| Age | Commit message (Collapse) | Author |
|
|
|
deprecated asyncio.iscoroutinefunction().
Follow up to bd3b1dfa2422e02ced3a894adb7544e42540c97d.
Introduced in 2ae3044d9d4dfb8371055513e440e0384f211963.
Fixes DeprecationWarning:
'asyncio.iscoroutinefunction' is deprecated and slated for removal
in Python 3.16; use inspect.iscoroutinefunction() instead.
|
|
|
|
ManifestStaticFilesStorage manifest files.
This change reuses the existing sorting of `hashed_files` in
`ManifestStaticFilesStorage.save_manifest` to also store a sorted
`paths` mapping in the manifest file. This ensures stable manifest
output that does not change unnecessarily.
|
|
When native support for tuple lookups is missing in a DB backend, it can
be emulated with an EXISTS clause. This is controlled by the backend
feature flag "supports_tuple_lookups".
The mishandling of subquery right-hand side in `TupleIn` (added to
support `CompositePrimaryKey` in Refs #373) was likely missed because
the only core backend we test with the feature flag disabled
(Oracle < 23.4) supports it natively.
Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls,
and Natalia Bidart for reviews.
|
|
ContentSecurityPolicyMiddleware.
Replaced the custom CSP middleware previously used in the admin's
AdminSeleniumTestCase with the official ContentSecurityPolicyMiddleware.
This change ensures alignment with Django's built-in CSP support.
Also updates the test logic to inspect browser console logs to assert
that no CSP violations are triggered during Selenium admin tests.
|
|
This initial work adds a pair of settings to configure specific CSP
directives for enforcing or reporting policy violations, a new
`django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the
appropriate headers to responses, and a context processor to support CSP
nonces in templates for safely inlining assets.
Relevant documentation has been added for the 6.0 release notes,
security overview, a new how-to page, and a dedicated reference section.
Thanks to the multiple reviewers for their precise and valuable feedback.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|
|
migrations.
|
|
Fixed an inconsistency between EmailMessage.attach() and .attachments
when attaching bytes content with a text/* mimetype. The attach()
function decodes UTF-8 bytes if possible and otherwise changes the
mimetype to application/octet-stream to preserve the content's unknown
encoding (refs #27007). Providing equivalent content directly in
EmailMessage.attachments did not apply the same logic, leading
to an "AttributeError: 'bytes' object has no attribute 'encode'"
in SafeMIMEText.set_payload().
Updated EmailMessage._create_mime_attachment() to match attach()'s
handling for text/* mimetypes with bytes content. Updated test cases
to accurately cover behavior on both paths.
|
|
|
|
GeoHash, IsValid on MariaDB 12.0.1+.
|
|
|
|
Follow up to f5df7ed7e62585c7d0289a88a327dab8d608efcf.
|
|
This was added in 46c7707e50400e237cbd774a31ad801669ca3905 but is
obsolete now that gis_tests are discovered separately. It's
error-prone to ignore mistyped names.
|
|
Unintentional support existed only on SQLite and Oracle.
|
|
optimizing migrations.
|
|
variable names.
Regression in 5183f7c287a9a5d61ca1103b55166cda52d9c647.
Thank you to Jon Banafato and Baptiste Mispelon for the report.
|
|
WSGIHandler.
This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
|
|
installed when using its features.
Added postgres.E005 to validate 'django.contrib.postgres' is in INSTALLED_APPS
when using:
* PostgreSQL-specific fields (ArrayField, HStoreField, range fields, SearchVectorField),
* PostgreSQL indexes (PostgresIndex and all subclasses), and
* ExclusionConstraint
The check provides immediate feedback during system checks rather than failing
later with obscure runtime and database errors.
Thanks to Simon Charette and Sarah Boyce for reviews.
|
|
Thanks to Jacob Walls for the report and previous iterations of this
fix, to Simon Charette for the logging formatter idea, and to Tim Graham
for testing and ensuring that 3rd party backends remain compatible.
This partially reverts d8f093908c504ae0dbc39d3f5231f7d7920dde37.
Refs #36112, #35448.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
|
|
ForeignKey attname.
Regression in e44e8327d3d88d86895735c0e427102063ff5b55.
Thank you to Jacob Walls for the report.
Co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
Refactored GIS-related JavaScript initialization to eliminate inline
scripts from templates. Added support for specifying a base layer using
the new `base_layer_name` attribute on `BaseGeometryWidget`, allowing
custom map tile providers via user-defined JavaScript.
As a result, the `gis/openlayers-osm.html` template was removed.
Thanks Sarah Boyce for reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|
|
The documentation[0] encourages users to write functions without a
default for `app_configs`, and checks are always passed the argument.
[0] https://docs.djangoproject.com/en/5.2/topics/checks/
|
|
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
|
|
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
|
|
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
for consistency.
|
|
Forwardport of 5901cfe591139b4389171ba738be81e8f4d5cfc9 from stable/5.2.x.
|
|
|
|
|
|
ORDER BY clause.
Thanks to deceze for the report. Thanks to Sarah Boyce for the test.
Thanks to Simon Charette for the investigation and review.
|
|
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
|
|
queryset.
Regression in 626d77e52a3f247358514bcf51c761283968099c.
Refs #36116.
Thanks Cornelis Poppema for the excellent report.
|
|
parameters.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
|
|
|
|
order_with_respect_to.
|
|
submission.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
|
|
|
|
co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039.
Thank you to Simon Charette for the review.
co-authored-by: Simon Charette <charette.s@gmail.com>
|
|
aprocess_request().
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099.
Thank you to shamoon for the report and Natalia Bidart for the review.
|
|
django/contrib/admin/static/admin/img/README.md.
|
|
Postgresql 16+.
Thanks Simon Charette for the guidance and review. Thanks Tim Schilling for the
documentation review. Thanks David Wobrock for investigation and solution proposals.
|
|
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172.
Thank you to Antoine Humeau for the report and Simon Charette for the review.
|
|
ManifestStaticFilesStorage.
Signed-off-by: Samuel Cormier-Iijima <samuel@cormier-iijima.com>
|