| Age | Commit message | Author |
|
Bcc addresses are sent via the SMTP envelope and must never appear in
the message itself. A "Bcc" key in `extra_headers` was not excluded like
From/To/Cc/Reply-To, so it leaked into the generated message as a
visible header.
Thanks Mike Edmunds for reviews.
|
|
transitional setting to False.
|
|
Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart
for reviews.
|
|
Made signed cookies derive their signer namespace from an injective
encoding of `(name, salt)` while preserving compatibility with legacy
`name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK.
Thanks Peng Zhou for the report, and Shai Berger, Markus Holtermann,
Jake Howard, and Paul McMillan for reviews.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews.
Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com>
|
|
Versions of Python prior to 3.15 would incorrectly encode non-ASCII
email addresses using rfc2047, resulting in undeliverable email. The
SMTP EmailBackend detects and prevents that (#35713). Python 3.15 fixes
that behavior (CPython issue gh-122476).
Updated test_rejects_non_ascii_local_part() to feature-detect the fix
(in case it is backported) and check for a representative section of
the Python error message if so; otherwise test for the SMTP EmailBackend
workaround.
Updated comments to clarify need and requirement.
|
|
See DEP 0018.
Added:
* MAILERS setting.
* django.core.mail.mailers dict-like EmailBackend factory.
* `using` argument to mail sending APIs.
* `sent_using` attribute to mail.outbox messages in locmem backend.
* MAILERS in startproject settings template, set to console backend.
* AdminLogHandler.using argument.
* BrokenLinkEmailsMiddleware.send_mail() method.
Updated:
* BaseEmailBackend to track the MAILERS alias used to construct it, and
to report errors for unknown kwargs (OPTIONS).
* EmailBackend implementations to initialize from kwargs (OPTIONS) only
when MAILERS is being used.
* smtp.EmailBackend to require `host` option and to default `port`
option based on SSL/TLS options.
* SimpleTestCase setup to substitute the locmem backend for all defined
MAILERS configurations.
* Django's tests that send mail to define MAILERS.
Deprecated:
* EMAIL_BACKEND and other backend-related EMAIL_* settings.
* mail.get_connection().
* The `connection`, `fail_silently`, `auth_user`, and `auth_password`
arguments to mail functions.
* The EmailMessage.connection attribute.
* BaseEmailBackend support for `fail_silently`. Backends that support
fail_silently (SMTP, console, file) now implement it directly.
* AdminEmailHandler.email_backend argument.
Removed undocumented features without deprecation:
* EmailMessage.get_connection() method. (send() now raises an error if a
subclass has attempted to override it.)
* EmailMessage.send() no longer sets self.connection to the connection
used for sending. (It still _uses_ a pre-existing self.connection.)
* AdminEmailHandler.connection() method. (Init now raises an error if a
subclass has attempted to override it.)
Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive
reviews and suggestions on the implementation.
Thanks to Jacob Rief for the initial implementation and multiple
iterations while refining the design.
Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
|
|
CVE-2025-12084 was fixed upstream in CPython and backported to
3.14.2, 3.13.11, and 3.12.13, making this workaround unnecessary.
https://github.com/python/cpython/issues/142145
|
|
Replaced TypeError in `os.path.abspath(None)` with ImproperlyConfigured
error when settings.EMAIL_FILE_PATH is required but missing.
|
|
MemoryFileUploadHandler on ASGI.
In ASGI deployments, Content-Length is not guaranteed to reflect the
actual request body size, so relying on it to gate memory allocation
allowed the limit to be bypassed. The handler now enforces
DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value.
Thanks to Kyle Agronick for the report. Refs #35289.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
algorithm.
Deprecated the default value of the algorithm argument in
django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(),
which will change from 'sha1' to 'sha256' in Django 7.0.
|
|
Needed by Django MongoDB Backend's EmbeddedModelField.
|
|
Added in 5bc3123479bd97dc9d8a36fa9a3421a71063d1da (refs #24558),
it was obsoleted when OrderedDict usage was removed in
24b82cd201e21060fbc02117dc16d1702877a1f3 (refs #30159).
|
|
with a representer.
|
|
sort_keys=False.
The sort_keys parameter was added in PyYAML 5.1 (released March 2019).
The workaround was added in 24b82cd201e21060fbc02117dc16d1702877a1f3
(refs #30159).
|
|
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
|
|
own line.
|
|
This facilitates nested fields and objects.
|
|
A TypeError is now raised if fail_silently=True, auth_user, or auth_password
are provided along with a connection.
Updated AdminEmailHandler in django.utils.log to remove redundant
fail_silently=True.
Thanks Mike Edmunds for the report and Jacob Tyler Walls for the review.
|
|
truncated db_table names.
|
|
Paths that happened to begin with the script name were inappropriately
stripped, instead of checking that script name preceded a slash.
|
|
system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
Needed by MongoDB.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
https://github.com/psf/black/releases/tag/26.1.0
|
|
Deserializer.
Thanks Shai Berger and Natalia Bidart for reviews.
|
|
The only use case for visiting grandchild nodes turned out to be to
support an unintentionally invalid fixture in the test suite.
The invalid fixture added in #36969 was modeled on fixture9.xml in
dae08cf55b83caef5e8ee39b16417692e8565278, so that is corrected as well
in this commit, where the test will still pass.
|
|
None values in natural keys were incorrectly serialized as the string
"None", causing deserialization to fail for fields like UUIDField.
|
|
https://github.com/python/cpython/pull/136809 made `color` default to
True in ArgumentParser.
|
|
available.
Thanks Simon Charette, Sarah Boyce, and Jacob Walls for reviews.
|
|
Only children at one level of depth need to be visited.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Refactored serialization logic to allow models inheriting a natural_key()
method (e.g. AbstractBaseUser) to explicitly opt out of natural key
serialization by returning an empty tuple from the method.
Thanks Jonas Dittrich for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
serializer.
Previously, `getInnerText()` recursively used `list.extend()` on strings,
which added each character from child nodes as a separate list element.
On deeply nested XML content, this caused the overall deserialization
work to grow quadratically with input size, potentially allowing
disproportionate CPU consumption for crafted XML.
The fix separates collection of inner texts from joining them, so that
each subtree is joined only once, reducing the complexity to linear in
the size of the input. These changes also include a mitigation for an
xml.dom.minidom performance issue.
Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|