| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
Extracted the repeated `split(",")` + per-token `.strip()` pattern into
a `split_header_value()` generator in django/utils/http.py. The previous
`cc_delim_re` regex only stripped whitespace adjacent to the comma
delimiter, leaving leading or trailing whitespace on the first and last
tokens. Now, `split_header_value()` strips every token fully, matching
RFC 9110's optional-whitespace rules.
Thanks to Shai Berger, Jacob Walls, and Sarah Boyce for reviews.
|
|
values.
Thanks to Navid Rezazadeh for the report and Jacob Walls for review.
|
|
Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews.
Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com>
|
|
|
|
See DEP 0018.
Added:
* MAILERS setting.
* django.core.mail.mailers dict-like EmailBackend factory.
* `using` argument to mail sending APIs.
* `sent_using` attribute to mail.outbox messages in locmem backend.
* MAILERS in startproject settings template, set to console backend.
* AdminLogHandler.using argument.
* BrokenLinkEmailsMiddleware.send_mail() method.
Updated:
* BaseEmailBackend to track the MAILERS alias used to construct it, and
to report errors for unknown kwargs (OPTIONS).
* EmailBackend implementations to initialize from kwargs (OPTIONS) only
when MAILERS is being used.
* smtp.EmailBackend to require `host` option and to default `port`
option based on SSL/TLS options.
* SimpleTestCase setup to substitute the locmem backend for all defined
MAILERS configurations.
* Django's tests that send mail to define MAILERS.
Deprecated:
* EMAIL_BACKEND and other backend-related EMAIL_* settings.
* mail.get_connection().
* The `connection`, `fail_silently`, `auth_user`, and `auth_password`
arguments to mail functions.
* The EmailMessage.connection attribute.
* BaseEmailBackend support for `fail_silently`. Backends that support
fail_silently (SMTP, console, file) now implement it directly.
* AdminEmailHandler.email_backend argument.
Removed undocumented features without deprecation:
* EmailMessage.get_connection() method. (send() now raises an error if a
subclass has attempted to override it.)
* EmailMessage.send() no longer sets self.connection to the connection
used for sending. (It still _uses_ a pre-existing self.connection.)
* AdminEmailHandler.connection() method. (Init now raises an error if a
subclass has attempted to override it.)
Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive
reviews and suggestions on the implementation.
Thanks to Jacob Rief for the initial implementation and multiple
iterations while refining the design.
Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
|
|
on Python 3.15.
https://github.com/python/cpython/pull/149457
|
|
New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce
inclusion into `<script>` and `<link>` elements.
`{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is
present in the template context, and renders nothing otherwise.
`{% csp_nonce_attr media %}` renders a `Media` object's assets with the
nonce attr applied to each tag.
Thanks Jacob Walls for the accurate and spot on review comments.
Co-authored-by: Johannes Maron <johannes@maron.family>
|
|
algorithm.
Deprecated the default value of the algorithm argument in
django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(),
which will change from 'sha1' to 'sha256' in Django 7.0.
|
|
Ensure skip_file_prefixes does not match sibling packages like django*.
Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e
and 34bd3ed944bf38792c631b55e581963d44d52284.
|
|
Implemented a new `warn_about_external_use()` helper to conditionally
issue warnings depending on whether a deprecated feature is used from
within Django.
Fixed `LazySettings._show_deprecation_warning()` (Refs #26029) to work
correctly when called from anywhere in `LazySettings`. Previously, it
assumed a specific code path through `LazyObject.__getattribute__()` and
an `@property` getter on `LazySettings`.
|
|
|
|
Added a fast-path to parse_header_parameters
Benchmark results (50,000 iterations):
- Simple headers: ~73% improvement
Thanks Nick Pope (@ngnpope) for the review.
|
|
As the oldest supported version is Django 5.2, we only need constants for PY310+.
|
|
A TypeError is now raised if fail_silently=True, auth_user, or auth_password
are provided along a connection.
Updated AdminEmailHandler in django.utils.log to remove redundant
fail_silently=True.
Thanks Mike Edmunds for the report and Jacob Tyler Walls for the review.
|
|
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
This avoids latency and/or blocking.
The example of streaming a CSV file was rewritten to employ batching for
greater efficiency in all layers (db, HTTP, etc.). The improved
performance from batching should outweigh the drag introduced by an
additional byte for each flush.
Co-authored-by: huoyinghui <huoyinghui@users.noreply.github.com>
|
|
system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
|
|
imported by namespace.
|
|
references from HTML truncation docs.
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
Detect when `SimpleLazyObject._setupfunc` is a bound method of the same
instance to use a safe representation and avoid infinite recursion.
|
|
Moved nonce generation in ``django.utils.csp.LazyNonce`` to a function
to avoid infinite recursion in ``SimpleLazyObject.__repr__`` for
unevaluated instances.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Replaced instances of mark_safe('some string literal') with
SafeString to avoid the overhead of managing lazy objects.
Thanks Tim McCurrach for the idea and David Smith and Jacob Walls
for reviews.
|
|
|
|
Ideally, this will be reverted when an upstream solution is available for
https://github.com/python/cpython/issues/141560.
Thanks Patrick Rauscher for the report and Augusto Pontes for the
first iteration and test.
|
|
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
|
|
Python 3.15 defaults suggest_on_error=True, but the feature is available
from 3.14, so this change opts in earlier. This change can be reverted
when Python 3.15 is the minimum supported version.
|
|
|
|
Thanks Mustafa Barakat for the report, Baptiste Mispelon for
the triage, and Jake Howard for the review.
|
|
|
|
Repeated string concatenation performs poorly on PyPy.
Thanks Seokchan Yoon for the report.
|
|
Thanks Mehraz Hossain Rumman for the report and Bruno Alla for the triage.
Regression in a9fe98d5bd4212d069afe8316101984aadecfbb2.
|
|
annotations.
In Python 3.14, annotations are deferred by default, so we should not
assume that the names in them have been imported unconditionally.
|
|
|
|
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based of `log_response()` via factoring out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
|
|
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
|
|
This work implements what was defined in DEP 14
(https://github.com/django/deps/blob/main/accepted/0014-background-workers.rst).
Thanks to Raphael Gaschignard, Eric Holscher, Ran Benita, Sarah Boyce,
Jacob Walls, and Natalia Bidart for the reviews.
|
|
by leveraging stdlid's Message."
This partially reverts commit 9aabe7eae3eeb3e64c5a0f3687118cd806158550.
The simplification of parse_header_parameters using stdlib's Message
is reverted due to a performance regression. The check for the header
maximum length remains in place, per Security Team guidance.
Thanks to David Smith for reporting the regression, and Jacob Walls for
the review.
|
|
|
|
input.
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
|
|
favor of hmac.compare_digest().
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
Language.
Introduced `{% partialdef %}` and `{% partial %}` template tags to
define and render reusable named fragments within a template file.
Partials can also be accessed using the `template_name#partial_name`
syntax via `get_template()`, `render()`, `{% include %}`, and other
template-loading tools.
Adjusted `get_template()` behavior to support partial resolution, with
appropriate error handling for invalid names and edge cases. Introduced
`PartialTemplate` to encapsulate partial rendering behavior.
Includes tests and internal refactors to support partial context
binding, exception reporting, and tag validation.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
