summaryrefslogtreecommitdiff
path: root/docs/releases
AgeCommit message (Collapse)Author
2024-08-06Added CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 to ↵Sarah Boyce
security archive.
2024-08-06Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks ↵Simon Charette
against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-06Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks to MProgrammer for the report.
2024-08-06Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.Sarah Boyce
Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-05Fixed #35657 -- Made FileField handle db_default values.Sarah Boyce
2024-08-05Fixed #35638 -- Updated validate_constraints to consider db_default.David Sanders
2024-08-05Fixed #35628 -- Allowed compatible GeneratedFields for ↵John Parton
ModelAdmin.date_hierarchy.
2024-08-05Refs #35537 -- Improved documentation and test coverage for email ↵Jake Howard
attachments and alternatives.
2024-08-02Refs #35601, Refs #35599 -- Made cosmetic edits to TelInput/ColorInput docs.Mariusz Felisiak
2024-08-02Fixed #35601 -- Added TelInput widget.lucasesposito
2024-08-02Fixed #35599 -- Added ColorInput widget.arjunomray
2024-08-01Fixed #35646 -- Extended SafeExceptionReporterFilter.hidden_settings to ↵Markus Holtermann
treat `AUTH` as a sensitive match. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-07-31Fixed #35598 -- Added SearchInput widget.Jeremy Thompson
2024-07-31Added stub release notes and release date for 5.0.8 and 4.2.15.Sarah Boyce
2024-07-25Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in ↵Lorenzo Peña
get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
2024-07-25Fixed #35625 -- Fixed a crash when adding a field with db_default and check ↵Simon Charette
constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review.
2024-07-24Updated asgiref dependency for 5.1 release series.Mariusz Felisiak
2024-07-18Fixed #35606, Refs #34045 -- Fixed rendering of ModelAdmin.action_checkbox ↵Hisham Mahmood
for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2.
2024-07-17Fixed #35594 -- Added unique nulls distinct validation for expressions.Simon Charette
Thanks Mark Gensler for the report.
2024-07-15Refs #10941 -- Renamed query_string template tag to querystring.Sarah Boyce
2024-07-09Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 to ↵Natalia
security archive.
2024-07-09Added stub release notes for 5.0.8.Natalia
2024-07-09Made cosmetic edits to 5.0.7 release notes.Natalia
2024-07-09Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save ↵Natalia
method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc ↵Adam Johnson
template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-04Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for constraints.Mark Gensler
Accessing generated field values on unsaved models caused a crash when validating CheckConstraints and UniqueConstraints with expressions.
2024-07-03Added stub release notes and release date for 5.0.7 and 4.2.14.Natalia
2024-07-03Refs #28900 -- Made SELECT respect the order specified by values(*selected).Simon Charette
Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commits introduces a new `Query.selected` propery that keeps tracks of the global select order as specified by on values assignment. This is crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans perform by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-06-27Fixed #22712 -- Avoided name shadowing of "all" in ↵Andreu Vallbona
django.contrib.staticfiles.finders. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-06-21Fixed #35528 -- Added EmailMultiAlternatives.body_contains() helper method.Ronny Vedrilla
2024-06-20Fixed #35537 -- Changed EmailMessage.attachments and ↵Jake Howard
EmailMultiAlternatives.alternatives to use namedtuples. This makes it more descriptive to pull out the named fields.
2024-06-18Fixed #12978 -- Added support for RSS feed stylesheets.Baptiste Mispelon
2024-06-18Fixed #35505 -- Added extrabody block to admin/base.html.stefan.ivic
2024-05-31Updated release date for Django 5.0.7.Natalia
2024-05-29Fixed #35473 -- Fixed CVE number in security archive.samruddhiDharankar
Updated to CVE-2009-3695 from CVE-2009-3965.
2024-05-27Fixed #35479 -- Dropped support for PostgreSQL 13 and PostGIS 3.0.Mariusz Felisiak
2024-05-22Increased the default PBKDF2 iterations for Django 5.2.Natalia
2024-05-22Added stub release notes for 5.2.Natalia
2024-05-22Made cosmetic edits to 5.1 release notes.Natalia
2024-05-22Removed empty sections from 5.1 release notes.Natalia
2024-05-22Fixed #31405 -- Added LoginRequiredMiddleware.Hisham Mahmood
Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Mehmet İnce <mehmet@mehmetince.net> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22Refs #35189 -- Removed no longer necessary JavaScript file collapse.js.Marijke Luttekes
2024-05-22Fixed #35189 -- Improved admin collapsible fieldsets by using <details> ↵Marijke Luttekes
elements. This work improves the accessibility of the add and change pages in the admin site by adding <details> and <summary> elements to the collapsible fieldsets. This has the nice side effect of no longer requiring custom JavaScript helpers to implement the fieldsets' show/hide capabilities. Thanks to James Scholes for the accessibility advice, and to Sarah Boyce and Tom Carrick for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22Fixed #35139 -- Prevented file read after ImageField is saved to storage.John Parton
2024-05-21Fixed #18119 -- Added a DomainNameValidator validator.Berker Peksag
Thanks Claude Paroz for the review. Co-authored-by: Nina Menezes <77671865+nmenezes0@users.noreply.github.com>
2024-05-21Fixed #35405 -- Converted get_cache_name into a cached property in ↵Adam Johnson
FieldCacheMixin. FieldCacheMixin is used by related fields to track their cached values. This work migrates get_cache_name() to be a cached property to optimize performance by reducing unnecessary function calls when working with related fields, given that its value remains constant. Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-21Refs #35326 -- Made cosmetic edits to 5.1 release notes.Mariusz Felisiak