path: root/django/core
Age | Commit message | Author
2026-04-19 | Added support for nested fields to XML deserializer. | Tim Graham
Needed by Django MongoDB Backend's EmbeddedModelField.
2026-04-19 | Removed OrderedDict representer from PyYAML serializer. | Tim Graham
Added in 5bc3123479bd97dc9d8a36fa9a3421a71063d1da (refs #24558), it was obsoleted when OrderedDict usage was removed in 24b82cd201e21060fbc02117dc16d1702877a1f3 (refs #30159).
2026-04-19 | Refs #36986 -- Replaced yaml's Serializer._value_from_field() time handling with a representer. | Tim Graham
2026-04-19 | Replaced yaml serializer workaround to preserve dict order with PyYAML's sort_keys=False. | Tim Graham
The sort_keys parameter was added in PyYAML 5.1 (released March 2019). The workaround was added in 24b82cd201e21060fbc02117dc16d1702877a1f3 (refs #30159).
2026-04-14 | Fixed #27150 -- Made base File objects truthy by default. | VIZZARD-X
2026-04-07 | Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. | Jacob Walls
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.
2026-04-06 | Fixed #37023 -- Made XML serializer put each ManyToManyField object on its own line. | Tim Graham
2026-04-06 | Refs #37023 -- Removed hardcoded indent levels from XML serializer. | Tim Graham
This facilitates nested fields and objects.
2026-03-16 | Fixed #36894 -- Added TypeError for conflicting arguments in mail APIs. | Praful Gulani
A TypeError is now raised if fail_silently=True, auth_user, or auth_password are provided along with a connection. Updated AdminEmailHandler in django.utils.log to remove redundant fail_silently=True. Thanks Mike Edmunds for the report and Jacob Tyler Walls for the review.
2026-03-08 | Fixed #12529 -- Fixed migrate --run-syncdb crash for existing model with truncated db_table names. | Mariusz Felisiak
2026-03-06 | Fixed #36940 -- Fixed script name edge case in ASGIRequest.path_info. | khadyottakale
Paths that happened to begin with the script name were inappropriately stripped, instead of checking that script name preceded a slash.
2026-03-03 | Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. | Natalia
This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews.
2026-02-27 | Refs #23919 -- Used yield from in Paginator. | Pierre Sassoulas
2026-02-26 | Fixed #36750 -- Made ordering of M2M objects deterministic in serializers. | VIZZARD-X
Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-10 | Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. | 93578237
Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-09 | Added DatabaseFeatures.supports_inspectdb. | Tim Graham
Needed by MongoDB.
2026-02-03 | Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. | Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03 | Fixed #36879 -- Identified Django client in Redis client metadata. | ar3ph
2026-01-31 | Refs #34118 -- Removed asgiref coroutine detection shims. | Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-26 | Fixed #36776 -- Clarified dev server runs in WSGI mode. | jafarkhan83
2026-01-18 | Applied Black's 2026 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0
2026-01-12 | Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer. | Jacob Walls
Thanks Shai Berger and Natalia Bidart for reviews.
2026-01-12 | Refs #36769 -- Avoided visiting grandchild nodes in XML Deserializer. | Jacob Walls
The only use case for visiting grandchild nodes turned out to be to support an unintentionally invalid fixture in the test suite. The invalid fixture added in #36969 was modeled on fixture9.xml in dae08cf55b83caef5e8ee39b16417692e8565278, so that is corrected as well in this commit, where the test will still pass.
2025-12-22 | Fixed #36786 -- Fixed XML serialization of None values in natural keys. | Youngkwang Yang
None values in natural keys were incorrectly serialized as the string "None", causing deserialization to fail for fields like UUIDField.
2025-12-22 | Fixed #36376 -- Fixed --no-color for command help in Python 3.14+. | Skyiesac
https://github.com/python/cpython/pull/136809 made `color` default to True in ArgumentParser.
2025-12-19 | Fixed #36590 -- Made async cache methods use specialized sync versions if available. | eevelweezel
Thanks Simon Charette, Sarah Boyce, and Jacob Walls for reviews.
2025-12-17 | Fixed #27380 -- Added "raw" argument to m2m_changed signals. | Mariusz Felisiak
2025-12-11 | Fixed #36769 -- Avoided visiting deeply nested nodes in XML deserializer. | Pravin Kamble
Only children at one level of depth need to be visited. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-09 | Fixed #36768 -- Optimized string concatenation in File.__iter__(). | varunkasyap
2025-12-03 | Fixed #35729 -- Enabled natural key serialization opt-out for subclasses. | rimi0108
Refactored serialization logic to allow models inheriting a natural_key() method (e.g. AbstractBaseUser) to explicitly opt out of natural key serialization by returning an empty tuple from the method. Thanks Jonas Dittrich for the report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-02 | Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. | Shai Berger
Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-12-01 | Refs #36743 -- Corrected docstring for DisallowedRedirect. | Jacob Walls
2025-11-20 | Fixed #36321 -- Defaulted suggest_on_error=True in management commands. | kihuni
Python 3.15 defaults suggest_on_error=True, but the feature is available from 3.14, so this change opts in earlier. This change can be reverted when Python 3.15 is the minimum supported version.
2025-11-17 | Fixed #24920 -- Added support for DecimalField with no precision. | Mariusz Felisiak
Thanks Lily for the review.
2025-11-13 | Fixed #36663 -- Defaulted to running checks against all databases. | Simon Charette
Regression in 0b83c8cc4db95812f1e15ca19d78614e94cf38dd which added support for running checks only against databases but also defaulted to running against no databases if not specified. Note that this continues to *not* default to running database tagged checks for all management commands except the migrate one as whether or not we should change this must be discussed further. Thanks Tim Graham for surfacing how this was a problematic default.
2025-11-07 | Refs #36315 -- Replaced manual task and cancellation handling with TaskGroup in ASGIHandler. | Thomas Grainger
2025-11-07 | Refs #36315 -- Used contextlib.closing() in ASGIHandler.handle(). | Thomas Grainger
2025-10-31 | Fixed #36661 -- Added introspection of database-level delete options. | Mariusz Felisiak
2025-10-20 | Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND. | YashRaj1506
Migrated `WSGIRequestHandler.log_message()` to use a more robust `log_message()` helper, which was based off `log_response()` via factoring out the common bits. Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-16 | Fixed #28586 -- Added model field fetch modes. | Adam Johnson
May your database queries be much reduced with minimal effort. co-authored-by: Andreas Pelme <andreas@pelme.se> co-authored-by: Simon Charette <charette.s@gmail.com> co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-13 | Replaced multi-level relative imports with absolute imports in django/. | lyova24
2025-09-14 | Fixed typo in django/core/files/storage/base.py docstring. | Siyabonga Dlikilili
2025-08-27 | Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." | Sarah Boyce
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25 | Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest(). | SaJH
Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-21 | Fixed #36399 -- Added support for multiple Cookie headers in HTTP/2 for ASGIRequest. | SaJH
Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-12 | Fixed #36368 -- Prevented duplicate locale paths and write_po_file calls in makemessages. | michalpokusa
2025-07-25 | Fixed #35581 -- Updated django.core.mail to Python's modern email API. | Mike Edmunds
- Changed EmailMessage.message() to construct a "modern email API" email.message.EmailMessage and added policy keyword arg.
- Added support for modern MIMEPart objects in EmailMessage.attach() (and EmailMessage constructor, EmailMessage.attachments list).
- Updated SMTP EmailBackend to use modern email.policy.SMTP.
Deprecated:
- Attaching MIMEBase objects (replace with MIMEPart)
- BadHeaderError (modern email uses ValueError)
- SafeMIMEText, SafeMIMEMultipart (unnecessary for modern email)
- django.core.mail.forbid_multi_line_headers() (undocumented, but exposed via `__all__` and in wide use)
- django.core.mail.message.sanitize_address() (undocumented, but in wide use)
Removed without deprecation (all undocumented):
- EmailMessage.mixed_subtype
- EmailMultiAlternatives.alternative_subtype
- Support for setting (undocumented) EmailMessage.encoding property to a legacy email.charset.Charset object
Related changes:
- Dropped tests for incorrect RFC 2047 encoding of non-ASCII email address localparts. This is specifically prohibited by RFC 2047, and not supported by any known MTA or email client. (Python still mis-applies encoded-word to non-ASCII localparts, but it is a bug that may be fixed in the future.)
- Added tests that try to discourage using Python's legacy email APIs in future updates to django.core.mail.
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23 | Refs #36500 -- Shortened some long docstrings and comments. | Mike Edmunds
Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce