summaryrefslogtreecommitdiff
path: root/django/utils
AgeCommit message (Collapse)Author
2025-12-01[6.0.x] Fixed #36712 -- Evaluated type annotations lazily in template tag ↵Jacob Walls
registration. Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test. Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main.
2025-11-26[6.0.x] Fixed #36743 -- Increased URL max length enforced in ↵varunkasyap
HttpResponseRedirectBase. Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
2025-11-18[6.0.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__().varunkasyap
Thanks Mustafa Barakat for the report, Baptiste Mispelon for the triage, and Jake Howard for the review. Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.
2025-11-05[6.0.x] Fixed #36710 -- Fixed a regression in urlize for multipart domain names.Mehraz Hossain Rumman
Thanks Mehraz Hossain Rumman for the report and Bruno Alla for the triage. Regression in a9fe98d5bd4212d069afe8316101984aadecfbb2. Backport of 125b63ca745bace1e098ed3c7362d59136f68a8b from main.
2025-10-31[6.0.x] Fixed #36696 -- Fixed NameError when inspecting functions with ↵Patrick Rauscher
deferred annotations. In Python 3.14, annotations are deferred by default, so we should not assume that the names in them have been imported unconditionally. Backport of 601914722956cc41f1f2c53972d669ddee6ffc04 from main.
2025-10-21[6.0.x] Fixed #36656 -- Avoided truncating async streaming responses in ↵Adam Johnson
GZipMiddleware. Backport of a0323a0c44135c28134672e6e633e5f4a7a68d5d from main.
2025-10-20[6.0.x] Fixed #36470 -- Prevented log injection in runserver when handling ↵YashRaj1506
NOT FOUND. Migrated `WSGIRequestHandler.log_message()` to use a more robust `log_message()` helper, which was based of `log_response()` via factoring out the common bits. Refs CVE-2025-48432. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9bb83925d6c231e964f8b54efbc982fb1333da27 from main.
2025-10-01[6.0.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-09-25[6.0.x] Fixed #36434 -- Preserved unbuffered stdio (-u) in autoreloader child.SaJH
Signed-off-by: SaJH <wogur981208@gmail.com> Backport of 68aae8878ff90dd787db55ecc44ee712525ccdc6 from main.
2025-09-16Fixed #35859 -- Added background Tasks framework interface.Jake Howard
This work implements what was defined in DEP 14 (https://github.com/django/deps/blob/main/accepted/0014-background-workers.rst). Thanks to Raphael Gaschignard, Eric Holscher, Ran Benita, Sarah Boyce, Jacob Walls, and Natalia Bidart for the reviews.
2025-09-15Fixed #36520 -- Reverted "Fixed #35440 -- Simplified parse_header_parameters ↵Natalia
by leveraging stdlid's Message." This partially reverts commit 9aabe7eae3eeb3e64c5a0f3687118cd806158550. The simplification of parse_header_parameters using stdlib's Message is reverted due to a performance regression. The check for the header maximum length remains in place, per Security Team guidance. Thanks to David Smith for reporting the regression, and Jacob Walls for the review.
2025-09-12Refs #35667 -- Cached Django file prefixes for warnings.Adam Johnson
2025-08-28Fixed #35533 -- Prevented urlize creating broken links given a markdown link ↵SaJH
input. Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-27Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵Sarah Boyce
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵SaJH
favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-14Fixed #36410 -- Added support for Template Partials to the Django Template ↵farhan
Language. Introduced `{% partialdef %}` and `{% partial %}` template tags to define and render reusable named fragments within a template file. Partials can also be accessed using the `template_name#partial_name` syntax via `get_template()`, `render()`, `{% include %}`, and other template-loading tools. Adjusted `get_template()` behavior to support partial resolution, with appropriate error handling for invalid names and edge cases. Introduced `PartialTemplate` to encapsulate partial rendering behavior. Includes tests and internal refactors to support partial context binding, exception reporting, and tag validation. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23Refs #36500 -- Shortened some long docstrings and comments.Mike Edmunds
Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2025-07-16Fixed #36477, Refs #36163 -- Added @deprecate_posargs decorator to simplify ↵Mike Edmunds
deprecation of positional arguments. This helper allows marking positional-or-keyword parameters as keyword-only with a deprecation period, in a consistent and correct manner.
2025-06-27Fixed #15727 -- Added Content Security Policy (CSP) support.Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-04Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.Natalia
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
2025-05-06Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-04-23Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-04-02Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report.
2025-03-31Refs #28909 -- Simplified code using unpacking generalizations.Aarni Koskela
2025-03-30Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0
2025-03-27Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlid's ↵Khudyakov Artem
Message. The `parse_header_parameters` function historically used Python's `cgi` module (now deprecated). In 34e2148fc725e7200050f74130d7523e3cd8507a, the logic was inlined to work around this deprecation ( #33173). Later, in d4d5427571b4bf3a21c902276c2a00215c2a37cc, the header parsing logic was further cleaned up to align with `multipartparser.py` (#33697). This change takes it a step further by replacing the copied `cgi` logic with Python's `email.message.Message` API for a more robust and maintainable header parsing implementation. Thanks to Raphael Gaschignard for testing, and to Adam Johnson and Shai Berger for reviews. Co-authored-by: Ben Cail <bcail@crossway.org> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-03-19Fixed #36000 -- Deprecated HTTP as the default protocol in urlize and ↵Ahmed Nassar
urlizetrunc.
2025-03-06Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.Sarah Boyce
Thanks sw0rd1ight for the report.
2025-02-18Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.Mariusz Felisiak
datetime.UTC was added in Python 3.11.
2025-02-16Refs #35704 -- Used copy.replace() in Operation.reduce() methods.Adam Johnson
2025-01-23Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.Mike Edmunds
Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django).
2025-01-20Fixed #36017 -- Used EmailValidator in urlize to detect emails.greg
2025-01-15Advanced deprecation warnings for Django 6.0.Sarah Boyce
2025-01-15Refs #34983 -- Removed django.utils.itercompat per deprecation timeline.Sarah Boyce
2025-01-15Refs #34609 -- Removed support for calling format_html() without arguments ↵Sarah Boyce
per deprecation timeline.
2025-01-15Fixed #36098 -- Fixed validate_ipv6_address()/validate_ipv46_address() crash ↵Mariusz Felisiak
for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
2025-01-14Fixed #35998 -- Added caching to django.utils.html.urlize().Sarah Boyce
2025-01-14Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Michael Manfre
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-01-07Fixed #36023 -- Handled controls chars in content_disposition_header.Alex Vandiver
To use the simple `filename="..."` form, the value must conform to the official grammar from RFC6266[^1]: filename-parm = "filename" "=" value value = <value, defined in [RFC2616], Section 3.6> ; token | quoted-string The `quoted-string` definition comes from RFC 9110[^2]: ``` quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text The backslash octet ("\") can be used as a single-octet quoting mechanism within quoted-string and comment constructs. Recipients that process the value of a quoted-string MUST handle a quoted-pair as if it were replaced by the octet following the backslash. quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) A sender SHOULD NOT generate a quoted-pair in a quoted-string except where necessary to quote DQUOTE and backslash octets occurring within that string. ``` That is, quoted strings are able to express horizontal tabs, space characters, and everything in the range from 0x21 to 0x7e, expect for 0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be escaped with their own `\`. We ignore the case of `obs-text`, which is defined as the range 0x80-0xFF, since its presence is there for permissive parsing of accidental high-bit characters, and it should not be generated by conforming implementations. Transform this character range into a regex and apply it in addition to the "is ASCII" check. This ensures that all simple filenames are expressed in the simple format, and that all filenames with newlines and other control characters are properly expressed with the percent-encoded `filename*=...`form. [^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1 [^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
2024-12-17Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.Mike Edmunds
Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts.
2024-12-04Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-10-25Refs #35844 -- Corrected expected error messages in commands tests on Python ↵Tainara Palmeira
3.14+. Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to address changes in Python 3.14+ error handling.
2024-09-18Fixed #35766 -- Handled slices in BaseChoiceIterator.Sarah Boyce
2024-09-16Fixed #34221 -- Honored translation precedence with mixed plural forms.Claude Paroz
2024-09-03Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-30Fixed #35083 -- Updated method_decorator to handle async methods.Vaarun Sinha
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2024-08-30Dropped safeguards against very old versions of gettext.Claude Paroz
gettext 0.19 was released in 2014.
2024-08-27Refs #34609 -- Fixed deprecation warning stack level in format_html().Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com>