| Age | Commit message (Collapse) | Author |
|
Bcc addresses are sent via the SMTP envelope and must never appear in
the message itself. A "Bcc" key in `extra_headers` was not excluded like
From/To/Cc/Reply-To, so it leaked into the generated message as a
visible header.
Thanks Mike Edmunds for reviews.
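To make the envelope-versus-header distinction concrete, here is an added example (not Django's code) of a message builder that copies caller-supplied extra headers into the MIME message. The `reserved` set is the only thing that differs between the leaking and the fixed behaviour; the function and constant names are illustrative.

```python
"""Added example, not Django's code: keep Bcc out of the generated message.

Bcc recipients belong only in the SMTP envelope (RCPT TO). A builder that copies
caller-supplied `extra_headers` into the MIME message must skip Bcc exactly as
it skips From/To/Cc/Reply-To, or the hidden recipients leak to everyone.
Names below (build_message, RESERVED_*) are illustrative.
"""
from email.message import EmailMessage

# What the vulnerable builder excluded: Bcc is missing.
RESERVED_HEADERS_LEGACY = frozenset({"from", "to", "cc", "reply-to"})
# What the fixed builder excludes.
RESERVED_HEADERS_FIXED = RESERVED_HEADERS_LEGACY | {"bcc"}


def build_message(sender, to, cc=(), bcc=(), extra_headers=None,
                  reserved=RESERVED_HEADERS_FIXED):
    """Return (mime_message, envelope_recipients).

    Bcc addresses go into the envelope recipient list only. Whether a "Bcc"
    key in extra_headers leaks depends on the `reserved` set in use.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    for name, value in (extra_headers or {}).items():
        if name.lower() in reserved:
            continue  # never copy address headers the builder owns
        msg[name] = value
    msg.set_content("body")
    envelope = [*to, *cc, *bcc]
    return msg, envelope


def visible_bcc(msg):
    """Return the Bcc header value if one leaked into the message, else None."""
    return msg["Bcc"]  # header lookup is case-insensitive; None when absent
```

A quick way to check any builder for this class of bug is to serialize the message with `as_string()` and grep for each Bcc address; the envelope list is the only place they should appear.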
|
|
This reverts docs changes from commit f970a98e464320c09dde8d45009eadfb4d038a57.
|
|
|
|
(a)force_login().
Co-authored-by: Mykhailo Havelia <Arfey17.mg@gmail.com>
|
|
|
|
|
|
delete_confirmation_max_display.
|
|
transitional setting to False.
|
|
CVE-2026-48587 to security archive.
|
|
|
|
values.
Thanks to Navid Rezazadeh for the report and Jacob Walls for review.
|
|
responses.
Thanks Shai Berger for the report, and Natalia Bidart and Sarah Boyce for reviews.
|
|
UpdateCacheMiddleware.
Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.
|
|
Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart
for reviews.
|
|
Made signed cookies derive their signer namespace from an injective
encoding of `(name, salt)` while preserving compatibility with legacy
`name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK.
Thanks Peng Zhou for the report, and Shai Berger, Markus Holtermann,
Jake Howard, and Paul McMillan for reviews.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
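The following is an added example, not Django's signing code, showing why `name + salt` is a problem and what "injective encoding" buys. The secret, the length-prefixed format and the `legacy_fallback` flag are constructed for the demonstration; the real setting and wire format may differ.

```python
"""Added example, not Django's code: why a signed-cookie namespace must be an
injective function of (name, salt).

If the signer namespace is the plain concatenation name + salt, then
("ab", "c") and ("a", "bc") share the namespace "abc", so a value signed for one
cookie verifies as the other. Length-prefixing each part removes the ambiguity.
SECRET, the encoding format and the fallback flag are constructed for the demo.
"""
import base64
import hashlib
import hmac

SECRET = b"constructed-secret-do-not-reuse"


def legacy_namespace(name, salt):
    # Not injective: different (name, salt) pairs can produce the same string.
    return name + salt


def injective_namespace(name, salt):
    # Length-prefix both components; no two distinct pairs encode identically.
    return f"{len(name)}:{name}|{len(salt)}:{salt}"


def _mac(value, namespace):
    key = hashlib.sha256(namespace.encode() + SECRET).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def sign(value, name, salt, namespace_fn=injective_namespace):
    mac = base64.urlsafe_b64encode(_mac(value, namespace_fn(name, salt)))
    return f"{value}:{mac.decode().rstrip('=')}"


def verify(signed, name, salt, legacy_fallback=False):
    """Return the value if the signature is valid for (name, salt); else None.

    With legacy_fallback=True a cookie signed under the old name + salt
    namespace is still accepted, which is what a transitional setting buys
    you, at the cost of also accepting the colliding pairs until it is off.
    """
    value = signed.rpartition(":")[0]
    candidates = [injective_namespace]
    if legacy_fallback:
        candidates.append(legacy_namespace)
    for ns in candidates:
        if hmac.compare_digest(sign(value, name, salt, ns), signed):
            return value
    return None
```

The operational takeaway: keep the fallback on only for as long as the longest-lived legacy cookie, because every day it is on, a cookie named `ab` with salt `c` is also valid for a cookie named `a` with salt `bc`.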
|
|
Thanks JaeHyuck Sa, Jacob Walls, and Tim McCurrach for reviews.
Co-authored-by: Ülgen Sarıkavak <ulgensrkvk@gmail.com>
|
|
|
|
|
|
Peer frameworks have long since dropped their analogous checks for this
vulnerability that was fixed in ES5.
|
|
|
|
|
|
|
|
|
|
|
|
This makes the name consistent with the `savepoint_commit` and
`savepoint_rollback` functions. The previous name is maintained as a
deprecated alias.
This also frees up the `savepoint` name, which would allow the context
manager from `django-subatomic` to be included in Django.
Co-authored-by: Lily <code@lilyf.org>
|
|
* Fixed typos related to automated EMAIL_PROVIDERS -> MAILERS renaming.
* Clarified wording in some recently added/updated sections.
* Removed deprecated, extraneous `fail_silently=False` from examples.
* Moved EmailBackend API documentation out of "Email backends" intro
into a dedicated section in email.txt.
* Sorted MAILERS alphabetically in settings.txt.
|
|
Error pages, admin, and registration templates were updated to use
`{% csp_nonce %}` on their explicit `<script>`, `<link>`, and `<style>`
HTML elements.
Co-authored-by: Antoliny0919 <antoliny0919@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|
|
See DEP 0018.
Added:
* MAILERS setting.
* django.core.mail.mailers dict-like EmailBackend factory.
* `using` argument to mail sending APIs.
* `sent_using` attribute to mail.outbox messages in locmem backend.
* MAILERS in startproject settings template, set to console backend.
* AdminLogHandler.using argument.
* BrokenLinkEmailsMiddleware.send_mail() method.
Updated:
* BaseEmailBackend to track the MAILERS alias used to construct it, and
to report errors for unknown kwargs (OPTIONS).
* EmailBackend implementations to initialize from kwargs (OPTIONS) only
when MAILERS is being used.
* smtp.EmailBackend to require `host` option and to default `port`
option based on SSL/TLS options.
* SimpleTestCase setup to substitute the locmem backend for all defined
MAILERS configurations.
* Django's tests that send mail to define MAILERS.
Deprecated:
* EMAIL_BACKEND and other backend-related EMAIL_* settings.
* mail.get_connection().
* The `connection`, `fail_silently`, `auth_user`, and `auth_password`
arguments to mail functions.
* The EmailMessage.connection attribute.
* BaseEmailBackend support for `fail_silently`. Backends that support
fail_silently (SMTP, console, file) now implement it directly.
* AdminEmailHandler.email_backend argument.
Removed undocumented features without deprecation:
* EmailMessage.get_connection() method. (send() now raises an error if a
subclass has attempted to override it.)
* EmailMessage.send() no longer sets self.connection to the connection
used for sending. (It still _uses_ a pre-existing self.connection.)
* AdminEmailHandler.connection() method. (Init now raises an error if a
subclass has attempted to override it.)
Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive
reviews and suggestions on the implementation.
Thanks to Jacob Rief for the initial implementation and multiple
iterations while refining the design.
Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
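As an added illustration of the factory shape described above (this is not Django's implementation), the block below builds backends from a MAILERS-style mapping, rejects unknown OPTIONS instead of ignoring them, and records the alias each instance was built from. Backend classes, the short BACKEND keys, the port defaults and the error type are constructed for the example.

```python
"""Added example, not Django's code: a dict-like mailer factory in the shape
the DEP 0018 change describes. Aliases map to a backend plus OPTIONS, the
backend is built from those kwargs, unknown options fail loudly, and each
instance remembers the alias it was built from.
Backend classes, port defaults and the error type are constructed for the demo.
"""


class ImproperlyConfigured(Exception):
    pass


class BaseEmailBackend:
    def __init__(self, *, alias=None, **unknown):
        if unknown:
            # A typo in OPTIONS must not be swallowed: a misspelled use_tls
            # would otherwise leave the connection in cleartext.
            raise ImproperlyConfigured(
                f"mailer {alias!r}: unknown option(s) {sorted(unknown)}"
            )
        self.alias = alias


class SMTPEmailBackend(BaseEmailBackend):
    def __init__(self, *, host, port=None, use_tls=False, use_ssl=False, **kwargs):
        super().__init__(**kwargs)
        if use_tls and use_ssl:
            raise ImproperlyConfigured("use_tls and use_ssl are mutually exclusive")
        self.host = host
        # Assumed defaults for the demo: implicit TLS 465, STARTTLS 587, else 25.
        self.port = port if port is not None else (465 if use_ssl else 587 if use_tls else 25)


class LocmemEmailBackend(BaseEmailBackend):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.outbox = []

    def send_messages(self, messages):
        for m in messages:
            m["sent_using"] = self.alias  # tag like the locmem backend does
            self.outbox.append(m)
        return len(messages)


BACKENDS = {"smtp": SMTPEmailBackend, "locmem": LocmemEmailBackend}


class Mailers:
    """Dict-like: mailers["alias"] builds a backend from the config."""

    def __init__(self, config):
        self._config = config

    def __getitem__(self, alias):
        try:
            cfg = self._config[alias]
        except KeyError:
            raise ImproperlyConfigured(f"no mailer named {alias!r}") from None
        try:
            cls = BACKENDS[cfg["BACKEND"]]
        except KeyError:
            raise ImproperlyConfigured(f"mailer {alias!r}: unknown BACKEND") from None
        return cls(alias=alias, **cfg.get("OPTIONS", {}))


def build_or_error(mailers, alias):
    """Return (backend, None) on success or (None, message) on config error."""
    try:
        return mailers[alias], None
    except ImproperlyConfigured as exc:
        return None, str(exc)


# Constructed settings in the MAILERS shape; "broken" has a misspelled option.
MAILERS = {
    "default": {"BACKEND": "smtp", "OPTIONS": {"host": "smtp.example.test", "use_tls": True}},
    "alerts": {"BACKEND": "locmem"},
    "broken": {"BACKEND": "smtp", "OPTIONS": {"host": "smtp.example.test", "use_tsl": True}},
}
mailers = Mailers(MAILERS)
```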
|
|
Bug in 019acad112da3d00bb81b3022fd25ccd8457e5d9.
|
|
Thank you to Benjamin Balder Bach and Jacob Walls for reviews.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Now that calling `QuerySet.select_related()` without arguments is deprecated,
this commit deprecates the corresponding admin features.
|
|
This commit deprecates the "fetch all relations" form of
`QuerySet.select_related()` due to its poor performance characteristics, and
updates several tests relying on that feature to ignore the new warning.
|
|
This change makes `list_select_related = False` avoid unnecessary joins by only
selecting the related fields that are actually used in `list_display`.
Consequently, it avoids one code path that calls `QuerySet.select_related()`
with no arguments, which is targeted for deprecation.
|
|
|
|
Thank you James Walls and James Bligh for reviews.
Co-authored-by: Johannes Maron <johannes@maron.family>
|
|
New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce
inclusion into `<script>` and `<link>` elements.
`{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is
present in the template context, and renders nothing otherwise.
`{% csp_nonce_attr media %}` renders a `Media` object's assets with the
nonce attr applied to each tag.
Thanks Jacob Walls for the accurate and spot on review comments.
Co-authored-by: Johannes Maron <johannes@maron.family>
|
|
corresponds to request.META under ASGI.
Because these tests always passed both WSGI environ values and HTTP
headers via `**extra`, this masked a behavior difference between WSGI
and ASGI.
What should happen: everything should be passed via `headers` but for
the default REMOTE_USER case on WSGI, which should be passed via
`**extra`.
Since that was not done, a regression made it into Django 5.2
(50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer
corresponded to the request.META key under ASGI. To cope, an ASGI user
would have started(*) sending HTTP headers that match the `.header`
attribute, which may or may not have been edited to remove the HTTP_
prefix. (Note: the default `REMOTE_USER` case did not work under ASGI,
so the change in Django 5.2 had the effect of fixing the default case
but changing the semantic of the custom case.)
(*): Unless they were getting the sync execution path, which didn't have
this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a.
Thanks Mykhailo Havelia and Sarah Boyce for reviews.
|
|
|
|
|
|
|
|
contains an asterisk.
Thank you Ahmad Sadeddin for the report and Jacob Walls for the review.
|
|
cookie with SESSION_SAVE_EVERY_REQUEST=True.
Thank you Jacob Walls and Natalia Bidart for reviews.
|
|
MemoryFileUploadHandler on ASGI.
In ASGI deployments, Content-Length is not guaranteed to reflect the
actual request body size, so relying on it to gate memory allocation
allowed the limit to be bypassed. The handler now enforces
DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value.
Thanks to Kyle Agronick for the report. Refs #35289.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
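The bypass described above reduces to "decide from the declared size, then buffer the actual size". The added example below (not Django's handler code) contrasts that shape with one that counts received bytes; the class names, the tiny limit and the lying chunk stream are constructed for the demonstration.

```python
"""Added example, not Django's code: gating in-memory upload buffering.

Under ASGI the body arrives as a stream of `receive` chunks, and the declared
Content-Length need not match what is actually delivered. A handler that
decides "this fits in memory" from the header alone and then buffers whatever
arrives can be pushed past DATA_UPLOAD_MAX_MEMORY_SIZE by a client that
declares a small length and keeps sending. Counting received bytes closes it.
Class names, the limit value and the chunk stream are constructed for the demo.
"""

DATA_UPLOAD_MAX_MEMORY_SIZE = 16  # tiny limit so the demo is readable


class RequestDataTooBig(Exception):
    pass


class DeclaredLengthHandler:
    """Vulnerable shape: trusts Content-Length, then buffers without counting."""

    def __init__(self, content_length, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
        self.activated = content_length <= limit
        self.buffer = bytearray()

    def receive_chunk(self, chunk):
        if self.activated:
            self.buffer += chunk  # grows with the real body, not the declared size


class CountingHandler:
    """Fixed shape: enforces the limit on bytes actually received."""

    def __init__(self, content_length, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
        self.limit = limit
        self.received = 0
        self.buffer = bytearray()
        # Reject early when the client is honest about being too big...
        if content_length > limit:
            raise RequestDataTooBig("declared body exceeds limit")

    def receive_chunk(self, chunk):
        # ...and still count, because the declaration may be a lie.
        self.received += len(chunk)
        if self.received > self.limit:
            raise RequestDataTooBig("received body exceeds limit")
        self.buffer += chunk


def run_upload(handler_cls, declared_length, chunks):
    """Feed an ASGI-style chunk stream; return bytes buffered, or the error name."""
    try:
        h = handler_cls(declared_length)
        for c in chunks:
            h.receive_chunk(c)
        return len(h.buffer)
    except RequestDataTooBig as exc:
        return type(exc).__name__


# Constructed lying client: declares 8 bytes, sends 32 in four chunks.
LYING_STREAM = [b"A" * 8] * 4
```

The same rule applies to any size-based decision made before the body is read: keep the early rejection for honest oversized declarations, but treat the header as a hint and the byte count as the control.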
|
|
HttpResponseRedirect.
|
|
algorithm.
Deprecated the default value of the algorithm argument in
django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(),
which will change from 'sha1' to 'sha256' in Django 7.0.
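To show what such a deprecation looks like from the caller's side, here is an added re-implementation (not Django's code) of a salted HMAC whose `algorithm` default warns, together with a migration-time verifier that accepts either digest. The warning text, `verify_any()` and the secret are constructed for the example.

```python
"""Added example, not Django's code: a salted HMAC with an explicit,
deprecatable algorithm default.

The construction follows the documented shape of salted_hmac(): derive a key as
hash(key_salt + secret), then HMAC the value with the same hash. The point of
the commit is the default: callers who never pass `algorithm` silently get
SHA-1 and would silently change to SHA-256 later, so the default warns now.
The warning text, verify_any() and the secret are constructed for the demo.
"""
import hashlib
import hmac
import warnings

SECRET = "constructed-secret-for-the-example"


def salted_hmac(key_salt, value, secret=SECRET, *, algorithm=None):
    if algorithm is None:
        warnings.warn(
            "The default algorithm for salted_hmac() will change from 'sha1' "
            "to 'sha256'; pass algorithm= explicitly.",
            DeprecationWarning,
            stacklevel=2,
        )
        algorithm = "sha1"
    try:
        hasher = getattr(hashlib, algorithm)
    except AttributeError:
        raise ValueError(f"{algorithm!r} is not a hashlib algorithm") from None
    key = hasher((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), digestmod=hasher)


def signature(key_salt, value, algorithm):
    return salted_hmac(key_salt, value, algorithm=algorithm).hexdigest()


def verify_any(key_salt, value, sig, algorithms=("sha256", "sha1")):
    """Migration helper: accept a signature under any listed algorithm.

    Order new-first so that, once old signatures have aged out, the tuple can
    be shrunk to ("sha256",) without re-signing anything twice.
    """
    return any(
        hmac.compare_digest(signature(key_salt, value, alg), sig)
        for alg in algorithms
    )


def default_is_sha1():
    """True if calling without algorithm= still yields SHA-1 and warns."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        digest = salted_hmac("salt", "v").hexdigest()
    warned = any(issubclass(w.category, DeprecationWarning) for w in caught)
    return warned and digest == signature("salt", "v", "sha1")
```

Running a test suite with `-W error::DeprecationWarning` turns every implicit-default call site into a failure, which is the cheapest way to find them before the default flips.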
|
|
|
|
|
|
|
|
|