summaryrefslogtreecommitdiff
path: root/django/utils
AgeCommit message (Collapse)Author
2025-04-02[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
2025-03-30[5.2.x] Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0 Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main
2025-03-06[5.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-01-23[5.2.x] Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.Mike Edmunds
Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django). Backport of 29ba75e6e57414f0e6f9528d08a520b8b931fb28 from main.
2025-01-20[5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.greg
Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.
2025-01-15Fixed #36098 -- Fixed validate_ipv6_address()/validate_ipv46_address() crash ↵Mariusz Felisiak
for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
2025-01-14Fixed #35998 -- Added caching to django.utils.html.urlize().Sarah Boyce
2025-01-14Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Michael Manfre
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-01-07Fixed #36023 -- Handled controls chars in content_disposition_header.Alex Vandiver
To use the simple `filename="..."` form, the value must conform to the official grammar from RFC6266[^1]: filename-parm = "filename" "=" value value = <value, defined in [RFC2616], Section 3.6> ; token | quoted-string The `quoted-string` definition comes from RFC 9110[^2]: ``` quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text The backslash octet ("\") can be used as a single-octet quoting mechanism within quoted-string and comment constructs. Recipients that process the value of a quoted-string MUST handle a quoted-pair as if it were replaced by the octet following the backslash. quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) A sender SHOULD NOT generate a quoted-pair in a quoted-string except where necessary to quote DQUOTE and backslash octets occurring within that string. ``` That is, quoted strings are able to express horizontal tabs, space characters, and everything in the range from 0x21 to 0x7e, expect for 0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be escaped with their own `\`. We ignore the case of `obs-text`, which is defined as the range 0x80-0xFF, since its presence is there for permissive parsing of accidental high-bit characters, and it should not be generated by conforming implementations. Transform this character range into a regex and apply it in addition to the "is ASCII" check. This ensures that all simple filenames are expressed in the simple format, and that all filenames with newlines and other control characters are properly expressed with the percent-encoded `filename*=...`form. [^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1 [^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
2024-12-17Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.Mike Edmunds
Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts.
2024-12-04Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-10-25Refs #35844 -- Corrected expected error messages in commands tests on Python ↵Tainara Palmeira
3.14+. Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to address changes in Python 3.14+ error handling.
2024-09-18Fixed #35766 -- Handled slices in BaseChoiceIterator.Sarah Boyce
2024-09-16Fixed #34221 -- Honored translation precedence with mixed plural forms.Claude Paroz
2024-09-03Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-30Fixed #35083 -- Updated method_decorator to handle async methods.Vaarun Sinha
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2024-08-30Dropped safeguards against very old versions of gettext.Claude Paroz
gettext 0.19 was released in 2014.
2024-08-27Refs #34609 -- Fixed deprecation warning stack level in format_html().Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-20Fixed #35668 -- Added mapping support to format_html_join.nabil-rady
2024-08-12Fixed #35648 -- Raised NotImplementedError in SafeString.__add__ for ↵Matthias Kestenholz
non-string RHS. This change ensures SafeString addition operations handle non-string RHS properly, allowing them to implement __radd__ for better compatibility.
2024-08-06Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks to MProgrammer for the report.
2024-07-25Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in ↵Lorenzo Peña
get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
2024-07-11Refs #25466 -- Removed unused DeprecationInstanceCheck.Adam Johnson
Unused since ff419de263138e905dff44c5cb806310c70f32aa.
2024-07-09Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc ↵Adam Johnson
template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-06-18Fixed #12978 -- Added support for RSS feed stylesheets.Baptiste Mispelon
2024-05-29Fixed 35467 -- Replaced urlparse with urlsplit where appropriate.Jake Howard
This work should not generate any change of functionality, and `urlsplit` is approximately 6x faster. Most use cases of `urlparse` didn't touch the path, so they can be converted to `urlsplit` without any issue. Most of those which do use `.path`, simply parse the URL, mutate the querystring, then put them back together, which is also fine (so long as urlunsplit is used).
2024-05-22Advanced deprecation warnings for Django 5.2.Natalia
2024-05-16Removed PY36 and PY37 version constants.Sarah Boyce
As the oldest supported version is Django 4.2, we only need constants for PY38+. Thank you to Mariusz Felisiak for the review.
2024-04-12Fixed #35364 -- Stopped AdminEmailHandler rendering email unnecessarily.Adam Johnson
2024-03-14Refs #30686 -- Made django.utils.html.VOID_ELEMENTS a frozenset.Nick Pope
2024-02-20Refs #34900 -- Fixed ↵Mariusz Felisiak
CommandTypes.test_help_default_options_with_custom_arguments test on Python 3.13+. https://github.com/python/cpython/commit/c4a2e8a2c5188c3288d57b80852e92c83f46f6f3
2024-02-15Refs #30686 -- Removed unused regexes in django.utils.text.Mariusz Felisiak
Unused since 6ee37ada3241ed263d8d1c2901b030d964cbd161.
2024-02-14Fixed #35179 -- Made admindocs detect positional/keyword-only arguments.Salvo Polizzi
2024-02-09Fixed #35175 -- Made migraton writer preserve keyword-only arguments.David Sanders
Thanks Gerald Goh for the report.
2024-02-07Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator.David Smith
2024-02-07Refs #30686 -- Fixed text truncation for negative or zero lengths.David Smith
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-11-28Refs #34986 -- Added PyPy support to ↵Nick Pope
django.utils.autoreload.get_child_arguments(). It seems that `sys._xoptions` is also supported on PyPy.
2023-11-28Refs #34986 -- Fixed mocking in ↵Nick Pope
utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850. Mocking in the `datetime` module can be tricky. In CPython the datetime C module is used, but PyPy uses a pure Python implementation. This caused issues with the prior approach to mocking `datetime.datetime`. See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
2023-11-27Refs #34986 -- Added django.utils.version.PYPY.Nick Pope
2023-11-27Refs #34986 -- Avoided pickling error in DjangoUnicodeDecodeError.Nick Pope
By using the existing object reference instead of a custom one, pickling related issues when running the test suite in parallel can be avoided.
2023-11-24Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable().Nick Pope
2023-11-24Fixed #34818 -- Prevented GenericIPAddressField from mutating error messages.Parth Verma
Co-authored-by: Parth Verma <parth.verma@gmail.com>
2023-10-23Fixed #34899 -- Added blank choice to forms' callable choices lazily.Nick Pope
2023-10-23Refs #34899 -- Extracted Field.flatchoices to flatten_choices helper function.Nick Pope
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23Refs #31262 -- Added __eq__() and __getitem__() to BaseChoiceIterator.Nick Pope
This makes it easier to work with lazy iterators used for callables, etc. when extracting items or comparing to lists, e.g. during testing. Also added `BaseChoiceIterator.__iter__()` to make it clear that subclasses must implement this and added `__all__` to the module. Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23Refs #34118 -- Avoided repeat coroutine checks in MiddlewareMixin.Adam Johnson
2023-10-04Fixed CVE-2023-43665 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report.