summaryrefslogtreecommitdiff
path: root/django/core
AgeCommit message (Collapse)Author
2022-01-04[2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2021-06-02[2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.Mariusz Felisiak
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
2021-05-13[2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.Mariusz Felisiak
- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-06[2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs ↵Mariusz Felisiak
from being accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-04-27[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in ↵Florian Apolloner
file uploads.
2020-08-25[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in ↵Mariusz Felisiak
intermediate-level directories of the file system cache on Python 3.7+. Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
2020-08-25[2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on ↵Mariusz Felisiak
intermediate-level static and storage directories on Python 3.7+. Thanks WhiteSage for the report. Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
2020-07-20[2.2.x] Fixed #31784 -- Fixed crash when sending emails on Python 3.6.11+, ↵Florian Apolloner
3.7.8+, and 3.8.4+. Fixed sending emails crash on email addresses with display names longer then 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+. Wrapped display names were passed to email.headerregistry.Address() what caused raising an exception because address parts cannot contain CR or LF. See https://bugs.python.org/issue39073 Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> Backport of 96a3ea39ef0790dbc413dde0a3e19f6a769356a2 from master.
2020-06-05[2.2.x] Fixed #31654 -- Fixed cache key validation messages.Mariusz Felisiak
Backport of 926148ef019abcac3a9988c78734d9336d69f24e from master.
2020-06-03[2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached ↵Dan Palmer
backends.
2020-06-02[2.2.x] Fixed E128, E741 flake8 warnings.Mariusz Felisiak
Backport of 0668164b4ac93a5be79f5b87fae83c657124d9ab from master.
2019-10-14[2.2.x] Fixed #30870 -- Fixed showing that RunPython operations are ↵Mariusz Felisiak
irreversible by migrate --plan. Thanks Hasan Ramezani for the initial patch and Kyle Dickerson for the report. Backport of 06d34aab7cfb1632a1538a243db81f24498525ff from master.
2019-08-08[2.2.x] Fixed #30673 -- Relaxed system check for db_table collision when ↵Adnan Umer
database routers are installed by turning the error into a warning. Backport of 8d3519071ec001f763b70a3a1f98ae2e980bd552 from master.
2019-03-28[2.2.x] Fixed "byte string" typo in various docs and comments.Mariusz Felisiak
Backport of 881362986a1ee8f650752de8471a895890b71f96 from master
2019-02-13[2.2.x] Fixed #30184 -- Removed ellipsis characters from shell output strings.Dan Davis
Partially reverted 50b8493581fea3d7137dd8db33bac7008868d23a (refs #29654) to avoid a crash when the user shell doesn't support non-ASCII characters. Backport of 2bd8df243ac6fc35e58c9fe90b20c9e42519a5ac from master.
2019-01-13Fixed #27685 -- Added watchman support to the autoreloader.Tom Forbes
Removed support for pyinotify (refs #9722).
2019-01-12Fixed #30057 -- Fixed diffsettings ignoring custom configured settings.orlnub123
Regression in 49b679371fe9beddcd23a93b5fdbadea914f37f8.
2018-12-26Fixed #30058 -- Made SMTP EmailBackend.send_messages() return 0 for ↵Denis Stebunov
empty/error cases.
2018-12-24Fixed #20098 -- Added a check for model Meta.db_table collisions.Sanyam Khurana
2018-12-20Refs #30015 -- Added 2.1.5 release note and removed 'we' in comments.Carlton Gibson
2018-12-19Fixed #30031 -- Added --no-header option to makemigrations/squashmigrations.Dakota Hawkins
2018-12-19Fixed #30015 -- Ensured request body is properly consumed for keep-alive ↵Konstantin Alekseev
connections.
2018-11-27Fixed #28385 -- Fixed deserializing natural keys when primary key has a ↵dmytryi.striletskyi
default value. Co-Authored-By: Hasan Ramezani <hasan.r67@gmail.com>
2018-11-21Fixed #29949 -- Refactored db introspection identifier converters.Mariusz Felisiak
Removed DatabaseIntrospection.table_name_converter()/column_name_converter() and use instead DatabaseIntrospection.identifier_converter(). Removed DatabaseFeatures.uppercases_column_names. Thanks Tim Graham for the initial patch and review and Simon Charette for the review.
2018-11-20Refs #24829 -- Removed TemplateResponse rendering in BaseHandler.get_response().Tim Graham
Obsolete since 742ea51413b3aab07c6afbfd1d52c1908ffcb510.
2018-11-20Corrected docs and removed unused code for got_request_exception signal's ↵Tim Graham
sender argument. Inaccurate since 7d1b69dbe7f72ac04d2513f0468fe2146231b286.
2018-11-20Removed BaseHandler.get_exception_response().Tim Graham
Unused since 7d1b69dbe7f72ac04d2513f0468fe2146231b286.
2018-11-19Refs #29722 -- Added introspection of partitions for PostgreSQL.Nick Pope
2018-11-14Fixed #25884 -- Fixed migrate --run-syncdb when specifying an app label.Sarah Guermond
2018-11-10Fixed keep-alive support in manage.py runserver.Florian Apolloner
Ticket #25619 changed the default protocol to HTTP/1.1 but did not properly implement keep-alive. As a "fix" keep-alive was disabled in ticket #28440 to prevent clients from hanging (they expect the server to send more data if the connection is not closed and there is no content length set). The combination of those two fixes resulted in yet another problem: HTTP/1.1 by default allows a client to assume that keep-alive is supported unless the server disables it via 'Connection: close' -- see RFC2616 8.1.2.1 for details on persistent connection negotiation. Now if the client receives a response from Django without 'Connection: close' and immediately sends a new request (on the same tcp connection) before our server closes the tcp connection, it will error out at some point because the connection does get closed a few milli seconds later. This patch fixes the mentioned issues by always sending 'Connection: close' if we cannot determine a content length. The code is inefficient in the sense that it does not allow for persistent connections when chunked responses are used, but that should not really cause any problems (Django does not generate those) and it only affects the development server anyways. Refs #25619, #28440.
2018-11-09Fixed signing.dumps() example for Python 3.minusf
2018-10-31Fixed #29890 -- Fixed FileSystemStorage crash if concurrent saves try to ↵Tim Graham
create the same directory. Regression in 632c4ffd9cb1da273303bcd8005fff216506c795.
2018-10-30Fixed #29783 -- Added app label validation to showmigrations command.Junyoung
2018-10-30Capitalized SecurityMiddleware headers for consistency with other headers.Artur Juraszek
(No behavior change since HTTP headers are case insensitive.)
2018-10-23Fixed #29831 -- Added validation for makemigrations --name.Prabakaran Kumaresshan
2018-10-22Fixed #29830 -- Fixed loss of custom utf-8 body encoding in mails.jannschu
2018-10-22Fixed #29860 -- Allowed BaseValidator to accept a callable limit_value.buzzi
2018-10-19Fixed #29774 -- Fixed django-admin shell hang on startup.Adam Allred
sys.stdin.read() blocks waiting for EOF in shell.py which will likely never come if the user provides input on stdin via the keyboard before the shell starts. Added check for a tty to skip reading stdin if it's not present. This still allows piping of code into the shell (which should have no TTY and should have an EOF) but also doesn't cause it to hang if multi-line input is provided.
2018-10-17Fixed #29857 -- Added get_storage_class to django.core.files.storage.__all__.Tim Graham
2018-10-09Capitalized "Python" in docs and comments.Jon Dufresne
2018-10-08Replaced kwargs.pop() with keyword-only arguments.Jon Dufresne
2018-09-28Refs #28909 -- Simplifed code using unpacking generalizations.Sergey Fedoseev
2018-09-26Fixed #29673 -- Reset the URLconf at the end of each request.Matthew Power
Co-authored-by: Ross Thorne <rmwthorne@googlemail.com>
2018-09-26Fixed loaddata error message when uncompressed fixture has a dot in its name.Sergey Fedoseev
2018-09-26Refs #29784 -- Switched to https:// links where available.Jon Dufresne
2018-09-25Removed unneeded list() calls in list.extend() argument.Sergey Fedoseev
2018-09-19Refs #29198 -- Fixed migrate --plan crash if RunSQL uses a list or tuple.Tim Graham
Also fixed test failures if sqlparse isn't installed.
2018-09-11Refs #29560 -- Fixed typo in django/core/management/base.py.Nick Pope
2018-09-11Fixed #29560 -- Added --force-color management command option.Hasan Ramezani
2018-09-06Refs #29713 -- Improved error message from translation system check.Nick Pope