| Age | Commit message (Collapse) | Author |
|
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF):
https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies
Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.
|
|
RemoteUserMiddleware under ASGI.
We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.
Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
|
|
Thanks Sarah Boyce for the idea and Tim McCurrach for the review.
Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.
|
|
Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.
|
|
verify_release.sh.
This reuses the same download for both artifacts and checks both GPG
signature and minimal correctness in the same script. Docs and script
do_django_release.py were updated.
Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
|
|
Thanks to Tim Schilling for the review.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.
|
|
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
|
|
It's not clear that CLAs are needed to ensure contributors are
assenting to our license (the "inbound=outbound" agreement),
but we can keep them around for contributors who would like to
(or are required by their employer) to submit one, without
investing additional resources in checking every single contribution.
See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399
and recent board minutes.
Backport of 0dac3dd4a1573b3c9cef3aea6a98440decfc5460 from main.
|
|
contributor docs.
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
Backport of 07a16407452f5b62594661ae7ae589eca8cccd4d from main.
|
|
contributing docs.
Backport of bddcefb00f555196d3c488fbad71d303e9f7ede1 from main.
|
|
docs/internals/_images/contribution_process.svg.
The PDF is needed to build the PDF version of the whole docs.
Backport of 2d5a780eb5c83775f428e152517abc05b759cb8a from main.
|
|
query expressions.
Thanks Clifford Gama and Simon Charette for reviews.
Backport of 334308efae8e0c7b1523d5583af32b674a098eba from main.
|
|
reports.
This was included in the original reverted patch:
a89183e63844a937aacd3ddb73c4952ef869d2cc
Follow-up to 26b0e2bb92caf2d16cabe455792350f20d6f42ca.
Backport of e726254a380f2a35a2fcf71143e96cb5987d8102 from main.
|
|
docs/internals/howto-release-django.txt.
Backport of 60b08ad5e1701b1a9b2a03e5897670d5af32d379 from main.
|
|
At the direction of the Security Team. Thanks Markus Holtermann,
Jake Howard, and Natalia Bidart for reviews.
Backport of 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 from main.
|
|
Backport of eaf7b563a5d3861026242fdb503a58f71acf17f6 from main.
|
|
Backport of ca3e0484ef31d13053af6a9d50667813e22fc282 from main.
|
|
Added ignores relating to https://github.com/PyCQA/isort/issues/2352.
Backport of d980d68609448a4c85763fa34e471ff80540888b from main.
|
|
docs/internals/howto-release-django.txt.
The practice since 2.2a1 (2019) has been to upload source distributions
as well.
Backport of cc9df52666b90e2e6fdebd2213493c1c396e804a from main.
|
|
docs/internals/contributing/writing-code/unit-tests.txt.
Backport of 19101158070429c8d314926a67ec22a88220f316 from main.
|
|
Backport of a545eb0c1ad5dcbb4e4cf22ce6cf486224c0ba8a from main.
|
|
docs/internals/howto-release-django.txt.
Backport of d5543a23d32d6438edae060081a054f617193341 from main.
|
|
docs/internals/howto-release-django.txt.
Backport of 5ddb01c76038278187d6b892a8bf38e4cc25ac2e from main.
|
|
Backport of f8d2610d94333a8b0fd283851a6cf4ac2e2e2435 from main
|
|
|
|
deprecations.
|
|
|
|
|
|
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
|
|
|
|
|
|
The `check` docs target now runs spelling, black, and lint, so all
current documentation quality checks can be run with a single command.
Also documented the lint-docs check's availability and usage.
|
|
Lines in the docs files were manually adjusted to conform to the
79 columns limit per line (plus newline), improving readability and
consistency across the content.
|
|
|
|
|
|
docs.
|
|
favor of hmac.compare_digest().
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
Obsolete since 41384812efe209c8295a50d78b45e0ffb2992436.
(six was removed in 9285926295fbfc86b70e7be8d595d4cfbe7895b8.)
|
|
Follow up to ceecd518b19044181a3598c55ebed7c2545963cc.
|
|
Added a new 'check' rule to the docs Makefile which runs both the black
and spelling checks.
|
|
docs/internals/contributing/writing-documentation.txt.
|
|
The section on manual testing, including how to use a local checkout of
Django, is moved from the contribution intro to the submitting patches
docs. This makes it easier for reviewers and authors to follow best
practices.
|
|
- Changed EmailMessage.message() to construct a "modern email API"
email.message.EmailMessage and added policy keyword arg.
- Added support for modern MIMEPart objects in EmailMessage.attach()
(and EmailMessage constructor, EmailMessage.attachments list).
- Updated SMTP EmailBackend to use modern email.policy.SMTP.
Deprecated:
- Attaching MIMEBase objects (replace with MIMEPart)
- BadHeaderError (modern email uses ValueError)
- SafeMIMEText, SafeMIMEMultipart (unnecessary for modern email)
- django.core.mail.forbid_multi_line_headers()
(undocumented, but exposed via `__all__` and in wide use)
- django.core.mail.message.sanitize_address()
(undocumented, but in wide use)
Removed without deprecation (all undocumented):
- EmailMessage.mixed_subtype
- EmailMultiAlternatives.alternative_subtype
- Support for setting (undocumented) EmailMessage.encoding property
to a legacy email.charset.Charset object
Related changes:
- Dropped tests for incorrect RFC 2047 encoding of non-ASCII email
address localparts. This is specifically prohibited by RFC 2047, and
not supported by any known MTA or email client. (Python still
mis-applies encoded-word to non-ASCII localparts, but it is a bug that
may be fixed in the future.)
- Added tests that try to discourage using Python's legacy email APIs
in future updates to django.core.mail.
|
|
Set flake8 max-doc-length to 79 to enforce smaller line length limit
on docstrings and comments (per coding-style docs).
Updated docs to clarify both requirements are enforced by flake8 and
to remove some leftover language from the pre-black era.
|
|
|
|
In public mail APIs, changed less frequently used parameters from
keyword-or-positional to keyword-only, emitting a warning during the
required deprecation period.
|
|
deprecation of positional arguments.
This helper allows marking positional-or-keyword parameters as keyword-only with a deprecation period, in a consistent and correct manner.
|
|
|
|
|