summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2013-02-19[1.3.x] Bump version numbers for security release.1.3.6James Bennett
2013-02-12[1.3.x] Added a default limit to the maximum number of forms in a formset.Aymeric Augustin
This is a security fix. Disclosure and advisory coming shortly.
2013-02-12[1.3.x] Checked object permissions on admin history view.Carl Meyer
This is a security fix. Disclosure and advisory coming shortly. Patch by Russell Keith-Magee.
2013-02-12[1.3.x] Restrict the XML deserializer to prevent network and ↵Carl Meyer
entity-expansion DoS attacks. This is a security fix. Disclosure and advisory coming shortly.
2013-02-12[1.3.x] Added ALLOWED_HOSTS setting for HTTP host header validation.Carl Meyer
This is a security fix; disclosure and advisory coming shortly.
2012-12-10[1.3.x] Bump version numbers for security release.1.3.5James Bennett
2012-12-03[1.3.X] Fixed a security issue in get_host.Florian Apolloner
Full disclosure and new release forthcoming.
2012-11-17[1.3.X] Fixed #18856 -- Ensured that redirects can't be poisoned by ↵Florian Apolloner
malicious users.
2012-10-17[1.3.x] Bump version numbers for security release.1.3.4James Bennett
2012-10-17Fixed a security issue related to password resetsPreston Holmes
Full disclosure and new release are forthcoming backport from master
2012-08-01[1.3.x] Bump version numbers for bugfix release.1.3.3James Bennett
2012-08-01[1.3.x] Fixed #18692 -- Restored python 2.4 compatibility.Florian Apolloner
Thanks to chipx86 for the report.
2012-07-30[1.3.x] Bump version numbers for security releases.James Bennett
2012-07-30[1.3.x] Fixed a security issue in http redirects. Disclosure and new release ↵Florian Apolloner
forthcoming. Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master.
2012-07-30[1.3.x] Fixed second security issue in image uploading. Disclosure and ↵Florian Apolloner
release forthcoming. Backport of b1d463468694f2e91fde67221b7996e9c52a9720 from master.
2012-07-30[1.3.x] Fixed a security issue in image uploading. Disclosure and release ↵Florian Apolloner
forthcoming. Backport of dd16b17099b7d86f27773df048c5014cf439b282 from master.
2012-05-28Reverted "[1.3.x] Fixed #18135 -- Close connection used for db version checking"Anssi Kääriäinen
This reverts commit a15d3b58d8c4cbb6137f0458544ec03f3394bb08. Django 1.3.x is in security fixes only state, and this wasn't a security issue.
2012-05-27[1.3.x] Fixed #18135 -- Close connection used for db version checkingMichael Newman
On MySQL when checking the server version, a new connection could be created but never closed. This could result in open connections on server startup. Backport of 4423757c0c50afbe2470434778c8d5e5b4a70925.
2012-03-31[1.3.X] Fixed #17972 -- Ensured that admin filters on a foreign key respect ↵Julien Phalip
the to_field attribute. This fixes a regression introduced in [14674] and Django 1.3. Thanks to graveyboat and Karen Tracey for the report. Backport of r17854 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17857 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-25[1.3.X] Fixed #17634 -- Optimized the performance of MultiValueDict by using ↵Aymeric Augustin
append instead of copy and by minimizing the number of dict lookups. Backport of r17464 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.x] Fixed #16481 -- Adapted one raw SQL query in cull implementation of ↵Aymeric Augustin
the database-based cache backend so it works with Oracle. Backport of r16635 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17805 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.X] Fixed #16677 -- Fixed the future version of the ssi template tag to ↵Aymeric Augustin
work with template file names that contain spaces. Backport of r16687 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17804 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24[1.3.X] Fixed #16812 -- Percent-encode URLs in verify_exists, to fix test ↵Aymeric Augustin
failures on Python 2.5 and 2.6. Backport of r16838 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17803 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-16[1.3.X] Fixed #17908 -- Made some `contrib.markup` tests be skipped so they ↵Julien Phalip
don't fail on old versions of Markdown. Thanks to Preston Holmes for the patch. Backport of r17749 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-14[1.3.X] Fixed #17837. Improved markdown safety.Paul McMillan
Markdown enable_attributes is now False when safe_mode is enabled. Documented the markdown "safe" argument. Added warnings when the safe argument is passed to versions of markdown which cannot be made safe. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17734 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-01[1.3.X] Fixed #17737 -- Stopped the collectstatic management command from ↵Jannis Leidel
copying the wrong file in repeated runs. Thanks, pigletto. Backport from trunk (r17612). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17613 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-22[1.3.X] Don't let ALLOWED_INCLUDE_ROOTS be accidentally set to a string ↵Chris Beaven
rather than a tuple. Backport of r17571 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17572 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18[1.3.x] Fixed #15496 -- Corrected handling of base64 file upload encoding. ↵Aymeric Augustin
Backport of r16176 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17546 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-19[1.3.X] Fixed #17078: properly invoke IPython 0.12.Jacob Kaplan-Moss
Backport of r17379. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17380 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-07[1.3.X] Fixed #17100 -- Typo in the regex for EmailValidator. Backport of ↵Aymeric Augustin
r17349 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17350 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-07[1.3.X] Fixed #17415 -- Reset database sequence for Site's pk after creating ↵Aymeric Augustin
the default site with an explicit pk. Backport of r17343 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17344 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-11[1.3.X] Fixed #16632 -- Crash on responses without Content-Type with IE. ↵Aymeric Augustin
Backport of r17196. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17198 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-03[1.3.X] Backported the fix for #15852 -- Modified cookie parsing so it can ↵Aymeric Augustin
handle duplicate invalid cookie names. Thanks goes to Fredrik Stålnacke for the report and to vung for the patch. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17168 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22[1.3.X] Reverting r16878 (improved admin error message) per advice from ↵Paul McMillan
jezdez. refs #16837 git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16891 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22[1.3.X] Fixed #16837 -- Improved error messages for admin login. Thanks Wim ↵Paul McMillan
Feijen for the patch. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16878 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-21[1.3.X] Fixed #16353 -- don't try to create Site objects on all databases. ↵Carl Meyer
Refs #15573, #15346. Thanks Aymeric Augustin for the report and the patch. Backport of r16868 in trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16869 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-17[1.3.X] Fixed #14648 -- Fixed annotated date querysets when `GeoManager` is ↵Justin Bronn
used. Thanks, codysoyland, for the bug report. Backport of r16796 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16844 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-16[1.3.X] Reverted the change in r16684, which, while fixing an alignment ↵Julien Phalip
issue in IE7 with the admin's "Save and continue editing" and "Save and add another" buttons, caused the swapping of those buttons' order. Thanks to jocmeh for the report. Refs #16852. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Bump to 1.3.1 for security release.1.3.1James Bennett
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16767 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Altered the behavior of URLField to avoid a potential DOS vector, ↵Russell Keith-Magee
and to avoid potential leakage of local filesystem data. A security announcement will be made shortly. Backport of r16760 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16763 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Corrected an issue which could allow attackers to manipulate session ↵Russell Keith-Magee
data using the cache. A security announcement will be made shortly. Backport of r16759 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16762 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10[1.3.X] Added protection against spoofing of X_FORWARDED_HOST headers. A ↵Russell Keith-Magee
security announcement will be made shortly. Backport of r16758 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16761 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09[1.3.X] Fixed #16408 -- Fixed conversion of dates, and other problems with ↵Justin Bronn
the SpatiaLite backend. Backport of r16749 and r16750 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16751 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-25[1.3.X] Fixed a small admin CSS issue where the "Save and continue editing" ↵Julien Phalip
and "Save and add another" buttons were wrongly aligned with left-to-right languages in IE7. Backport of r16683 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16684 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #16201 -- Ensure that requests with Content-Length=0 don't ↵Russell Keith-Magee
break the multipart parser. Thanks to albsen for the report and patch Backport of r16353 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16676 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #16299 -- Ensure that unicode strings can be used to identify ↵Russell Keith-Magee
classes in ForeignKey and ManyToManyFields. Unicode strings aren't actually legal as class names, but this is an issue if you use from __future__ import unicode_literals in your models.py file. Thanks to Martijn Bastiaan for the report, and Anthony Briggs for the final patch. Backport of r16663 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #15499 -- Ensure that cache control headers don't try to set ↵Russell Keith-Magee
public and private as a result of multiple calls to patch_cache_control with different arguments. Thanks to AndiDog for the report and patch. Backport of r16657 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #10571 -- Factored out the payload encoding code to make sure ↵Russell Keith-Magee
it is used for PUT requests. Thanks to kennu for the report, pterk for the patch, and wildfire for the review comments. Backport of r16651 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16672 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23[1.3.X] Fixed #14876 -- Ensure that join promotion works correctly when ↵Russell Keith-Magee
there are nullable related fields. Thanks to simonpercivall for the report, oinopion and Aleksandra Sendecka for the original patch, and to Malcolm for helping me wrestle the edge cases to the ground. Backport of r16648 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29[1.3.X] Fixed #16531 -- Fixed various instances of "undefined name" issues. ↵Jannis Leidel
Thanks, Bruno Renié. Backport from trunk (r16557). git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16571 bcc190cf-cafb-0310-a4f2-bffc1f526a37