summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2019-08-01[2.1.x] Bumped version for 2.1.11 release.2.1.11Carlton Gibson
2019-07-31[2.1.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in ↵Florian Apolloner
django.utils.encoding.uri_to_iri(). Thanks to Guido Vranken for initial report.
2019-07-31[2.1.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and ↵Mariusz Felisiak
index lookups against SQL injection. Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews.
2019-07-29[2.1.X] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in ↵Florian Apolloner
strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report.
2019-07-29[2.1.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues ↵Florian Apolloner
when truncating HTML. Thanks to Guido Vranken for initial report.
2019-07-01[2.1.x] Post-release version bump.Mariusz Felisiak
2019-07-01[2.1.x] Bumped version for 2.1.10 release.2.1.10Mariusz Felisiak
2019-07-01[2.1.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust ↵Carlton Gibson
SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master
2019-06-21[2.1.x] Bumped minimum ESLint version to 4.18.2.Markus Holtermann
Backport of ad7b438002f1ab2a0ccb321012182991737ea84e from master.
2019-06-03[2.1.x] Post-release version bump.Carlton Gibson
2019-06-03[2.1.x] Bumped version for 2.1.9 release.2.1.9Carlton Gibson
2019-06-03[2.1.x] Applied jQuery patch for CVE-2019-11358.Carlton Gibson
Backport of 34ec52269ade54af31a021b12969913129571a3f from master.
2019-06-03[2.1.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before ↵Carlton Gibson
rendering clickable link. Backport of deeba6d92006999fee9adfbd8be79bf0a59e8008 from master.
2019-04-01[2.1.x] Post-release version bump.Carlton Gibson
2019-04-01[2.1.x] Bumped version for 2.1.8 release.2.1.8Carlton Gibson
2019-03-30[2.1.x] Fixed #30289 -- Prevented admin inlines for a ManyToManyField's ↵Tim Graham
implicit through model from being editable if the user only has the view permission. Backport of 8335d59200e4c64dfe3348ea93989d95e0107439 from master.
2019-03-03[2.1.x] Reverted "Fixed relative paths imports per isort 4.3.5."Mariusz Felisiak
This reverts commit 463fe11bc8b2d068e447c5df677e7a31c2af7e03 due to restore of relative paths sorting from isort < 4.3.5 in isort 4.3.10. Backport of b435f82939edf70674856e0e1cd63973c2e0a1d1 from master
2019-02-25[2.1.x] Fixed relative paths imports per isort 4.3.5.Mariusz Felisiak
Backport of 463fe11bc8b2d068e447c5df677e7a31c2af7e03 from master
2019-02-11[2.1.x] Post-release version bump.Tim Graham
2019-02-11[2.1.x] Bumped version for 2.1.7 release.2.1.7Carlton Gibson
2019-02-11[2.1.x] Bumped version for 2.1.6 release.2.1.6Carlton Gibson
2019-02-11[2.1.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in ↵Carlton Gibson
utils.numberformat.format(). Thanks Sjoerd Job Postmus for the report and initial patch. Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master
2019-01-30[2.1.x] Fixed E117 and F405 flake8 warnings.Mariusz Felisiak
Backport of 5a5c77d55dc85c7e6cf910243257e408887f412a from master
2019-01-17[2.1.x] Refs #30097 -- Fixed typos in InlineModelAdmin.has_add_permission() ↵Tim Graham
deprecation comments. Backport of ee9bd8c31024ec424157798b2a60a7f52f9353ee from stable/2.2.x.
2019-01-11[2.1.x] Fixed #30097 -- Made 'obj' arg of ↵MaximZemskov
InlineModelAdmin.has_add_permission() optional. Restored backwards compatibility after refs #27991. Regression in be6ca89396c031619947921c81b8795d816e3285. Backport of 3c01fe30f3dd4dc1c8bb4fec816bd277d1ae5fa6 from master.
2019-01-04[2.1.x] Post-release version bump.Tim Graham
2019-01-04[2.1.x] Bumped version for 2.1.5 release.2.1.5Tim Graham
2019-01-03[2.1.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in ↵Tom Hacohen
the default 404 page. Co-Authored-By: Tim Graham <timograham@gmail.com> Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
2019-01-01[2.1.x] Fixed #30050 -- Fixed InlineModelAdmin.has_change_permission() ↵Tim Graham
called with non-None obj during add. Thanks andreage for the report and suggested fix. Backport of 02c07be95c47efaab9da7422c33ee76142f11336 from master.
2018-12-20[2.1.x] Fixed #30015 -- Ensured request body is properly consumed for ↵Konstantin Alekseev
keep-alive connections. Backport of b514dc14f4e1c364341f5931b354e83ef15ee12d and bbe28fa07658f00786dc1d91ee281b4daac22d07 from master.
2018-12-17[2.1.x] Fixed #30023 -- Prevented SQLite schema alterations while foreign ↵Simon Charette
key checks are enabled. Prior to this change foreign key constraint references could be left pointing at tables dropped during operations simulating unsupported table alterations because of an unexpected failure to disable foreign key constraint checks. SQLite3 does not allow disabling such checks while in a transaction so they must be disabled beforehand. Thanks ezaquarii for the report and Carlton and Tim for the review. Backport of 315357ad25a6590e7f4564ec2e56a22132b09001 from master.
2018-12-07[2.1.x] Fixed #29182 -- Fixed schema table alteration on SQLite 3.26+.Simon Charette
SQLite 3.26 repoints foreign key constraints on table renames even when foreign_keys pragma is off which breaks every operation that requires a table rebuild to simulate unsupported ALTER TABLE statements. The newly introduced legacy_alter_table pragma disables this behavior and restores the previous schema editor assumptions. Thanks Florian Apolloner, Christoph Trassl, Chris Lamb for the report and troubleshooting assistance. Backport of c8ffdbe514b55ff5c9a2b8cb8bbdf2d3978c188f from master.
2018-12-05[2.1.x] Fixed #30013 -- Fixed DatabaseOperations.last_executed_query() with ↵Tim Graham
mysqlclient 1.3.14+. Backport of 284b3221a2c17af5bfe2edbf851ac0a9901f91a0 from master.
2018-12-03[2.1.x] Post-release version bump.Carlton Gibson
2018-12-03[2.1.x] Bumped version for 2.1.4 release.2.1.4Carlton Gibson
2018-12-03[2.1.x] Fixed #29930 -- Allowed editing in admin with view-only inlines.Carlton Gibson
Co-authored-by: Tim Graham <timograham@gmail.com> Backport of 8245c99ee6032c2748ba46583d8cab15b2f9438e from master
2018-11-28[2.1.x] Fixed #29929 -- Fixed admin view-only change form crash when using ↵Basil Dubyk
ModelAdmin.prepopulated_fields. Backport of 7d1123e5ada60963ba3c708a8932e57342278706 from master.
2018-11-25[2.1.x] Fixed typo in patch_logger() docstring.takaaki shimbo
Backport of 6275b50ac26ea6c026aa7b2aae9192f5792e8a94 from master
2018-11-20[2.1.x] Fixed #29849 -- Fixed keep-alive support in runserver.Florian Apolloner
Ticket #25619 changed the default protocol to HTTP/1.1 but did not properly implement keep-alive. As a "fix" keep-alive was disabled in ticket #28440 to prevent clients from hanging (they expect the server to send more data if the connection is not closed and there is no content length set). The combination of those two fixes resulted in yet another problem: HTTP/1.1 by default allows a client to assume that keep-alive is supported unless the server disables it via 'Connection: close' -- see RFC2616 8.1.2.1 for details on persistent connection negotiation. Now if the client receives a response from Django without 'Connection: close' and immediately sends a new request (on the same tcp connection) before our server closes the tcp connection, it will error out at some point because the connection does get closed a few milli seconds later. This patch fixes the mentioned issues by always sending 'Connection: close' if we cannot determine a content length. The code is inefficient in the sense that it does not allow for persistent connections when chunked responses are used, but that should not really cause any problems (Django does not generate those) and it only affects the development server anyways. Refs #25619, #28440. Regression in ac756f16c5bbbe544ad82a8f3ab2eac6cccdb62e. Backport of 934acf1126995f6e6ccba5947ec8f7561633c27f from master.
2018-11-16[2.1.x] Fixed #29959 -- Cached GEOS version in WKBWriter class.Claude Paroz
Regression in f185d929fa1c0caad8c03fccde899b647d7248c6. Backport of e7e55059027ae2f644c852e0ba60dc9307b425e1 from master.
2018-11-15[2.1.x] Fixed #29952 -- Lowercased all passwords in contrib.auth's ↵Mathew Payne
auth/common-passwords.txt.gz. Backport of 26bb2611a567d43bc258aa7806eef766b7adcfe5 from master.
2018-11-09[2.1.x] Fixed signing.dumps() example for Python 3.minusf
Backport of 545dae24fd01a9165d869a13aad04f5b88d626c1 from master
2018-11-01[2.1.x] Post-release version bump.Carlton Gibson
2018-11-01[2.1.x] Bumped version for 2.1.3 release.2.1.3Carlton Gibson
2018-10-31[2.1.x] Fixed #29890 -- Fixed FileSystemStorage crash if concurrent saves ↵Tim Graham
try to create the same directory. Regression in 632c4ffd9cb1da273303bcd8005fff216506c795. Backport of 98ef3829e96ebc73d4d446f92465e671ff520d2b from master.
2018-10-28[2.1.x] Fixed #29896 -- Fixed incorrect Model.save() cache relation clearing ↵Tim Graham
for foreign keys that use to_field. Regression in ee49306176a2d2f1751cb890bd607d42c7c09196. Backport of f77fc56c9671a2e2498e3920d79e247e6de18c16 from master.
2018-10-25[2.1.x] Fixed #29827 -- Fixed reuse of test databases with --keepdb on MySQL.Sergey Fedoseev
Regression in e1253bc26facfa1d0fca161f43925e99c2591ced. Backport of 9a88c6dd6aa84a1b35e585faa0058a0996cc7ed7 from master.
2018-10-24[2.1.x] Fixed F841 flake8 warning.Mariusz Felisiak
Backport of 641742528a8babbede92890bc0bef50a255c1bbb from master.
2018-10-19[2.1.x] Fixed #29774 -- Fixed django-admin shell hang on startup.Adam Allred
sys.stdin.read() blocks waiting for EOF in shell.py which will likely never come if the user provides input on stdin via the keyboard before the shell starts. Added check for a tty to skip reading stdin if it's not present. This still allows piping of code into the shell (which should have no TTY and should have an EOF) but also doesn't cause it to hang if multi-line input is provided. Backport of 4e78e389b16fbceb23d5236ee1650b213e71c968 from master.
2018-10-17[2.1.x] Fixed #29838 -- Fixed crash when combining Q objects with __in ↵aspalding
lookups and lists. Regression in fc6528b25ab1834be1a478b405bf8f7ec5cf860c. Backport of 834c4ec8e4cfc43acf0525e0a4d8c914534f6afd, 217f82d7139fd32f07adbfa92c5fb383d0ade577, and dc5e75d419893bde33b7e439b59bdf271fc1a3f2 from master.