| Age | Commit message (Collapse) | Author |
|
`log_response()`.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
|
|
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
|
|
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
|
|
url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.
Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
|
|
https://github.com/PyCQA/flake8/releases/tag/7.2.0
Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main
|
|
filter.
Thanks sw0rd1ight for the report.
Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
|
|
Removed obsolete and potentially problematic IDNA 2003 ("punycode")
encoding of international domain names in smart_urlquote() and Urlizer,
which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc
template filters. Changed to use percent-encoded UTF-8, which defers
IDNA details to the browser (like other URLs rendered by Django).
Backport of 29ba75e6e57414f0e6f9528d08a520b8b931fb28 from main.
|
|
Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.
|
|
for non-string values.
Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
|
|
|
|
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
To use the simple `filename="..."` form, the value must conform to the
official grammar from RFC6266[^1]:
filename-parm = "filename" "=" value
value = <value, defined in [RFC2616], Section 3.6>
; token | quoted-string
The `quoted-string` definition comes from RFC 9110[^2]:
```
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs. Recipients that
process the value of a quoted-string MUST handle a quoted-pair as if
it were replaced by the octet following the backslash.
quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
```
That is, quoted strings are able to express horizontal tabs, space
characters, and everything in the range from 0x21 to 0x7e, expect for
0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be
escaped with their own `\`.
We ignore the case of `obs-text`, which is defined as the range
0x80-0xFF, since its presence is there for permissive parsing of
accidental high-bit characters, and it should not be generated by
conforming implementations.
Transform this character range into a regex and apply it in addition
to the "is ASCII" check. This ensures that all simple filenames are
expressed in the simple format, and that all filenames with newlines
and other control characters are properly expressed with the
percent-encoded `filename*=...`form.
[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
|
|
Urlizer was not properly encoding email addresses containing punctuation
in generated mailto links. Per RFC 6068, fixed by percent encoding
(urllib.parse.quote) the local and domain address parts.
|
|
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
|
|
3.14+.
Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to address changes in Python 3.14+ error handling.
|
|
|
|
|
|
template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
|
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
|
|
gettext 0.19 was released in 2014.
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
|
|
non-string RHS.
This change ensures SafeString addition operations handle non-string RHS
properly, allowing them to implement __radd__ for better compatibility.
|
|
django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
template filters.
Thanks to MProgrammer for the report.
|
|
get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
|
|
Unused since ff419de263138e905dff44c5cb806310c70f32aa.
|
|
get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.
Thanks to MProgrammer for the report.
|
|
template filters.
Thank you to Elias Myllymäki for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
|
|
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
|
|
|
|
As the oldest supported version is Django 4.2, we only need constants for PY38+.
Thank you to Mariusz Felisiak for the review.
|
|
|
|
|
|
CommandTypes.test_help_default_options_with_custom_arguments test on Python 3.13+.
https://github.com/python/cpython/commit/c4a2e8a2c5188c3288d57b80852e92c83f46f6f3
|
|
Unused since 6ee37ada3241ed263d8d1c2901b030d964cbd161.
|
|
|
|
Thanks Gerald Goh for the report.
|
|
|
|
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
django.utils.autoreload.get_child_arguments().
It seems that `sys._xoptions` is also supported on PyPy.
|
|
utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.
Mocking in the `datetime` module can be tricky. In CPython the datetime
C module is used, but PyPy uses a pure Python implementation. This
caused issues with the prior approach to mocking `datetime.datetime`.
See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
|
|
|
|
By using the existing object reference instead of a custom one, pickling
related issues when running the test suite in parallel can be avoided.
|
|
|
|
Co-authored-by: Parth Verma <parth.verma@gmail.com>
|
|
|
|
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
|