summaryrefslogtreecommitdiff
path: root/django/utils
AgeCommit message (Collapse)Author
2024-08-06[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-25[5.1.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-09[5.1.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[5.1.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-16Removed PY36 and PY37 version constants.Sarah Boyce
As the oldest supported version is Django 4.2, we only need constants for PY38+. Thank you to Mariusz Felisiak for the review.
2024-04-12Fixed #35364 -- Stopped AdminEmailHandler rendering email unnecessarily.Adam Johnson
2024-03-14Refs #30686 -- Made django.utils.html.VOID_ELEMENTS a frozenset.Nick Pope
2024-02-20Refs #34900 -- Fixed ↵Mariusz Felisiak
CommandTypes.test_help_default_options_with_custom_arguments test on Python 3.13+. https://github.com/python/cpython/commit/c4a2e8a2c5188c3288d57b80852e92c83f46f6f3
2024-02-15Refs #30686 -- Removed unused regexes in django.utils.text.Mariusz Felisiak
Unused since 6ee37ada3241ed263d8d1c2901b030d964cbd161.
2024-02-14Fixed #35179 -- Made admindocs detect positional/keyword-only arguments.Salvo Polizzi
2024-02-09Fixed #35175 -- Made migraton writer preserve keyword-only arguments.David Sanders
Thanks Gerald Goh for the report.
2024-02-07Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator.David Smith
2024-02-07Refs #30686 -- Fixed text truncation for negative or zero lengths.David Smith
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-11-28Refs #34986 -- Added PyPy support to ↵Nick Pope
django.utils.autoreload.get_child_arguments(). It seems that `sys._xoptions` is also supported on PyPy.
2023-11-28Refs #34986 -- Fixed mocking in ↵Nick Pope
utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850. Mocking in the `datetime` module can be tricky. In CPython the datetime C module is used, but PyPy uses a pure Python implementation. This caused issues with the prior approach to mocking `datetime.datetime`. See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
2023-11-27Refs #34986 -- Added django.utils.version.PYPY.Nick Pope
2023-11-27Refs #34986 -- Avoided pickling error in DjangoUnicodeDecodeError.Nick Pope
By using the existing object reference instead of a custom one, pickling related issues when running the test suite in parallel can be avoided.
2023-11-24Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable().Nick Pope
2023-11-24Fixed #34818 -- Prevented GenericIPAddressField from mutating error messages.Parth Verma
Co-authored-by: Parth Verma <parth.verma@gmail.com>
2023-10-23Fixed #34899 -- Added blank choice to forms' callable choices lazily.Nick Pope
2023-10-23Refs #34899 -- Extracted Field.flatchoices to flatten_choices helper function.Nick Pope
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23Refs #31262 -- Added __eq__() and __getitem__() to BaseChoiceIterator.Nick Pope
This makes it easier to work with lazy iterators used for callables, etc. when extracting items or comparing to lists, e.g. during testing. Also added `BaseChoiceIterator.__iter__()` to make it clear that subclasses must implement this and added `__all__` to the module. Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23Refs #34118 -- Avoided repeat coroutine checks in MiddlewareMixin.Adam Johnson
2023-10-04Fixed CVE-2023-43665 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report.
2023-09-18Advanced deprecation warnings for Django 5.1.Mariusz Felisiak
2023-09-13Refs #31949 -- Made make_middleware_decorator to work with async functions.Ben Lomax
2023-09-12Renamed ChoicesMeta to ChoicesType.Nick Pope
This also uses enum.EnumType for Python 3.11+ as Python 3.11 renamed EnumMeta to EnumType. While the former is still available as an alias of the latter for now, let's prefer the canonical name for this. Check out https://docs.python.org/3/library/enum.html#enum.EnumType
2023-09-04Refs #31262 -- Renamed ChoiceIterator to BaseChoiceIterator.Nick Pope
Some third-party applications, e.g. `django-filter`, already define their own `ChoiceIterator`, so renaming this `BaseChoiceIterator` will be a better fit and avoid any potential confusion. See https://github.com/carltongibson/django-filter/pull/1607.
2023-09-04Fixed CVE-2023-41164 -- Fixed potential DoS in ↵Mariusz Felisiak
django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-01Fixed #34807 -- Avoided circular import between forms, models, and utils' ↵nessita
choices. Thanks Collin Anderson for the report. Regression in 500e01073adda32d5149624ee9a5cb7aa3d3583f.
2023-08-30 Fixed #31262 -- Added support for mappings on model fields and ↵Nick Pope
ChoiceField's choices.
2023-08-28Fixed #34787 -- Fixed autoreloader crash when run from installed script on ↵sarahboyce
Windows.
2023-08-02Removed unneeded escapes in regexes.Mariusz Felisiak
Special characters lose their special meaning inside sets of characters. "-" lose its special meaning if it's placed as the first or last character. Follow up to 7c6b66383da5f9a67142334cd2ed2d769739e8f1.
2023-07-14Refs #30686 -- Moved Parser.SELF_CLOSING_TAGS to django.utils.html.VOID_ELEMENTSDavid Smith
2023-07-14Refs #30686 -- Moved add_truncation_text() helper to a module level.David Smith
2023-06-12Allowed custom formatting of lazy() objects.Nick Pope
This allows for formatting of lazy objects which have a custom formatter defined by overriding the default implementation from `object`.
2023-06-12Allowed multiplication of lazy() objects with int return type.Nick Pope
2023-06-12Removed function call overhead when preparing proxy class for lazy().Nick Pope
We can avoid the function call and assignment overhead which could be significant when instantiating many lazy objects. It's still easy enough to read too.
2023-06-12Made proxy class in lazy() prepare eagerly.Ran Benita
Previously, the proxy class was prepared lazily: lazy_identity = lazy(identity, int) lazy_identity(10) # prepared here lazy_identity(10) This has a slight advantage that if the lazy doesn't end up getting used, the preparation work is skipped, however that's not very likely. Besides this laziness, it is also inconsistent in that the methods which are wrapped directly (__str__ etc.) are prepared already when __proxy__ is defined, and there is a weird half-initialized state. This change it so that everything is prepared already on the first line of the example above.
2023-06-12Improved order of methods in proxy class in lazy().Ran Benita
This order reads more naturally and puts methods into three groups: 1. The methods required to support the implementation of __proxy__, e.g. __deepcopy__ doesn't come from `object` and __reduce__ is overridden to support behavior required explicitly for pickling of lazy objects. 2. Methods that are specifically overridden from `object` which we don't want to inherit from the provided resultclasses. These will be skipped later when we add methods from the resultclasses. 3. Additional methods - that is _add__, __radd__, and __mod__ - don't come from `object`, but typically from `str` and `int` which are the most common use cases. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2023-06-08Optimized lazy() by removing use of @total_ordering.Ran Benita
@total_ordering is slow. Using the following micro-benchmark (resultclasses intentionally omitted to narrow the scope): import cProfile from django.utils.functional import lazy def identity(x): return x cProfile.run("for i in range(10000): str(lazy(identity)(1))") Before: 380003 function calls in 0.304 seconds ncalls tottime percall cumtime percall filename:lineno(function) 1 0.016 0.016 0.304 0.304 <string>:1(<module>) 10000 0.002 0.000 0.002 0.000 bench.py:5(double) 10000 0.005 0.000 0.006 0.000 functional.py:100(__cast) 10000 0.007 0.000 0.013 0.000 functional.py:106(__str__) 10000 0.005 0.000 0.017 0.000 functional.py:140(__wrapper__) 10000 0.020 0.000 0.258 0.000 functional.py:60(lazy) 10000 0.039 0.000 0.039 0.000 functional.py:68(__proxy__) 10000 0.010 0.000 0.012 0.000 functional.py:77(__init__) 10000 0.002 0.000 0.002 0.000 functional.py:84(__prepare_class__) 10000 0.025 0.000 0.075 0.000 functools.py:186(total_ordering) 10000 0.015 0.000 0.028 0.000 functools.py:189(<setcomp>) 10000 0.024 0.000 0.044 0.000 functools.py:37(update_wrapper) 10000 0.005 0.000 0.005 0.000 functools.py:67(wraps) 10000 0.074 0.000 0.114 0.000 {built-in method builtins.__build_class__} 1 0.000 0.000 0.304 0.304 {built-in method builtins.exec} 150000 0.023 0.000 0.023 0.000 {built-in method builtins.getattr} 10000 0.004 0.000 0.004 0.000 {built-in method builtins.max} 80000 0.025 0.000 0.025 0.000 {built-in method builtins.setattr} 1 0.000 0.000 0.000 0.000 {method 'disable' of '_lsprof.Profiler' objects} 10000 0.003 0.000 0.003 0.000 {method 'update' of 'dict' objects} After: 240003 function calls in 0.231 seconds ncalls tottime percall cumtime percall filename:lineno(function) 1 0.016 0.016 0.231 0.231 <string>:1(<module>) 10000 0.002 0.000 0.002 0.000 bench.py:5(double) 10000 0.006 0.000 0.012 0.000 functional.py:105(__str__) 10000 0.005 0.000 0.017 0.000 functional.py:159(__wrapper__) 10000 0.015 0.000 0.186 0.000 functional.py:60(lazy) 10000 0.022 0.000 0.022 0.000 functional.py:68(__proxy__) 10000 0.010 0.000 0.012 0.000 functional.py:76(__init__) 10000 0.002 0.000 0.002 0.000 functional.py:83(__prepare_class__) 10000 0.004 0.000 0.006 0.000 functional.py:99(__cast) 10000 0.023 0.000 0.043 0.000 functools.py:37(update_wrapper) 10000 0.004 0.000 0.004 0.000 functools.py:67(wraps) 10000 0.102 0.000 0.124 0.000 {built-in method builtins.__build_class__} 1 0.000 0.000 0.231 0.231 {built-in method builtins.exec} 70000 0.011 0.000 0.011 0.000 {built-in method builtins.getattr} 50000 0.007 0.000 0.007 0.000 {built-in method builtins.setattr} 1 0.000 0.000 0.000 0.000 {method 'disable' of '_lsprof.Profiler' objects} 10000 0.003 0.000 0.003 0.000 {method 'update' of 'dict' objects}
2023-06-08Made bytes and str return types no longer mutually exclusive in lazy().Ran Benita
They are no longer special cased.
2023-06-08Removed unnecessary wrapping of __bytes__ in proxy class in lazy().Ran Benita
2023-06-08Removed unnecessary branch in __mod__() from proxy class in lazy().Ran Benita
Unnecessary since c716fe87821df00f9f03ecc761c914d1682591a2 and 7b2f2e74adb36a4334e83130f6abc2f79d395235.
2023-06-08Refs #34445 -- Fixed string-casting of non-string lazy objects when value ↵Ran Benita
may be bytes. If the result type is bytes, then calling bytes() on it does nothing. If the result type is not bytes, we should not cast to bytes, just because the return value may be bytes.
2023-06-06Fixed #34609 -- Deprecated calling format_html() without arguments.devilsautumn
2023-05-02Fixed #34515 -- Made LocaleMiddleware prefer language from paths when i18n ↵Mariusz Felisiak
patterns are used. Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81. This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5. Thanks Anthony Baillard for the report. Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2023-04-20Corrected exception type in safe_join()'s docstring.David Sanders