path: root/django/core
Age         Commit message (author in parentheses)

2026-06-16  Fixed #37152 -- Raised ValueError when Bcc is used in EmailMessage headers. (diaxoaine)
    Bcc addresses are sent via the SMTP envelope and must never appear in the message itself. A "Bcc" key in `extra_headers` was not excluded like From/To/Cc/Reply-To, so it leaked into the generated message as a visible header. Thanks Mike Edmunds for reviews.
2026-06-11  Fixed #37141 -- Added --using option to sendtestemail command. (NagaKartheekReddy)
2026-06-10  Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings. (zhengkangyang)
2026-06-09  Fixed #37130 -- Skipped DB cache deletion when culling offset is zero. (vishwa)
2026-06-09  Fixed #36900 -- Used safe_join() on downloaded template archive. (ar3ph)
2026-06-08  Fixed #32785 -- Optimized cull frequency for DBCache. (eevelweezel)
2026-06-03  Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False. (Jacob Walls)
2026-06-03  Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully configured. (Jake Howard)
    Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart for reviews.
2026-06-03  Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions. (Paul McMillan)
    Made signed cookies derive their signer namespace from an injective encoding of `(name, salt)` while preserving compatibility with legacy `name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK. Thanks Peng Zhou for the report, and Shai Berger, Markus Holtermann, Jake Howard, and Paul McMillan for reviews.
    Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-06-01  Fixed #28800 -- Added a listurls management command. (Chris Rose)
    Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews.
    Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com>
2026-06-01  Fixed #37108 -- Made DjangoJSONEncoder consistently omit .000 microseconds. (Aaryan P)
2026-05-14  Refs #36664 -- Updated SMTP EmailBackend tests for Python 3.15. (Mike Edmunds)
    Versions of Python prior to 3.15 would incorrectly encode non-ASCII email addresses using rfc2047, resulting in undeliverable email. The SMTP EmailBackend detects and prevents that (#35713). Python 3.15 fixes that behavior (CPython issue gh-122476). Updated test_rejects_non_ascii_local_part() to feature-detect the fix (in case it is backported) and check for a representative section of the Python error message if so; otherwise test for the SMTP EmailBackend workaround. Updated comments to clarify need and requirement.
2026-05-13  Fixed #35514 -- Implemented dictionary-based MAILERS. (Mike Edmunds)
    See DEP 0018.
    Added:
    * MAILERS setting.
    * django.core.mail.mailers dict-like EmailBackend factory.
    * `using` argument to mail sending APIs.
    * `sent_using` attribute to mail.outbox messages in locmem backend.
    * MAILERS in startproject settings template, set to console backend.
    * AdminLogHandler.using argument.
    * BrokenLinkEmailsMiddleware.send_mail() method.
    Updated:
    * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS).
    * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used.
    * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options.
    * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations.
    * Django's tests that send mail to define MAILERS.
    Deprecated:
    * EMAIL_BACKEND and other backend-related EMAIL_* settings.
    * mail.get_connection().
    * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions.
    * The EmailMessage.connection attribute.
    * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly.
    * AdminEmailHandler.email_backend argument.
    Removed undocumented features without deprecation:
    * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.)
    * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.)
    * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.)
    Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design.
    Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-13  Refs CVE-2025-64460 -- Removed workaround for minidom document checks. (Jacob Walls)
    CVE-2025-12084 was fixed upstream in CPython and backported to 3.14.2, 3.13.11, and 3.12.13, making this workaround unnecessary. https://github.com/python/cpython/issues/142145
2026-05-07  Fixed #37084 -- Added CSP nonce context processor system check. (Milad Zarour)
2026-05-06  Refs #35514 -- Added error for missing EMAIL_FILE_PATH setting. (Mike Edmunds)
    Replaced TypeError in `os.path.abspath(None)` with ImproperlyConfigured error when settings.EMAIL_FILE_PATH is required but missing.
2026-05-05  Fixed #37053 -- Added validate=True to base64.b64decode() calls. (Sarah Boyce)
2026-05-05  Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI. (Jacob Walls)
    In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-04  Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() algorithm. (Denny Biasiolli)
    Deprecated the default value of the algorithm argument in django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(), which will change from 'sha1' to 'sha256' in Django 7.0.
2026-04-19  Added support for nested fields to XML deserializer. (Tim Graham)
    Needed by Django MongoDB Backend's EmbeddedModelField.
2026-04-19  Removed OrderedDict representer from PyYAML serializer. (Tim Graham)
    Added in 5bc3123479bd97dc9d8a36fa9a3421a71063d1da (refs #24558), it was obsoleted when OrderedDict usage was removed in 24b82cd201e21060fbc02117dc16d1702877a1f3 (refs #30159).
2026-04-19  Refs #36986 -- Replaced yaml's Serializer._value_from_field() time handling with a representer. (Tim Graham)
2026-04-19  Replaced yaml serializer workaround to preserve dict order with PyYAML's sort_keys=False. (Tim Graham)
    The sort_keys parameter was added in PyYAML 5.1 (released March 2019). The workaround was added in 24b82cd201e21060fbc02117dc16d1702877a1f3 (refs #30159).
2026-04-14  Fixed #27150 -- Made base File objects truthy by default. (VIZZARD-X)
2026-04-07  Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. (Jacob Walls)
    Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.
2026-04-06  Fixed #37023 -- Made XML serializer put each ManyToManyField object on its own line. (Tim Graham)
2026-04-06  Refs #37023 -- Removed hardcoded indent levels from XML serializer. (Tim Graham)
    This facilitates nested fields and objects.
2026-03-16  Fixed #36894 -- Added TypeError for conflicting arguments in mail APIs. (Praful Gulani)
    A TypeError is now raised if fail_silently=True, auth_user, or auth_password are provided along with a connection. Updated AdminEmailHandler in django.utils.log to remove redundant fail_silently=True. Thanks Mike Edmunds for the report and Jacob Tyler Walls for the review.
2026-03-08  Fixed #12529 -- Fixed migrate --run-syncdb crash for existing model with truncated db_table names. (Mariusz Felisiak)
2026-03-06  Fixed #36940 -- Fixed script name edge case in ASGIRequest.path_info. (khadyottakale)
    Paths that happened to begin with the script name were inappropriately stripped, instead of checking that the script name preceded a slash.
2026-03-03  Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. (Natalia)
    This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews.
    Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
    Co-authored-by: Zackery Spytz <zspytz@gmail.com>
2026-02-27  Refs #23919 -- Used yield from in Paginator. (Pierre Sassoulas)
2026-02-26  Fixed #36750 -- Made ordering of M2M objects deterministic in serializers. (VIZZARD-X)
    Co-authored-by: Simon Charette <charette.s@gmail.com>
    Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-10  Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. (93578237)
    Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-09  Added DatabaseFeatures.supports_inspectdb. (Tim Graham)
    Needed by MongoDB.
2026-02-03  Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. (Jake Howard)
    Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03  Fixed #36879 -- Identified Django client in Redis client metadata. (ar3ph)
2026-01-31  Refs #34118 -- Removed asgiref coroutine detection shims. (Jacob Walls)
    As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-26  Fixed #36776 -- Clarified dev server runs in WSGI mode. (jafarkhan83)
2026-01-18  Applied Black's 2026 stable style. (Mariusz Felisiak)
    https://github.com/psf/black/releases/tag/26.1.0
2026-01-12  Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer. (Jacob Walls)
    Thanks Shai Berger and Natalia Bidart for reviews.
2026-01-12  Refs #36769 -- Avoided visiting grandchild nodes in XML Deserializer. (Jacob Walls)
    The only use case for visiting grandchild nodes turned out to be to support an unintentionally invalid fixture in the test suite. The invalid fixture added in #36969 was modeled on fixture9.xml in dae08cf55b83caef5e8ee39b16417692e8565278, so that is corrected as well in this commit, where the test will still pass.
2025-12-22  Fixed #36786 -- Fixed XML serialization of None values in natural keys. (Youngkwang Yang)
    None values in natural keys were incorrectly serialized as the string "None", causing deserialization to fail for fields like UUIDField.
2025-12-22  Fixed #36376 -- Fixed --no-color for command help in Python 3.14+. (Skyiesac)
    https://github.com/python/cpython/pull/136809 made `color` default to True in ArgumentParser.
2025-12-19  Fixed #36590 -- Made async cache methods use specialized sync versions if available. (eevelweezel)
    Thanks Simon Charette, Sarah Boyce, and Jacob Walls for reviews.
2025-12-17  Fixed #27380 -- Added "raw" argument to m2m_changed signals. (Mariusz Felisiak)
2025-12-11  Fixed #36769 -- Avoided visiting deeply nested nodes in XML deserializer. (Pravin Kamble)
    Only children at one level of depth need to be visited.
    Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-09  Fixed #36768 -- Optimized string concatenation in File.__iter__(). (varunkasyap)
2025-12-03  Fixed #35729 -- Enabled natural key serialization opt-out for subclasses. (rimi0108)
    Refactored serialization logic to allow models inheriting a natural_key() method (e.g. AbstractBaseUser) to explicitly opt out of natural key serialization by returning an empty tuple from the method. Thanks Jonas Dittrich for the report.
    Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-02  Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. (Shai Berger)
    Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for an xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
    Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>