summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2026-02-27Refs #23919 -- Used yield from in Paginator.Pierre Sassoulas
2026-02-27Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-27Fixed #34643 -- Moved inputs beneath labels and errors in admin forms.antoliny0919
Thanks Sarah Boyce and Jacob Walls for reviews. Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
2026-02-26Fixed #36750 -- Made ordering of M2M objects deterministic in serializers.VIZZARD-X
Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-25Fixed #36951 -- Removed empty exc_info from log_task_finished signal handler.Elias Hernandis
Before, if no exception occurred, "None Type: None" was logged.
2026-02-25Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit ↵Natalia
references from HTML truncation docs.
2026-02-25Fixed #36948 -- Fixed breadcrumb text overlap at small widths in admin.Amar
Visual regression in bc03f1064e10fa247a46d4e8a98ba9b26aa4790d.
2026-02-25Fixed #36839 -- Warned when model renames encounter conflicts from stale ↵AbhimanyuGit2507
ContentTypes.
2026-02-25Refs #36873 -- Fixed changelink background image Y position.Antoliny0919
2026-02-25Fixed #36873 -- Aligned and normalized stroke width for non-multiple select ↵Antoliny0919
icons in related-widget-wrapper.
2026-02-24Fixed #36931 -- Handled LookupError in multipart parser for invalid RFC 2231 ↵sammiee5311
encoding. Added LookupError to the except clause so invalid headers are silently skipped, consistent with other malformed header handling.
2026-02-24Delete leaking loop iter vars in `smartif.py`sobolevn
While working on https://github.com/typeddjango/django-stubs/pull/3114/changes#diff-c408a224a641ee1ad26789d61b19c64c44667c1feb8fce0d58aea0338844ca66R276-R278 we have noticed that loop variables leak into the module namespace. It has two negative effects: 1. Users can access `smartif.op` and `smartif.key` public attrs, which is clearly not intenteded 2. We in `django-stubs` have to ignore these two objects from annotations Let's remove them :)
2026-02-21Fixed #36899 -- Implemented SessionBase.__bool__.Amar
2026-02-21Fixed #36935 -- Added fallback in ContentType.app_labeled_name when ↵Marco Aurélio da Rosa Haubrich
model_class() is None. Updated ContentType.app_labeled_name to include the app_label in its string representation. This removed ambiguity for content types whose models were not present in the current codebase (for example, when multiple applications share the same database). Adjusted related tests to reflect the new representation.
2026-02-20Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.usman
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-20Refs #36938 -- Marked a test for union of ordered querysets as an expected ↵Jacob Walls
failure on Oracle. Oracle's SQL parser does not allow ORDER BY in components of a union in some cases, so xfail this test until an exception can be raised.
2026-02-20Fixed #36127 -- Applied default empty display value to links otherwise ↵SiHyunLee
containing only whitespace in admin.
2026-02-13Fixed #36857 -- Added QuerySet.totally_ordered property.VIZZARD-X
Thanks Simon Charette for the idea.
2026-02-13Fixed #36513 -- Improved text contrast for admin M2M multi-select widget.Nilesh Kumar Pahari
Explicitly set the text color for the admin M2M widget to ensure selected rows remain readable in browsers like Microsoft Edge and Firefox when the widget was not focused.
2026-02-12Improved error message in SQLite ↵Adam Johnson
`DatabaseOperations.check_expression_support()`.
2026-02-12Optimized SQLite `DatabaseOperations.check_expression_support()`.Adam Johnson
Avoided reconstructing the same tuples on every call by defining them as module-level constants.
2026-02-11Fixed #36921 -- Fixed KeyError in inline form for model not registered with ↵Sean Helvey
admin. Regression in b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010.
2026-02-10Fixed #36841 -- Made multipart parser class pluggable on HttpRequest.farhan
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-10Fixed #36890 -- Supported StringAgg(distinct=True) on SQLite with the ↵varunkasyap
default delimiter.
2026-02-10Fixed #36854 -- Updated GEOS init and finish bindings.David Smith
2026-02-09Added DatabaseFeatures.supports_inspectdb.Tim Graham
Needed by MongoDB.
2026-02-09Refs #36036 -- Added note about z argument in GEOSCoordSeq.__init__().David Smith
When dropping support for GEOS 3.13 the `GEOSCoordSeq_hasZ()` function will be available on all supported GEOS versions. Instead of the parent geometry providing the z dimension we can reply on GEOSCoordSeq functions directly. This will follow a similar implementation to what was done for the M dimension. While it could be adopted earlier we would need to guess that geometries with 3 dimensions on GEOS < 3.14 are Z geometries.
2026-02-09Refs #36036 -- Added m dimension to GEOSCoordSeq.David Smith
2026-02-06Fixed #36246 -- Caught GDALException in BaseGeometryWidget.deserialize.JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-02-06Fixed #36644 -- Enabled empty order_by() to avoid pk ordering by first()/last().Nilesh Kumar Pahari
2026-02-06Refs #36644 -- Applied default ordering after union().Nilesh Kumar Pahari
2026-02-03Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases ↵Jacob Walls
contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases ↵Jacob Walls
with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-02-03Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews.
2026-02-03Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via ↵Jacob Walls
band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review.
2026-02-03Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-03Fixed #36879 -- Identified Django client in Redis client metadata.ar3ph
2026-02-02Fixed #36893 -- Serialized elidable kwarg for RunSQL and RunPython operations.SnippyCodes
2026-02-02Refs #36788 -- Added missing CSS selector for fieldsets in the admin.Jacob Walls
2026-02-02Fixed #36788 -- Fixed horizontal form field alignment under <fieldset> in ↵Jacob Walls
the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-30Fixed #36468 -- Fixed failure to close popup when adding a related object in ↵Mark Niehues
the admin. The issue manifested when there were multiple relations and only some of them participated in a filter_horizontal. Regression in cd0479ff764272add5e0aba2afcf5649a241ca00.
2026-01-30Fixed #36865 -- Removed casting from exact lookups in admin searches.mlissner
Instead of casting non-text fields to CharField (which prevents index usage), skip exact lookups when the search term fails formfield.to_python(). This preserves index usage for valid searches while gracefully handling invalid search terms by simply not including them in the query for that field. For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']: - 'foo': invalid for age, so only name lookup is used - '123': valid for both, so both lookups are used This entails a slight increase in permissiveness for search terms that can be normalized by formfield.to_python().
2026-01-29Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-28Fixed #36233 -- Avoided quantizing integers stored in DecimalField on SQLite.Samriddha9619
Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-28Fixed #36878 -- Unified data type for *_together options in ModelState.Markus Holtermann
Ever since the beginning of Django's migration framework, there's been a bit of an inconsistency on how index_together and unique_together values have been stored on the ModelState[^1]. It's only really obvious, when looking at the current code for `from_model()`[^2] and the `rename_field()` state alteration code[^3]. The problem in the autodetector's detection of the `*_together` options as raised in the ticket, reinforces the inconsistency[^4]: the old value is being normalized to a set of tuples, whereas the new value is taken as-is. Why this hasn't been caught before, is likely to the fact, that we never really look at a `to_state` that comes from migration operations in the autodetector. Instead, in both usages in Django[^5], [^6] the `to_state` is a `ProjectState.from_apps()`. And that state is consistently using sets of tuples and not lists of lists. [^1]: https://github.com/django/django/commit/67dcea711e92025d0e8676b869b7ef15dbc6db73#diff-5dd147e9e978e645313dd99eab3a7bab1f1cb0a53e256843adb68aeed71e61dcR85-R87 [^2]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L842 [^3]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L340-L345 [^4]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/autodetector.py#L1757-L1771 [^5]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/makemigrations.py#L215-L219 [^6]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/migrate.py#L329-L332
2026-01-26Fixed #36776 -- Clarified dev server runs in WSGI mode.jafarkhan83