summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2024-12-04[5.1.x] Bumped version for 5.1.4 release.5.1.4Sarah Boyce
2024-12-04[5.1.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵Simon Charette
HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2024-12-04[5.1.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-02[5.1.x] Fixed #35950 -- Restored refreshing of relations when fields deferred.Adam Johnson
Thank you to Simon Charette and Sarah Boyce for the review. Regression in 73df8b54a2fab53bec4c7573cda5ad8c869c2fd8. Backport of 2f6b096b83c55317c7ceef2d8d5dc3bee33293dc from main.
2024-11-26[5.1.x] Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when ↵Tommy Allen
username is unavailable. Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews. Backport of c635decb00ac957daf81c08541cdc9cf46f6d86d from main.
2024-11-05[5.1.x] Post-release version bump.Mariusz Felisiak
2024-11-05[5.1.x] Bumped version for 5.1.3 release.5.1.3Mariusz Felisiak
2024-10-31[5.1.x] Fixed #35876 -- Displayed non-ASCII fieldset names when rendering ↵Sarah Boyce
ModelAdmin.fieldsets. Thank you to Namhong Kim for the report, and to Mariusz Felisiak and Marijke Luttekes for the review. Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d. Backport of 2c029c718f45341cdd43ee094c24488743c633e6 from main.
2024-10-28[5.1.x] Refs #34900 -- Removed usage of deprecated glob.glob1().earthyoung
Backport of 555f2412cba4c5844408042e92f3bf9fa5c2392c from main.
2024-10-17[5.1.x] Fixed #35841 -- Restored support for DB-IP databases in GeoIP2.Nick Pope
Thanks Felix Farquharson for the report and Claude Paroz for the review. Regression in 40b5b1596f7505416bd30d5d7582b5a9004ea7d5. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 3fad712a91a8a8f6f6f904aff3d895e3b06b24c7 from main.
2024-10-17[5.1.x] Fixed #35845 -- Updated DomainNameValidator to require entire string ↵Justin Thurman
to be a valid domain name. Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457. Thank you to kazet for the report and Claude Paroz for the review. Backport of 99dcc59237f384d7ade98acfd1cae8d90e6d60ab from main.
2024-10-08[5.1.x] Post-release version bump.Natalia
2024-10-08[5.1.x] Bumped version for 5.1.2 release.5.1.2Natalia
2024-10-08[5.1.x] Fixed #35809 -- Set background color for selected rows in the ↵nessita
admin's form select widget. Regression in b47bdb4cd9149ee2a39bf1cc9996a36a940bd7d9. Thank you Giannis Terzopoulos for the review, and Tom Carrick and Sarah Boyce for the review. Backport of 679d57816d716cbc7cff3b364ae265d70444ebd9 from main.
2024-10-07[5.1.x] Updated translations from Transifex.nessita
2024-09-26[5.1.x] Fixed #35734 -- Used JSONB_BUILD_OBJECT database function on ↵John Parton
PostgreSQL when using server-side bindings. Regression in 81ccf92f154c6d9eac3e30bac0aa67574d0ace15. Backport of f22ff4561ada77be98ca4db3ce117caca897696e from main.
2024-09-11[5.1.x] Fixed #35732 -- Wrapped ConcatPair expression in parentheses to ↵Gastón Avila
ensure operator precedence. When ConcatPair was updated to use || this lost the implicit wrapping from CONCAT(...). This broke the WHERE clauses when used in combination with PostgreSQL trigram similarity. Regression in 6364b6ee1071381eb3a23ba6b821fc0d6f0fce75. Backport of c3ca6075cc0ad425bcf905fe14062f38eb9fbcbf from main. Co-authored-by: Emiliano Cuenca <106986074+emicuencac@users.noreply.github.com>
2024-09-03[5.1.x] Post-release version bump.Natalia
2024-09-03[5.1.x] Bumped version for 5.1.1 release.5.1.1Natalia
2024-09-03[5.1.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-30[5.1.x] Fixed #35716 -- Fixed VariableDoesNotExist when rendering admin ↵Sarah Boyce
fieldsets. Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d. Thank you to Fábio Domingues and Marijke Luttekes for the report, and thank you to Natalia Bidart for the review. Backport of fd1dd767783b5a7ec1a594fcc5885e7e4178dd26 from main.
2024-08-28[5.1.x] Fixed #35688 -- Restored timezone and role setters to be PostgreSQL ↵Sarah Boyce
DatabaseWrapper methods. Following the addition of PostgreSQL connection pool support in Refs #33497, the methods for configuring the database role and timezone were moved to module-level functions. This change prevented subclasses of DatabaseWrapper from overriding these methods as needed, for example, when creating wrappers for other PostgreSQL-based backends. Thank you Christian Hardenberg for the report and to Florian Apolloner and Natalia Bidart for the review. Regression in fad334e1a9b54ea1acb8cce02a25934c5acfe99f. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 7380ac57340653854bc2cfe0ed80298cdac6061d from main.
2024-08-28[5.1.x] Refs #35405 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FieldCacheMixin.get_cache_name(). Backport of 39abd56a7fb1e2f735040df0fdfc08f57d91a49b from main.
2024-08-28[5.1.x] Refs #35326 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FileSystemStorage.OS_OPEN_FLAGS. Backport of 47f18a722624527cc72eef44cfc9d1e07ea4b4e0 from main.
2024-08-28[5.1.x] Refs #35060 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
Model.save()/asave(). Backport of 52ed2b645e1dd8c9a874cfd21c4c9f2500032626 from main.
2024-08-27[5.1.x] Refs #34609 -- Fixed deprecation warning stack level in format_html().Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com> Backport of 2b71b2c8dcd40f2604310bb3914077320035b399 from main.
2024-08-19[5.1.x] Fixed #35678 -- Removed "usable_password" field from ↵Natalia
BaseUserCreationForm. Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review. Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main.
2024-08-13[5.1.x] Fixed #35665 -- Fixed a crash when passing an empty order_by to Window.Simon Charette
This also caused un-ordered sliced prefetches to crash as they rely on Window. Regression in e16d0c176e9b89628cdec5e58c418378c4a2436a that made OrderByList piggy-back ExpressionList without porting the empty handling that the latter provided. Supporting explicit empty ordering on Window functions and slicing is arguably a foot-gun design due to how backends will return undeterministic results but this is a problem that requires a larger discussion. Refs #35064. Thanks Andrew Backer for the report and Mariusz for the review. Backport of 602fe961e6834d665f2359087a1272e9f9806b71 from main.
2024-08-07[5.1.x] Post-release version bump.Natalia
2024-08-07[5.1.x] Bumped version for 5.1 release.5.1Natalia
2024-08-07[5.1.x] Updated translations from Transifex.Natalia
2024-08-06[5.1.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-06[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-08-06[5.1.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-05[5.1.x] Fixed #35657 -- Made FileField handle db_default values.Sarah Boyce
Backport of 8deb6bb1fc427762d56646bf7306cbd11fb5bb68 from main.
2024-08-05[5.1.x] Fixed #35638 -- Updated validate_constraints to consider db_default.David Sanders
Backport of 509763c79952cde02d9f5b584af4278bdbed77b2 from main.
2024-08-05[5.1.x] Refs #35638 -- Avoided wrapping expressions with Value in ↵David Sanders
_get_field_value_map() and renamed to _get_field_expression_map(). Backport of 91a038754bb516d29cb79f0fed4025436b5c5346 from main.
2024-08-05[5.1.x] Fixed #35628 -- Allowed compatible GeneratedFields for ↵John Parton
ModelAdmin.date_hierarchy. Backport of 7f8d839722b72aeb3ec5a4278ae57c18283acacd from main.
2024-08-05[5.1.x] Fixed #35645, Refs #35558 -- Added "medium" color in the admin CSS ↵Natalia
to improve accessibility of headings. Backport of 6e66c77089fa5498066d2aa593979e4f76f5bedc from main.
2024-08-03[5.1.x] Fixed #35655 -- Reverted "Fixed #35295 -- Used INSERT with multiple ↵Sarah Boyce
rows on Oracle 23c." This reverts commit 175b04942afaff978013db61495f3b39ea12989b due to a crash when Oracle > 23.3. Backport of 5424151f96252e1289e9a6f7eb842cd1dc87850a from main.
2024-08-02[5.1.x] Fixed #35643 -- Fixed a crash when ordering a QuerySet by a ↵Simon Charette
reference containing "__". Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376. Refs #34013. The initial logic did not consider that annotation aliases can include lookup or transform separators. Thanks Gert Van Gool for the report and Mariusz Felisiak for the review. Backport of a16f13a8661297eda12c4177bb01fa2e5b5ccc56 from main.
2024-07-25[5.1.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-25[5.1.x] Fixed #35625 -- Fixed a crash when adding a field with db_default ↵Simon Charette
and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. Backport of f359990e4909db8722820849d61a6f5724338723 from main.
2024-07-24[5.1.x] Bumped version for 5.1 release candidate 1.5.1rc1Natalia
2024-07-24[5.1.x] Fixed #35604, Refs #35326 -- Made FileSystemStorage.exists() ↵Sarah Boyce
behaviour independent from allow_overwrite. Partially reverts 0b33a3abc2ca7d68a24f6d0772bc2b9fa603744e. Storage.exists(name) was documented to "return False if the name is available for a new file." but return True if the file exists. This is ambiguous in the overwrite file case. It will now always return whether the file exists. Thank you to Natalia Bidart and Josh Schneier for the review. Backport of 8d6a20b656ff3fa18e36954668a44a831c2f6ddd from main.
2024-07-18[5.1.x] Fixed #35603 -- Prevented F.__contains__() from hanging.Simon Charette
Regression in 94b6f101f7dc363a8e71593570b17527dbb9f77f. Backport of 6b3f55446fdc62bd277903fd188a1781e4d92d29 from main.
2024-07-18[5.1.x] Fixed #35606, Refs #34045 -- Fixed rendering of ↵Hisham Mahmood
ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. Backport of 182f262b15882649bbc39d769f9b721cf3660f6f from main.
2024-07-17[5.1.x] Fixed #35594 -- Added unique nulls distinct validation for expressions.Simon Charette
Thanks Mark Gensler for the report. Backport of adc0b6aac3f8a5c96e1ca282bc9f46e28d20281c from main.