summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2024-08-06[5.0.x] Bumped version for 5.0.8 release.5.0.8Sarah Boyce
2024-08-06[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-06[5.0.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06[5.0.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-08-06[5.0.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-05[5.0.x] Fixed #35657 -- Made FileField handle db_default values.Sarah Boyce
Backport of 8deb6bb1fc427762d56646bf7306cbd11fb5bb68 from main.
2024-08-05[5.0.x] Fixed #35638 -- Updated validate_constraints to consider db_default.David Sanders
Backport of 509763c79952cde02d9f5b584af4278bdbed77b2 from main.
2024-08-05[5.0.x] Refs #35638 -- Avoided wrapping expressions with Value in ↵David Sanders
_get_field_value_map() and renamed to _get_field_expression_map(). Backport of 91a038754bb516d29cb79f0fed4025436b5c5346 from main.
2024-08-05[5.0.x] Fixed #35628 -- Allowed compatible GeneratedFields for ↵John Parton
ModelAdmin.date_hierarchy. Backport of 7f8d839722b72aeb3ec5a4278ae57c18283acacd from main.
2024-07-25[5.0.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-25[5.0.x] Fixed #35625 -- Fixed a crash when adding a field with db_default ↵Simon Charette
and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. Backport of f359990e4909db8722820849d61a6f5724338723 from main.
2024-07-18[5.0.x] Fixed #35606, Refs #34045 -- Fixed rendering of ↵Hisham Mahmood
ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. Backport of 182f262b15882649bbc39d769f9b721cf3660f6f from main.
2024-07-17[5.0.x] Fixed #35594 -- Added unique nulls distinct validation for expressions.Simon Charette
Thanks Mark Gensler for the report. Backport of adc0b6aac3f8a5c96e1ca282bc9f46e28d20281c from main.
2024-07-17[5.0.x] Refs #30581 -- Made unattached UniqueConstraint(fields) validation ↵Simon Charette
testable. The logic allowing UniqueConstraint(fields).validate to preserve backward compatiblity with Model.unique_error_message failed to account for cases where the constraint might not be attached to a model which is a common pattern during testing. This changes allows for arbitrary UniqueConstraint(fields) to be tested in isolation without requiring actual models backing them up. Co-authored-by: Mark G <mark.gensler@protonmail.com> Backport of 13922580cccfb9ab2922ff4943dd39da56dfbd8c from main.
2024-07-09[5.0.x] Post-release version bump.Natalia
2024-07-09[5.0.x] Bumped version for 5.0.7 release.5.0.7Natalia
2024-07-09[5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵Natalia
Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09[5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09[5.0.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-04[5.0.x] Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for ↵Mark Gensler
constraints. Accessing generated field values on unsaved models caused a crash when validating CheckConstraints and UniqueConstraints with expressions. Backport of 1005c2abd1ef0c156f449641e38c33e473989d37 from main.
2024-05-07[5.0.x]Post-release version bump.Natalia
2024-05-07[5.0.x] Bumped version for 5.0.6 release.5.0.6Sarah Boyce
2024-05-06[5.0.x] Post-release version bump.Natalia
2024-05-06[5.0.x] Bumped version for 5.0.5 release.5.0.5Sarah Boyce
2024-05-04[5.0.x] Fixed #35426 -- Updated querysets to be a required argument of ↵sobolevn
GenericPrefetch. Backport of 9a27c76021f934201cccf12215514a3091325ec8 from main.
2024-05-03[5.0.x] Fixed #35422 -- Fixed migrations crash when altering GeneratedField ↵Mariusz Felisiak
referencing rename field. Thanks Sarah Boyce for the report and Simon Charette for the implementation idea. Backport of 91a4b9a8ec2237434f06866f39c7977e889aeae6 from main.
2024-05-02[5.0.x] Fixed #35359 -- Fixed migration operations ordering when adding ↵DevilsAutumn
fields referenced by GeneratedField.expression. Thank you to Simon Charette for the review. Backport of 9aeb38c296c69532c7e64b5e3d706a5eb17b3f12 from main.
2024-05-02[5.0.x] Refs #34007, Refs #35359 -- Added Q.referenced_based_fields property.David Sanders
Thank you to Mariusz Felisiak and Natalia Bidart for the reviews. Backport of 97d48cd3c6f409584b5cc19fbddfca917bae78fd from main
2024-04-22[5.0.x] Fixed #35392, Refs #34331 -- Allowed importing ↵James Ostrander
aprefetch_related_objects from django.db.models. Thanks James Ostrander for the report and fix, and to Tim Graham and Mariusz Felisiak for the reviews. Backport of 36b7024b7fc881b319a2b67876e4f72ba680d6a8 from main
2024-04-19[5.0.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS ↵Sarah Boyce
class unconditionally in Admin." This reverts commit ffcf66071158ed3b5541ed13b4c7381240d1b310.
2024-04-19[5.0.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class ↵Adam Johnson
unconditionally in Admin. Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main.
2024-04-16[5.0.x] Fixed #35373 -- Fixed a crash when indexing a generated field on SQLite.Simon Charette
Generated fields have to be excluded from the INSERT query against the remade table including the index. Thanks Moshe Dicker for the report, David Sanders and Mariusz Felisiak for the review. Backport of d048f0d311cc9cb9578d687968f2d24a0a9efddb from main.
2024-04-15[5.0.x] Fixed ↵Mariusz Felisiak
backends.oracle.tests.TransactionalTests.test_hidden_no_data_found_exception() on oracledb >= 2.1.2. python-oracledb 2.1.2+ no longer hides 'ORA-1403: no data found' exceptions raised in database triggers: https://github.com/oracle/python-oracledb/issues/321 Backport of dd238212082f6547d5b03c5af6ec53368c39568e from main.
2024-04-10[5.0.x] Refs #34900, Refs #35361 -- Fixed SafeMIMEText.set_payload() crash ↵Mariusz Felisiak
on Python 3.13. Payloads with surrogates are passed to the set_payload() since https://github.com/python/cpython/commit/f97f25ef5dfcdfec0d9a359fd970abd139cf3428 Backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8 from main.
2024-04-10[5.0.x] Fixed #35350 -- Fixed save() with pk set on models with GeneratedFields.Sarah Boyce
Thanks Matt Hegarty for the report and Simon Charette and Natalia Bidart for the reviews. Regression in f333e35. Backport of 8b53560eea9f10a1271d3bdf765dc6f969c7d9d5 from main.
2024-04-03[5.0.x] Post-release version bump.Natalia
2024-04-03[5.0.x] Bumped version for 5.0.4 release.5.0.4Natalia
2024-04-02[5.0.x] Fixed #35336 -- Addressed crash when adding a GeneratedField with % ↵Simon Charette
literals. A longer term solution is likely to have a better separation of parametrized DDL altogether to handle checks, constraints, defaults, and generated fields but such a change would require a significant refactor that isn't suitable for a backport. Thanks Adrian Garcia for the report. Backport of 888b9042b3598bab6557c62de82505eec9ea62ed from main
2024-04-01[5.0.x] Fixed #35344, Refs #34838 -- Corrected output_field of resolved ↵Johannes Westphal
columns for GeneratedFields in aliased tables. Thanks Simon Charette for the review. Backport of 5f180216409d75290478c71ddb0ff8a68c91dc16 from main
2024-03-26[5.0.x] Fixed #35329 -- Fixed migrations crash when adding partial unique ↵Mariusz Felisiak
constraints with nulls_distinct. Bug in 595a2abb58e04caa4d55fb2589bb80fb2a8fdfa1. Thanks Lucas Lemke Saunitti for the report. Backport of b98271a6e42107233311d17f5d7bc74fbb47f22c from main
2024-03-14[5.0.x] Fixed #35273 -- Fixed rendering AdminFileWidget's attributes.Johannes Maron
Regression in 8a6c0203c4e92908c2b26ba54feba4ce7e76d081. Backport of e69019555d683fd6a831f87cb09e3deb86e4e7c7 from main
2024-03-08[5.0.x] Fixed #35223 -- Made Model.full_clean() ignore fields with ↵Ben Cail
db_default when validating empty values. Thanks Brian Ibbotson for the report. Regression in 7414704e88d73dafbcfbb85f9bc54cb6111439d3. Backport of 1570ef02f34037d32218d463342592debccf915c from main.
2024-03-04[5.0.x] Post-release version bump.Mariusz Felisiak
2024-03-04[5.0.x] Bumped version for 5.0.3 release.5.0.3Mariusz Felisiak
2024-03-04[5.0.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().Shai Berger
Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-29[5.0.x] Fixed #35198 -- Fixed facet filters crash on querysets with no ↵Shafiya Adzhani
primary key. Thanks Simon Alef for the report. Regression in 868e2fcddae6720d5713924a785339d1665f1bb9. Backport of a738281265bba5d00711ab62d4d37923764a27eb from main
2024-02-21[5.0.x] Fixed #35238 -- Fixed database serialization crash when base ↵AlexCLeduc
managers use prefetch_related(). Regression in 139135627650ed6aaaf4c755b82c3bd43f2b8f51 following deprecation in eedbf930287cb72e9afab1f7208c24b1146b0c4ec. Backport of a084c5d35a6d00abd261338a374a4424764b4aee from main
2024-02-17[5.0.x] Fixed #35187 -- Fixed @sensitive_variables/sensitive_post_parameters ↵Mariusz Felisiak
decorators crash with .pyc-only builds. Thanks Jon Janzen for the implementation idea. Thanks Marcus Hoffmann for the report. Regression in 38e391e95fe5258bc6d2467332dc9cd44ce6ba52. Backport of d1be05b3e9209fd0787841c71a95819d81061187 from main
2024-02-15[5.0.x] Fixed #35173 -- Fixed ModelAdmin.lookup_allowed() for lookups on ↵Hisham Mahmood
foreign keys when not included in ModelAdmin.list_filter. Regression in f80669d2f5a5f1db9e9b73ca893fefba34f955e7. Thanks Sarah Boyce for the review. Backport of 8db593de05c3516c939b7d4b9eb91e8791f4c79a from main