summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2025-05-06[5.2.x] Bumped version for 5.2.1 release.5.2.1Natalia
2025-05-06[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-30[5.2.x] Fixed #36357 -- Skipped unique_together in inspectdb output for ↵Baptiste Mispelon
composite primary keys. Thanks to Baptiste Mispelon for the report and quick fix, and to Simon Charette and Jacob Walls for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
2025-04-30[5.2.x] Fixed #36358 -- Corrected introspection of composite primary keys on ↵Simon Charette
SQLite. Previously, any first field of a composite primary key with type `INTEGER` was incorrectly introspected as an `AutoField` due to SQLite treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`. This change ensures that integer fields in composite PKs are not mistaken for auto-incrementing fields. Thanks Jacob Walls and Sarah Boyce for the reviews. Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
2025-04-30[5.2.x] Refs #36052, #32234 -- Removed ↵Simon Charette
create_test_table_with_composite_primary_key flag in favor of using CompositePrimaryKey. Now that Django properly supports creating models with composite primary keys, the tests should use a `CompositePrimaryKey` field instead of a feature flag to inline backend specific SQL for creating a composite PK. Specifcially, the inspectdb's test_composite_primary_key was adjusted to use schema editor instead of per-backend raw SQL. Backport of 4c75858135589f3a00e32eb4d476074536371a32 from main.
2025-04-30[5.2.x] Fixed #36360 -- Fixed QuerySet.update() crash when referring ↵Simon Charette
annotations through values(). The issue was only manifesting itself when also filtering againt a related model as that forces the usage of a subquery because SQLUpdateCompiler doesn't support the UPDATE FROM syntax yet. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Gav O'Connor for the detailed report. Backport of 8ef4e0bd423ac3764004c73c3d1098e7a51a2945 from main.
2025-04-24[5.2.x] Fixed #36309 -- Made email alternatives and attachments pickleable.nessita
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b. Thanks Florent Messa for the report, and Jake Howard and Claude Paroz for the review. Backport of 0596263c3136bc26cffa670e5322bd0aa56c4d34 from main.
2025-04-23[5.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-22[5.2.x] Fixed #36331 -- Reverted "Fixed #36055 -- Prevented overlap of ↵antoliny0919
object-tools buttons and page header in the admin." This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and 02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression in admin sites that relied on the `object-tools` block being inside the `content` block. Thank you to Fabian Braun for the report. Backport of 1bc805e23b73a580b82a1d416ab0fb59a1073047 from main.
2025-04-17[5.2.x] Fixed #36314 -- Fixed MinimumLengthValidator error message translation.Ahmed Nassar
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa. Thank you Gabriel Trouvé for the report and Claude Paroz for the review. Backport of d469db978ea6a705549b9519313d9adc198e4232 from main.
2025-04-11[5.2.x] Fixed #36288 -- Addressed improper handling of duplicates in ↵Simon Charette
values_list(). Now that selected aliases are stored in sql.Query.selected: dict[str, Any] the values_list() method must ensures that duplicate field name references are assigned unique aliases. Refs #28900. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Thanks Claude for the report. Backport of 21f8be76d43aa1ee5ae41c1e0a428cfea1f231c1 from main.
2025-04-07[5.2.x] Fixed #36301 -- Fixed select_for_update(of) crash when using ↵Simon Charette
values()/values_list(). Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for annotations to be SELECT'ed before model field references through values()/values_list() and broke assumptions the select_for_update(of) table infererence logic had about model fields always being first. Refs #28900. Thanks OutOfFocus4 for the report and Sarah for the test. Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main
2025-04-07[5.2.x] Fixed #36298 -- Truncated the overwritten file content in ↵Sarah Boyce
file_move_safe(). Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c. Thanks Baptiste Mispelon for the report. Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
2025-04-05[5.2.x] Fixed #36299 -- Prevented field selection on QuerySet.alias() after ↵Simon Charette
values(). Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com> Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
2025-04-04[5.2.x] Fixed #36289 -- Fixed bulk_create() crash with nullable geometry ↵Simon Charette
fields on PostGIS. Swapped to an allow list instead of a deny list for field types to determine if the UNNEST optimization can be enabled to avoid further surprises with other types that would require further specialization to adapt. Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491. Thanks Joshua Goodwin for the report and Sarah Boyce for the test. Backport of 764af7a3d6c0b543dcf659a2c327f214da768fe4 from main
2025-04-03[5.2.x] Fixed #36290 -- Made TupleIn() lookup discard tuples containing None.Simon Charette
Just like the In() lookup discards of None members TupleIn() should discard tuples containing any None as NULL != NULL in SQL and the framework expects such queries to be elided under some circumstances. Refs #31667, #36116. Thanks Basptise Mispelon for bisecting the regression to 626d77e. Backport of f7f38f3a0b44d8c6d14344dae66b6ce52cd77b55 from main
2025-04-03[5.2.x] Fixed #36292 -- Fixed crash when aggregating over a group mixing ↵Simon Charette
transforms and references. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report. Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main
2025-04-02[5.2.x] Post-release version bump.Sarah Boyce
2025-04-02[5.2.x] Bumped version for 5.2 release.5.2Sarah Boyce
2025-04-02[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
2025-04-01[5.2.x] Fixed #36284, Refs #31170 -- Ensured related lookup popups are ↵nessita
closed properly. In the admin, when selecting related objects via the helpers defined in `RelatedObjectLookups.js`, the `dismissRelatedLookupPopup` function was attempting to access `window.relatedWindows`, which does not exist in real execution, causing related lookup popups to remain open. This change ensures that this code correctly accesses the module-local `relatedWindows` by explicitly assigning it to `window.relatedWindows`. Regression in 91bebf1adb43561b54bac18e76224759dc70acb3. Thanks Matthias Kestenholz for the report, the fix ideas, and testing. Co-authored-by: Matthias Kestenholz <mk@feinheit.ch> Backport of a245604277eb9edeba234dacf199890766462709 from main.
2025-04-01[5.2.x] Fixed #36283 -- Reverted "Fixed #35798, Refs #31641 -- Prevented ↵Mariusz Felisiak
admin navigation sidebar loading flicker." This reverts commit 747b417a220b0412ed806001a383959449aac6da that caused a visual regression when both navigation and filter sidebars are visible. Backport of 12385b4fa7059aab8e4f671853cc09ae8509501f from main.
2025-03-31[5.2.x] Updated translations from Transifex.Sarah Boyce
2025-03-31[5.2.x] Refs #36055 -- Prevented overlap of object-tools buttons and page ↵Mariusz Felisiak
header in the admin on small screens. Visual regression in b1324a680add78de24c763911d0eefa19b9263bc. Backport of 02a5cbfe76382da2a0414df17017185be5bd47f9 from main.
2025-03-30[5.2.x] Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0 Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main
2025-03-28[5.2.x] Refs #34619 -- Fixed labels width in FilteredSelectMultiple in the ↵Mariusz Felisiak
admin. Visual regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a. Backport of a0f50c2a483678d31bd1ad6f08fd3a0b8399e27b from main.
2025-03-26[5.2.x] Refs #34619 -- Corrected selector description in the admin.Mariusz Felisiak
Backport of 0d92428d77fafff373e05dd5a6cdb62bd1dfbda0 from main
2025-03-21[5.2.x] Fixed #36266 -- Renamed HIDE_PRODUCTION_WARNING environment variable ↵Johanan Oppong Amoateng
to DJANGO_RUNSERVER_HIDE_WARNING. Backport of 5adadf6e8c74ab14d432e9d682ca1914789386de from main.
2025-03-19[5.2.x] Updated source translation catalogs.Mariusz Felisiak
2025-03-19[5.2.x] Bumped version for 5.2 release candidate 1.5.2rc1Sarah Boyce
2025-03-17[5.2.x] Fixed #36252 -- Handled duplicate automatic imports in the shell ↵hesham942
command. Backport of e804a07d76fc85468f27f7130ae1442fabcd650d from main.
2025-03-12[5.2.x] Fixed #36234 -- Restored single_object argument to ↵Adam Johnson
LogEntry.objects.log_actions(). Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for your spot on analysis. Regression in c09bceef68e5abb79accedd12dade16aa6577a09, which is partially reverted in this branch. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 27b68bcadf1ab2e9f7fd223aed42db352ccdc62d from main.
2025-03-07[5.2.x] Fixed #36224 -- Fixed shell imports when settings not configured.Sarah Boyce
Thank you Raffaella for the report. Thank you Tim Schilling and Natalia Bidart for the reviews. Backport of de1117ea8eabe0ee0aa048e5a4e249eab7c4245e from main.
2025-03-06[5.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-03-05[5.2.x] Clarified cryptic comment in django/core/cache/backends/redis.py.Tim Graham
Backport of 9a729fb61add16d89a4b42b491aec2d22f1ae69a from main.
2025-03-04[5.2.x] Fixed #36217 -- Restored pre_save/post_save signal emission via ↵antoliny0919
LogEntry.save() for single-object deletion in the admin. Regression in 40b3975e7d3e1464a733c69171ad7d38f8814280. Thanks smiling-watermelon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of c09bceef68e5abb79accedd12dade16aa6577a09 from main.
2025-03-01[5.2.x] Applied Black's 2025 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main
2025-02-19[5.2.x] Bumped version for 5.2 beta 1.5.2b1Sarah Boyce
2025-02-18[5.2.x] Fixed #35167 -- Delegated to super() in JSONField.get_db_prep_save().Jacob Walls
Avoids reports of bulk_update() sending Cast expressions to JSONField.get_prep_value(). Co-authored-by: Simon Charette <charette.s@gmail.com> Backport of 0bf412111be686b6b23e00863f5d449d63557dbf from main.
2025-02-18[5.2.x] Fixed #36197 -- Fixed improper many-to-many count() and exists() for ↵Simon Charette
non-pk to_field. Regression in 66e47ac69a7e71cf32eee312d05668d8f1ba24bb. Thanks mfontana-elem for the report and Sarah for the tests. Backport of c3a23aa02faa1cf1d32e43d66858e793cd9ecac4 from main.
2025-02-18[5.2.x] Fixed #31170 -- Added change event trigger to dismissRelatedLookupPopup.Кайрат Макым
Backport of 51398f8bd568a6324a8cafe20c068d0974913ad5 from main.
2025-02-18[5.2.x] Refs #31170 -- Added JavaScript tests for RelatedObjectLookups.js.Кайрат Макым
Backport of 91bebf1adb43561b54bac18e76224759dc70acb3 from main.
2025-02-18[5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in ↵mimi89999
auth/common-passwords.txt.gz. Backport of 727731d76d9dfd5304d536478d862778f6dd6d9b from main.
2025-02-17[5.2.x] Fixed #36191 -- Truncated the overwritten file content in ↵Gaël Utard
FileSystemStorage. Backport of 0d1dd6bba0c18b7feb6caa5cbd8df80fbac54afd from main.
2025-02-16[5.2.x] Fixed #35967 -- Deferred test suite fixtures serialization after all ↵Simon Charette
dbs setup. While the top-level objects fed to serialization are bound to the test database being created nothing prevents code invoked during serialization from performing queries against other connections entries that haven't been swapped yet. The reported example of that is a database router directing all reads to a test mirror for a set of models involving auto-created many-to-many fields. It might be tempting to address the many-to-many field case but this a symptom of a larger problem where the test framework yields the flow execution to user code that could interact with non-test databases in unexpected ways. Deferring test database fixture serialization until the point where all connections entries have been swapped for their test equivalent ensures that no code triggered during serialization can interact with non-test databases. Thanks Jake Howard for the report and Jacob Walls for the initial investigation. Backport of dc69a63f844b2ef3bc3371edde91644cf0bef0ee from main
2025-02-15[5.2.x] Refs #36181 -- Removed the obsolete SubqueryConstraint machinery.Mariusz Felisiak
Adding proper support for subquery right-hand-sides to TupleIn made it obsolete. Backport of d386405e04dac50656af50d100a14efdf8c58e8f from main Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-02-15[5.2.x] Fixed #36173 -- Stabilized identity of Concat with an explicit ↵Simon Charette
output_field. When Expression.__init__() overrides make use of *args, **kwargs captures their argument values are respectively bound as a tuple and dict instances. These composite values might themselves contain values that require special identity treatments such as Concat(output_field) as it's a Field instance. Refs #30628 which introduced bound Field differentiation but lacked argument captures handling. Thanks erchenstein for the report. Backport of df2c4952df6d93c575fb8a3c853dc9d4c2449f36 from main
2025-02-14[5.2.x] Fixed #36102 -- Moved i18n comments directly above the translatable ↵Julien Palard
string. xgettext only extracts comment blocks if there is no program code between the comment and the string that gets extracted. For details, see: https://www.gnu.org/software/gettext/manual/html_node/xgettext-Invocation.html#Operation-mode Black formatting has been turned off in some places to ensure the comments are not moved, which previously resulted in them being removed from the po files when scripts/manage_translations.py was run. Backport of 6fcd0440aaa7601aa258d1c956eecfaedf72fbf4 from main.
2025-02-13[5.2.x] Corrected SHORT_DATE_FORMAT for Korean (ko).Kim Yeongbin
Backport of 14b46c1b848d846fad55c8634daeabd8787cf0d6 from main
2025-02-13[5.2.x] Fixed #36158 -- Refactored shell command to improve auto-imported ↵Natalia
objects reporting. Backport of 56e23b2319cc29e6f8518f8f21f95a530dddb930 from main.