| Age | Commit message (Collapse) | Author |
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
via archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
|
|
`log_response()`.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
|
|
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
|
|
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
|
|
https://github.com/PyCQA/flake8/releases/tag/7.2.0
Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main.
|
|
filter.
Thanks sw0rd1ight for the report.
Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
|
|
validate_ipv6_address()/validate_ipv46_address() crash for non-string values.
Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
|
|
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
|
|
validate IPv6 and IPvFuture addresses.
Refs Python CVE-2024-11168. Django should not affected, but others who
incorrectly use internal function _urlsplit() with unsanitized input
could be at risk.
https://github.com/python/cpython/pull/103849
|
|
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
|
django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
urlizetrunc template filters.
Thanks to MProgrammer for the report.
|
|
ValueError in get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
|
|
get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.
Thanks to MProgrammer for the report.
|
|
urlizetrunc template filters.
Thank you to Elias Myllymäki for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Thanks Seokchan Yoon for the report.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
|
|
django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
|
when i18n patterns are used.
Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81.
This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81
(refs #34069) and
partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5.
Thanks Anthony Baillard for the report.
Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 0e444e84f87d174713a2aef0c4f9704ce2865586 from main
|
|
dates on different days and interval less than 1 day.
Follow up to 813015d67e2557fa859a07930a9becec4e5f64a0.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
Backport of 198a19b692699ad3940373d9ed797fe9155f3f4a from main
|
|
dates and interval less than 1 day.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
Thanks Lorenzo Peña for the report.
Backport of 813015d67e2557fa859a07930a9becec4e5f64a0 from main
|
|
prefix_default_language argument when fallback language is used.
Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81.
Thanks Oussama Jarrousse for the report.
Backport of 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5 from main
|
|
Python 3.12+.
https://github.com/python/cpython/commit/2a4d8c0a9e88f45047da640ce5a92b304d2d39b1
Backport of 38e63c9e61152682f3ff982c85a73793ab6d3267 from main
|
|
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.
https://github.com/psf/black/releases/tag/23.1.0
Backport of 097e3a70c1481ee7b042b2edd91b2be86fb7b5b6 from main
|
|
Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.
Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
|
|
Plural value must be an integer.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
|
|
interval longer than 1 month.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
|
|
Instead of the separate property, we can just not set self.timezone if
the datetime is ambiguous or imaginary. This ensures that this check
will only ever happen once as it's dependant on the datetime object and
not the format string characters.
|
|
|
|
O() - we should try to avoid calling specifier methods from each other
to avoid extra function call overhead. In addition we end up, in this
case, duplicating the ambiguous/imaginary datetime checks. We're also
going to be looking at simplifying things by having all of these
specifier methods return strings and not an random mix of types.
t() - the value can only be one of 28, 29, 30, or 31. As such, there is
no need to zero-pad to a width of two.
|
|
Avoid extra attribute lookup in specifier methods, etc. by importing
classes from datetime directly.
|
|
This removes redundant get_format() calls and passing a default value
for the format argument.
|
|
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
Thanks to Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
i18n patterns are used.
|
|
|
|
|
|
This is checked at startup in get_reloader(). The runtime check ties
the implementation to Watchman excessively.
|
|
Node.create() which has a compatible signature with Node.__init__()
takes in a single `children` argument rather than relying in unpacking
*args in Q.__init__() which calls Node.__init__().
In addition, we were often needing to unpack iterables into *args and
can instead pass a list direct to Node.create().
|
|
This allows the copy.copy() usage in the Q._combine() method to finish
sooner, instead of having to fallback to using the __reduce_ex__(4)
method.
Thia also avoids having to fall into copy.copy() at in Q._combine(),
when combining a Q() with another Q().
Co-authored-by: Keryn Knight <keryn@kerynknight.com>
|
|
We can use copy() in Node.add() instead of create() as we don't need the
children to be cloned via [:] subscript in __init__().
|
|
Node._new_instance() was added in
6dd2b5468fa275d53aa60fdcaff8c28bdc5e9c25 to work around Q.__init__()
having an incompatible signature with Node.__init__().
It was intended as a hook that could be overridden if subclasses needed
to change the behaviour of instantiation of their specialised form of
Node. In practice this doesn't ever seem to have been used for this
purpose and there are very few calls to Node._new_instance() with other
code, e.g. Node.__deepcopy__() calling Node and overriding __class__ as
required.
Rename this to Node.create() to make it a more "official" piece of
private API that we can use to simplify a lot of other areas internally.
The docstring and nearby comment have been reworded to read more
clearly.
|
|
DeprecationForHistoricalMigrationMixin."
This reverts commit 57793b47657ace966ce8ce96d801ac0d85e5efc6.
|