summaryrefslogtreecommitdiff
path: root/django/utils
AgeCommit message (Collapse)Author
2025-11-05[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵Jacob Walls
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-10-01[4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-06-04[4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-05-06[4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-23[4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-23[4.2.x] Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0 Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main.
2025-03-06[4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-01-15[4.2.x] Fixed #36098 -- Fixed ↵Mariusz Felisiak
validate_ipv6_address()/validate_ipv46_address() crash for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
2025-01-14[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Natalia
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-12-04[4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-03[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly ↵Mariusz Felisiak
validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849
2024-09-03[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-31[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-25[4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-09[4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-03-04[4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().Shai Berger
Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2023-10-04[4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report.
2023-09-04[4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in ↵Mariusz Felisiak
django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-05-02[4.2.x] Fixed #34515 -- Made LocaleMiddleware prefer language from paths ↵Mariusz Felisiak
when i18n patterns are used. Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81. This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5. Thanks Anthony Baillard for the report. Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 0e444e84f87d174713a2aef0c4f9704ce2865586 from main
2023-04-14[4.2.x] Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware ↵Mariusz Felisiak
dates on different days and interval less than 1 day. Follow up to 813015d67e2557fa859a07930a9becec4e5f64a0. Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8. Backport of 198a19b692699ad3940373d9ed797fe9155f3f4a from main
2023-04-13[4.2.x] Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware ↵nessita
dates and interval less than 1 day. Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8. Thanks Lorenzo Peña for the report. Backport of 813015d67e2557fa859a07930a9becec4e5f64a0 from main
2023-04-10[4.2.x] Fixed #34455 -- Restored i18n_patterns() respect of ↵sarahboyce
prefix_default_language argument when fallback language is used. Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81. Thanks Oussama Jarrousse for the report. Backport of 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5 from main
2023-04-05[4.2.x] Refs #34118 -- Fixed CustomChoicesTests.test_uuid_unsupported on ↵Mariusz Felisiak
Python 3.12+. https://github.com/python/cpython/commit/2a4d8c0a9e88f45047da640ce5a92b304d2d39b1 Backport of 38e63c9e61152682f3ff982c85a73793ab6d3267 from main
2023-02-01[4.2.x] Refs #33476 -- Applied Black's 2023 stable style.David Smith
Black 23.1.0 is released which, as the first release of the year, introduces the 2023 stable style. This incorporates most of last year's preview style. https://github.com/psf/black/releases/tag/23.1.0 Backport of 097e3a70c1481ee7b042b2edd91b2be86fb7b5b6 from main
2023-02-01[4.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for ↵Nick Pope
Accept-Language. The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. Accept-Language headers are now limited to a maximum length in order to avoid this issue.
2023-01-11Refs #33879 -- Fixed plural value deprecation warnings.Mariusz Felisiak
Plural value must be an integer. Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
2023-01-05Fixed #34243 -- Fixed timesince() crash with timezone-aware dates and ↵sag᠎e
interval longer than 1 month. Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
2023-01-05Simplified handling ambiguous/imaginary datetimes in django.utils.dateformat.Nick Pope
Instead of the separate property, we can just not set self.timezone if the datetime is ambiguous or imaginary. This ensures that this check will only ever happen once as it's dependant on the datetime object and not the format string characters.
2023-01-05Added support for datetime.date to DateFormat.r().Nick Pope
2023-01-05Simplified django.utils.dateformat.DateFormat.O()/t()/e() a bit.Nick Pope
O() - we should try to avoid calling specifier methods from each other to avoid extra function call overhead. In addition we end up, in this case, duplicating the ambiguous/imaginary datetime checks. We're also going to be looking at simplifying things by having all of these specifier methods return strings and not an random mix of types. t() - the value can only be one of 28, 29, 30, or 31. As such, there is no need to zero-pad to a width of two.
2023-01-05Optimized imports in django.utils.dateformat.Nick Pope
Avoid extra attribute lookup in specifier methods, etc. by importing classes from datetime directly.
2023-01-04Simplified django.utils.formats.date_format()/time_format() calls.Nick Pope
This removes redundant get_format() calls and passing a default value for the format argument.
2023-01-04Fixed #33879 -- Improved timesince handling of long intervals.GianpaoloBranca
2022-12-22Fixed #33735 -- Added async support to StreamingHttpResponse.Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-20Refs #34118 -- Adopted asgiref coroutine detection shims.Carlton Gibson
Thanks to Mariusz Felisiak for review.
2022-12-17Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.Andreas Pelme
2022-12-05Fixed #34194 -- Added django.utils.http.content_disposition_header().Alex Vandiver
2022-11-10Updated documentation and comments for RFC updates.Nick Pope
- Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents
2022-10-31Used more augmented assignment statements.Nick Pope
Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
2022-10-13Fixed #34069 -- Made LocaleMiddleware respect language from requests when ↵Sergio
i18n patterns are used.
2022-09-12Refs #34000 -- Optimized handling None values in numberformat.format().Jimmy Angelakos
2022-09-12Fixed #34000 -- Fixed numberformat.format() crash on empty strings.Jimmy Angelakos
2022-08-11Refs #30213 -- Removed post-startup check for Watchman availability.Carlton Gibson
This is checked at startup in get_reloader(). The runtime check ties the implementation to Watchman excessively.
2022-07-27Refs #32948, Refs #32946 -- Used Q.create() internally for dynamic Q() objects.Nick Pope
Node.create() which has a compatible signature with Node.__init__() takes in a single `children` argument rather than relying in unpacking *args in Q.__init__() which calls Node.__init__(). In addition, we were often needing to unpack iterables into *args and can instead pass a list direct to Node.create().
2022-07-27Refs #32948 -- Added Node.__copy__().Nick Pope
This allows the copy.copy() usage in the Q._combine() method to finish sooner, instead of having to fallback to using the __reduce_ex__(4) method. Thia also avoids having to fall into copy.copy() at in Q._combine(), when combining a Q() with another Q(). Co-authored-by: Keryn Knight <keryn@kerynknight.com>
2022-07-27Refs #32948 -- Simplified WhereNode and Node.__deepcopy__()/add().Nick Pope
We can use copy() in Node.add() instead of create() as we don't need the children to be cloned via [:] subscript in __init__().
2022-07-27Refs #32948 -- Renamed Node._new_instance() to Node.create().Nick Pope
Node._new_instance() was added in 6dd2b5468fa275d53aa60fdcaff8c28bdc5e9c25 to work around Q.__init__() having an incompatible signature with Node.__init__(). It was intended as a hook that could be overridden if subclasses needed to change the behaviour of instantiation of their specialised form of Node. In practice this doesn't ever seem to have been used for this purpose and there are very few calls to Node._new_instance() with other code, e.g. Node.__deepcopy__() calling Node and overriding __class__ as required. Rename this to Node.create() to make it a more "official" piece of private API that we can use to simplify a lot of other areas internally. The docstring and nearby comment have been reworded to read more clearly.
2022-07-26Refs #27236 -- Reverted "Refs #27236 -- Refactored out ↵Mariusz Felisiak
DeprecationForHistoricalMigrationMixin." This reverts commit 57793b47657ace966ce8ce96d801ac0d85e5efc6.