summaryrefslogtreecommitdiff
path: root/docs/releases
AgeCommit message (Collapse)Author
2019-08-01Added CVE-2019-14233 to security release archive.Carlton Gibson
2019-08-01Added CVE-2019-14232 to the security release archive.Carlton Gibson
2019-08-01Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in ↵Florian Apolloner
django.utils.encoding.uri_to_iri(). Thanks to Guido Vranken for initial report.
2019-08-01Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index ↵Mariusz Felisiak
lookups against SQL injection. Thanks to Sage M. Abdullah for the report and initial patch. Thanks Florian Apolloner for reviews.
2019-08-01Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in ↵Florian Apolloner
strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report.
2019-08-01Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when ↵Florian Apolloner
truncating HTML. Thanks to Guido Vranken for initial report.
2019-07-31Fixed #30665 -- Added support for distinct argument to Avg() and Sum().Étienne Beaulé
2019-07-31Fixed #30160 -- Added support for LZMA and XZ templates to ↵Nick Pope
startapp/startproject management commands.
2019-07-27Refs #28147 -- Fixed setting of OneToOne and Foreign Key fields to None when ↵Jon Dufresne
using attnames. Regression in 519016e5f25d7c0a040015724f9920581551cab0.
2019-07-25Added stub release notes for security releases.Carlton Gibson
2019-07-25Fixed #30657 -- Allowed customizing Field's descriptors with a ↵Jon Dufresne
descriptor_class attribute. Allows model fields to override the descriptor class used on the model instance attribute.
2019-07-24Fixed #30647 -- Fixed crash of autoreloader when extra directory cannot be ↵Tom Forbes
resolved.
2019-07-23Fixed #30506 -- Fixed crash of autoreloader when path contains null characters.Tom Forbes
2019-07-16Fixed #29824 -- Added support for database exclusion constraints on PostgreSQL.Mads Jensen
Thanks to Nick Pope and Mariusz Felisiak for review. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-07-16Refs #29824 -- Added RangeOperators helper class.Mads Jensen
2019-07-10Updated Select2 to version 4.0.7.Johannes Hoppe
2019-07-10Fixed #30621 -- Fixed crash of __contains lookup for Date/DateTimeRangeField ↵Mariusz Felisiak
when the right hand side is the same type. Thanks Tilman Koschnick for the report and initial patch. Thanks Carlton Gibson the review. Regression in 6b048b364ca1e0e56a0d3815bf2be33ac9998355.
2019-07-10Fixed #30628 -- Adjusted expression identity to differentiate bound fields.Simon Charette
Expressions referring to different bound fields should not be considered equal. Thanks Julien Enselme for the detailed report. Regression in bc7e288ca9554ac1a0a19941302dea19df1acd21.
2019-07-09Added stub release notes for 2.2.4.Mariusz Felisiak
2019-07-08Fixed #30397 -- Added app_label/class interpolation for names of indexes and ↵can
constraints.
2019-07-08Refs #29444 -- Added support for fetching a returned non-integer insert ↵Johannes Hoppe
values on Oracle. This is currently not actively used, since the ORM will ask the SQL compiler to only return auto fields.
2019-07-02Fixed #27801 -- Made createsuperuser fall back to environment variables for ↵Hasan Ramezani
password and required fields.
2019-07-01Added CVE-2019-12781 to the security release archive.Mariusz Felisiak
2019-07-01Added release date for 2.2.3.Mariusz Felisiak
2019-07-01Fixed CVE-2019-12781 -- Made HttpRequest always trust ↵Carlton Gibson
SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review.
2019-07-01Added stub release notes for security releases.Mariusz Felisiak
2019-06-29Updated translations from TransifexClaude Paroz
Forward port of b3f7262e6e5d9e68e37fb21af89ed6656291faa3 from stable/2.2.x
2019-06-26Fixed #30594 -- Added 'private' Cache-Control directive to never_cache() ↵nsasaki128
decorator.
2019-06-26Fixed #30588 -- Fixed crash of autoreloader when __main__ module doesn't ↵Tom Forbes
have __file__ attribute.
2019-06-21Fixed #30421 -- Allowed symmetrical intermediate table for self-referential ↵Nadège Michel
ManyToManyField.
2019-06-21Fixed typos in 1.11.19, 2.0.11, 2.1.6 release notes.Jon Dufresne
2019-06-20Fixed #30451 -- Added ASGI handler and coroutine-safety.Andrew Godwin
This adds an ASGI handler, asgi.py file for the default project layout, a few async utilities and adds async-safety to many parts of Django.
2019-06-14Fixed #12952 -- Adjusted admin log change messages to use form labels ↵Sanyam Khurana
instead of field names.
2019-06-13Fixed #30128 -- Fixed handling timedelta timezone in database functions.can
2019-06-11Fixed #27486 -- Fixed Python 3.7 DeprecationWarning in intword and ↵Jon Dufresne
filesizeformat filters. intword and filesizeformat passed floats to ngettext() which is deprecated in Python 3.7. The rationale for this warning is documented in BPO-28692: https://bugs.python.org/issue28692. For filesizeformat, the filesize value is expected to be an int -- it fills %d string formatting placeholders. It was likely coerced to a float to ensure floating point division on Python 2. Python 3 always does floating point division, so coerce to an int instead of a float to fix the warning. For intword, the number may contain a decimal component. In English, a decimal component makes the noun plural. A helper function, round_away_from_one(), was added to convert the float to an integer that is appropriate for ngettext().
2019-06-07Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields.Hasan Ramezani
Thank you to Nick Pope for review. Co-authored-by: CHI Cheng <cloudream@gmail.com>
2019-06-05Refs #30226 -- Added User.get_user_permissions() method.Tobias Bengfort
Added to mirror the existing User.get_group_permissions().
2019-06-05Fixed #30226 -- Added BaseBackend for authentication.Tobias Bengfort
2019-06-05Fixed #30542 -- Fixed crash of numerical aggregations with filter.Étienne Beaulé
Filters in annotations crashed when used with numerical-type aggregations (i.e. Avg, StdDev, and Variance). This was caused as the source expressions no not necessarily have an output_field (such as the filter field), which lead to an AttributeError: 'WhereNode' object has no attribute output_field. Thanks to Chuan-Zheng Lee for the report. Regression in c690afb873cac8035a3cb3be7c597a5ff0e4b261 and two following commits.
2019-06-05Added stub release notes for 2.2.3.Mariusz Felisiak
2019-06-03Added CVE-2019-12308 to the security release archive.Nick Pope
2019-06-03Added CVE-2019-11358 to the security release archive.Nick Pope
2019-06-03Fixed typos in 1.11.21, 2.1.9, 2.2.2 release notes.Mariusz Felisiak
2019-06-03Applied jQuery patch for CVE-2019-11358.Carlton Gibson
2019-06-03Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before ↵Carlton Gibson
rendering clickable link.
2019-06-03Added stub release notes for security releases.Carlton Gibson
2019-05-31Fixed #28520 -- Added --start-at/--start-after options to runtests.py.Hasan Ramezani
2019-05-29Fixed #30523 -- Fixed updating file modification times on seen files in ↵Tom Forbes
auto-reloader when using StatReloader. Previously we updated the file mtimes if the file has not been seen before - i.e on the first iteration of the loop. If the mtime has been changed we triggered the notify_file_changed() method which in all cases except the translations will result in the process being terminated. To be strictly correct we need to update the mtime for either branch of the conditional. Regression in 6754bffa2b2df15a741008aa611c1bb0e8dff22b.
2019-05-29Fixed #30516 -- Fixed crash of autoreloader when re-raising exceptions with ↵Tom Forbes
custom signature. Regression in c8720e7696ca41f3262d5369365cc1bd72a216ca.
2019-05-28Fixed #30315 -- Fixed crash of ArrayAgg and StringAgg with ordering when ↵Caio Ariede
used in Subquery.