summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2012-07-30[1.3.x] Bump version numbers for security releases.James Bennett
2012-07-30[1.3.x] Fixed a security issue in http redirects. Disclosure and new release ↵Florian Apolloner
forthcoming. Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master.
2012-07-30[1.3.x] Fixed second security issue in image uploading. Disclosure and ↵Florian Apolloner
release forthcoming. Backport of b1d463468694f2e91fde67221b7996e9c52a9720 from master.
2012-07-30[1.3.x] Fixed a security issue in image uploading. Disclosure and release ↵Florian Apolloner
forthcoming. Backport of dd16b17099b7d86f27773df048c5014cf439b282 from master.
2012-05-28Reverted "[1.3.x] Fixed #18135 -- Close connection used for db version checking"Anssi Kääriäinen
This reverts commit a15d3b58d8c4cbb6137f0458544ec03f3394bb08. Django 1.3.x is in security fixes only state, and this wasn't a security issue.
2012-05-27[1.3.x] Fixed #18135 -- Close connection used for db version checkingMichael Newman
On MySQL when checking the server version, a new connection could be created but never closed. This could result in open connections on server startup. Backport of 4423757c0c50afbe2470434778c8d5e5b4a70925.
2012-03-31[1.3.X] Fixed #17972 -- Ensured that admin filters on a foreign key respect ↵Julien Phalip
the to_field attribute. This fixes a regression introduced in [14674] and Django 1.3. Thanks to graveyboat and Karen Tracey for the report. Backport of r17854 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17857 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-25[1.3.X] Fixed #17634 -- Optimized the performance of MultiValueDict by using ↵Aymeric Augustin
append instead of copy and by minimizing the number of dict lookups. Backport of r17464 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.x] Fixed #16481 -- Adapted one raw SQL query in cull implementation of ↵Aymeric Augustin
the database-based cache backend so it works with Oracle. Backport of r16635 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17805 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.X] Fixed #16677 -- Fixed the future version of the ssi template tag to ↵Aymeric Augustin
work with template file names that contain spaces. Backport of r16687 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17804 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.X] Fixed #16812 -- Percent-encode URLs in verify_exists, to fix test ↵Aymeric Augustin
failures on Python 2.5 and 2.6. Backport of r16838 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17803 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-16[1.3.X] Fixed #17908 -- Made some `contrib.markup` tests be skipped so they ↵Julien Phalip
don't fail on old versions of Markdown. Thanks to Preston Holmes for the patch. Backport of r17749 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14[1.3.X] Fixed #17837. Improved markdown safety.Paul McMillan
Markdown enable_attributes is now False when safe_mode is enabled. Documented the markdown "safe" argument. Added warnings when the safe argument is passed to versions of markdown which cannot be made safe. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-01[1.3.X] Fixed #17737 -- Stopped the collectstatic management command from ↵Jannis Leidel
copying the wrong file in repeated runs. Thanks, pigletto. Backport from trunk (r17612). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17613 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-22[1.3.X] Don't let ALLOWED_INCLUDE_ROOTS be accidentally set to a string ↵Chris Beaven
rather than a tuple. Backport of r17571 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17572 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18[1.3.x] Fixed #15496 -- Corrected handling of base64 file upload encoding. ↵Aymeric Augustin
Backport of r16176 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17546 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-19[1.3.X] Fixed #17078: properly invoke IPython 0.12.Jacob Kaplan-Moss
Backport of r17379. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17380 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-07[1.3.X] Fixed #17100 -- Typo in the regex for EmailValidator. Backport of ↵Aymeric Augustin
r17349 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17350 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-07[1.3.X] Fixed #17415 -- Reset database sequence for Site's pk after creating ↵Aymeric Augustin
the default site with an explicit pk. Backport of r17343 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17344 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-11[1.3.X] Fixed #16632 -- Crash on responses without Content-Type with IE. ↵Aymeric Augustin
Backport of r17196. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17198 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-03[1.3.X] Backported the fix for #15852 -- Modified cookie parsing so it can ↵Aymeric Augustin
handle duplicate invalid cookie names. Thanks goes to Fredrik Stålnacke for the report and to vung for the patch. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17168 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22[1.3.X] Reverting r16878 (improved admin error message) per advice from ↵Paul McMillan
jezdez. refs #16837 git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16891 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22[1.3.X] Fixed #16837 -- Improved error messages for admin login. Thanks Wim ↵Paul McMillan
Feijen for the patch. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16878 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-21[1.3.X] Fixed #16353 -- don't try to create Site objects on all databases. ↵Carl Meyer
Refs #15573, #15346. Thanks Aymeric Augustin for the report and the patch. Backport of r16868 in trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16869 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-17[1.3.X] Fixed #14648 -- Fixed annotated date querysets when `GeoManager` is ↵Justin Bronn
used. Thanks, codysoyland, for the bug report. Backport of r16796 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16844 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-16[1.3.X] Reverted the change in r16684, which, while fixing an alignment ↵Julien Phalip
issue in IE7 with the admin's "Save and continue editing" and "Save and add another" buttons, caused the swapping of those buttons' order. Thanks to jocmeh for the report. Refs #16852. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Bump to 1.3.1 for security release.1.3.1James Bennett
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16767 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Altered the behavior of URLField to avoid a potential DOS vector, ↵Russell Keith-Magee
and to avoid potential leakage of local filesystem data. A security announcement will be made shortly. Backport of r16760 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16763 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Corrected an issue which could allow attackers to manipulate session ↵Russell Keith-Magee
data using the cache. A security announcement will be made shortly. Backport of r16759 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16762 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Added protection against spoofing of X_FORWARDED_HOST headers. A ↵Russell Keith-Magee
security announcement will be made shortly. Backport of r16758 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16761 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09[1.3.X] Fixed #16408 -- Fixed conversion of dates, and other problems with ↵Justin Bronn
the SpatiaLite backend. Backport of r16749 and r16750 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16751 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-25[1.3.X] Fixed a small admin CSS issue where the "Save and continue editing" ↵Julien Phalip
and "Save and add another" buttons were wrongly aligned with left-to-right languages in IE7. Backport of r16683 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16684 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #16201 -- Ensure that requests with Content-Length=0 don't ↵Russell Keith-Magee
break the multipart parser. Thanks to albsen for the report and patch Backport of r16353 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16676 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #16299 -- Ensure that unicode strings can be used to identify ↵Russell Keith-Magee
classes in ForeignKey and ManyToManyFields. Unicode strings aren't actually legal as class names, but this is an issue if you use from __future__ import unicode_literals in your models.py file. Thanks to Martijn Bastiaan for the report, and Anthony Briggs for the final patch. Backport of r16663 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #15499 -- Ensure that cache control headers don't try to set ↵Russell Keith-Magee
public and private as a result of multiple calls to patch_cache_control with different arguments. Thanks to AndiDog for the report and patch. Backport of r16657 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #10571 -- Factored out the payload encoding code to make sure ↵Russell Keith-Magee
it is used for PUT requests. Thanks to kennu for the report, pterk for the patch, and wildfire for the review comments. Backport of r16651 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16672 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #14876 -- Ensure that join promotion works correctly when ↵Russell Keith-Magee
there are nullable related fields. Thanks to simonpercivall for the report, oinopion and Aleksandra Sendecka for the original patch, and to Malcolm for helping me wrestle the edge cases to the ground. Backport of r16648 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29[1.3.X] Fixed #16531 -- Fixed various instances of "undefined name" issues. ↵Jannis Leidel
Thanks, Bruno Renié. Backport from trunk (r16557). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16571 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-14[1.3.X] Reverted [14563] because it introduced a dependency from core on a ↵Ramiro Morales
contrib app (contenttypes). Fixes #16283, Refs #3055. Thanks TheRoSS for the report and Aymeric Augustin for finding the problem. This caused models shipped with some contrib apps to pollute the namespace when user's apps had the same name (e.g. auth, sites), even when these contrib apps weren't installed. This undesired loading of contrib apps happened when model validation was executed, for example when running management commands that set or inherit `requires_model_validation=True`: cleanup, dumpdata, flush, loaddata, reset, runfcgi, sql, sqlall, sqlclear, sqlcustom, sqlflush, sqlindexes, sqlinitialdata, sqlreset, sqlsequencereset, syncdb, createsuperusers, ping_google, collectstatic, findstatic. This could also cause hard to diagnose problems e.g. when performing reverse URL resolving. Backport of [16493] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-18[1.3.X] Fixed #16292 -- Removed broken link for Swiss localflavor ↵Jannis Leidel
documentation. Thanks, BernhardEssl. Backport from trunk (r16435). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16436 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-04[1.3.X] Fix #15880: Prevent "stalling" when running dev server in background ↵Karen Tracey
by ignoring SIGTTOU for the duration of tcsetattr. Backport of [16326] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16327 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-02[1.3.X] Fixed #16144 - layout of admin changelist broken for RTL languages.Luke Plant
Backport of [16314] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16315 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-30[1.3.X] Fixed #15776 - delete regression in Django 1.3 involving nullable ↵Luke Plant
foreign keys Many thanks to aaron.l.madison for the detailed report and to emulbreh for the fix. Backport of [16295] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16296 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-25[1.3.X] Fixed #16004 - csrf_protect does not send cookie if view returns ↵Luke Plant
TemplateResponse The root bug was in decorator_from_middleware, and the fix also corrects bugs with gzip_page and other decorators. Backport of [16276] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16279 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-10[1.3.X] Fixed #13648 - '%s' escaping support for sqlite3 regression.Luke Plant
Thanks to master for the report and initial patch, and salgado and others for work on the patch. Backport of [16209] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16210 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-23[1.3.X] Fixed #15819 - Fixed 1.3 regression from r15526 causing duplicate ↵Carl Meyer
search results in admin with search_fields traversing to non-M2M related models. Thanks to Adam Kochanowski for the report and Ryan Kaskel for the patch. Backport of r16093 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22[1.3.X] Fixes regression #15721 -- {% include %} and RequestContext not ↵Chris Beaven
working together. Refs #15814. Backport of r16031, plus the utility from r16030. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16089 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22[1.3.X] Fixed #15758 -- Removed stale constants that were missed in r15983.Jannis Leidel
Backport from trunk (r16084). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16085 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22[1.3.X] Fixed #15672 -- Refined changes made in r15918. Thanks, vung.Jannis Leidel
Backport from trunk (r16082). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16083 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22[1.3.X] Fixed #15698 -- Fixed inconsistant handling of context_object_name ↵Jannis Leidel
in paginated MultipleObjectMixin views. Thanks, Dave Hall. Backport from trunk (r16079). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16080 bcc190cf-cafb-0310-a4f2-bffc1f526a37