| Age | Commit message (Collapse) | Author |
|
|
|
size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
|
|
ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
|
|
GenericInlineModelAdmin.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
|
|
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
|
|
between managers and related_names.
Clashes were only detected for self-referential relationships, i.e. ForeignKey("self").
Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011.
Thanks JaeHyuckSa for the thorough review!
Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.
|
|
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.
|
|
alogin/alogout().
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.
|
|
These were missed during manual review.
|
|
|
|
|
|
|
|
on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
|
|
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
|
|
imported by namespace.
Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
|
|
handler.
Before, if no exception occurred, "None Type: None" was logged.
Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
|
|
references from HTML truncation docs.
Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
|
|
https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
|
|
BuiltinLookup.as_sql().
For custom lookups subclassing BuiltinLookup and following the advice in the release notes
to return params in a tuple, this change will obviate the need to audit as_sql() in addition to
process_lhs() to be "resilient against either tuples or lists" as described in the release note.
Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
|
|
with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
|
|
|
|
|
|
aliases contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
|
|
aliases with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.
|
|
aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
|
|
lookups via band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
|
|
requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
|
|
mod_wsgi auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
|
|
Backport of d725f6856d7488ba2a397dfe47dd851420188159 from main.
|
|
<fieldset> in the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of b665a67d61a8a4fd2ad85aeb77282bc49541723f from main.
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
Backport of fe189dc43ab3eddbbceefb6834893b73ca60d5ed from main.
|
|
the changelist.
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
Backport of e92d1e3b7858981185e93d717c5727544d66b66e from main.
|
|
|
|
|
|
permissions upon model renaming in migrations."
This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
Backport of 030c63d329c4814da221528e823a4aaaaa40e4f1 from main.
|
|
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491.
The UNNEST strategy is affected by the same problem bulk_update has wrt/
to silent data truncation due to its usage of db_type which always returns
a parametrized subtype.
Backport of d6ae2ed868e43671afc4d433c3d8f4d27f7eb555 from main.
|
|
True.
There was unresolved discussion regarding whether to set
ClearableFileInput.use_fieldset to True or False when use_fieldset was
introduced in Django 4.1, since the clear checkbox appears only
sometimes. Although using <fieldset> is likely desirable, since the
primary motivation in #35892 was just to improve markup in the admin,
and a deprecation path was not provided for general form usage, future
work is deferred to #36828.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Thanks Tim Graham, Antoliny, and David Smith for triage.
|
|
Coerce lazy route values to `str` at match time to support prefix and
endpoint matching when using `gettext_lazy()` route paths.
Regression in f920937c8a63df6bea220e4386f59cdb45b2e355.
Thanks to Andrea Angelini for the report, and to Jake Howard and Jacob
Walls for reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 7bf3ac3ee255bcfe329e3203c7a2555b1275d506 from main.
|
|
Moved nonce generation in ``django.utils.csp.LazyNonce`` to a function
to avoid infinite recursion in ``SimpleLazyObject.__repr__`` for
unevaluated instances.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 165c3599965e63f88649a46fcc2ff681c52f2f66 from main.
|
|
admin.
It isn't safe to set display: flex on <fieldset>, because on Safari this
interferes with display: block on child divs.
Thanks Paulo Coutinho for the report and Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 1eac2659a102d42490f9401b08782633fa51f3e3 from main.
|
|
max_query_params.
Regression in 358fd21c47cdf7bda520ce73c5cfd82bba57827b.
Backport of 84bae9c22a8ae7663c56cce5e0c611ea7c17fce1 from main.
|
|
https://github.com/python/cpython/pull/136809 made `color` default to
True in ArgumentParser.
Backport of d0d85cd165e54582cce98cf685252e771460a9d4 from main.
|
|
BaseDatabaseSchemaEditor.alter_field().
Regression in f9a44cc0fac653f8e0c2ab1cdfb12b2cc5c63fc2.
Now that ManyToManyField is no longer concrete the decision of whether or not
it should be altered, which is also relied on by field renaming, should take
into consideration name changes even if it doesn't have a column associated
with it, as auto-created many-to-many relationship table names are a base of it.
Note that there is room for optimization here where a rename can be entirely
avoided if ManyToManyField.db_table remains stable between .name changes, just
like we do with Field.db_column remaining stable, but since this is a
regression and meant to be backported the current patch focuses on correctness
over further improvements.
Thanks Josik for the report.
Co-authored-by: Simon Charette <charette.s@gmail.com>
Backport of 6cc1231285a20b11058143f8cb0a6b4b3999b23a from main.
|
|
querystring template tag.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 922c4cf972e04b1ce7ecee592231106724dcfd09 from main.
|
|
|
|
|
|
|