Ensure skip_file_prefixes does not match sibling packages like django*.
Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e
and 34bd3ed944bf38792c631b55e581963d44d52284.
The new ModelAdmin.delete_confirmation_max_display attribute allows
limiting the number of related objects shown on the delete confirmation
page. When the limit is reached, a "…and N more objects." message is shown.
The feature relies on a new truncated_unordered_list template filter
added to django.contrib.admin.templatetags.admin_filters.
Thanks Jacob Tyler Walls for the review and guidance, Tobias McNulty for the report,
and terminator14 for the solution suggested.
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for
an accessible and translatable blank choice label in forms.
Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant.
Added the immediately deprecated transitional setting
USE_BLANK_CHOICE_DASH.
Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>
InclusionAdminNode and parse_bits().
pagination block.
Bug in 3f59711581bd22ebd0f13fb040b15b69c0eee21f.
For use in checking user permissions via has_perm().
Co-authored-by: 사재혁 <jaehyuck.sa.dev@gmail.com>
The decorator was updated to accept **kwargs and forward them to
task_class, allowing additional parameters to be passed to custom
Task subclasses.
CVE-2026-33034 to security archive.
ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
managers and related_names.
Clashes were only detected for self-referential relationships, i.e. ForeignKey("self").
Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011.
Thanks JaeHyuckSa for the thorough review!
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
alogin/alogout().
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
list_display.
It has been superseded with .quote_name(), which ensures aliases are
always quoted.
feature flag.
Now that user-provided aliases are systematically quoted, there is no need to
disallow the usage of the dollar sign on Postgres.
This ensures all database identifiers are quoted independently of their origin,
and most importantly user-provided aliases through annotate() and alias(),
which paves the way for dropping the allow list of characters such aliases can
contain.
This will require adjustments to raw SQL interfaces such as RawSQL that might
make reference to ORM managed annotations, as these will now be quoted.
The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias
for the newly introduced `.quote_name` method but will be duly deprecated in
a follow-up commit.
streaming responses.
A TypeError is now raised if fail_silently=True, auth_user, or auth_password
are provided along with a connection.
Updated AdminEmailHandler in django.utils.log to remove redundant
fail_silently=True.
Thanks Mike Edmunds for the report and Jacob Tyler Walls for the review.
get_placeholder_sql.
The lack of ability of the get_placeholder call chain to return SQL and
parameters separated so they can be mogrified by the backend at execution time
forced implementations to dangerously interpolate potentially user controlled
values.
The get_placeholder_sql name was chosen due to its proximity to the previous
method, but other options such as Field.as_sql were considered but ultimately
rejected due to its different input signature compared to Expression.as_sql
that might have led to confusion.
There is a lot of overlap between what Field.get_db_prep_value and
get_placeholder_sql do, but folding the latter into the former would require
changing its return signature to return an expression, which is a way more
invasive change than what is proposed here.
Given we always call get_db_prep_value, it might still be an avenue worth
exploring in the future to offer a publicly documented interface to allow fields
to take an active part in the compilation chain.
Thanks Jacob for the review.
system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
This simplification mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
imported by namespace.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Thanks Sarah Boyce and Jacob Walls for reviews.
Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
Before, if no exception occurred, "None Type: None" was logged.
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
in BuiltinLookup.as_sql().
Instead of cherry-picking a larger changeset (787cc96ef6197d73c7d4ad96f25500910c399603)
and removing changes unsuitable for a backport, a partial backport was applied directly
to stable/6.0.x to resolve #36934, so the release note needs to be forwardported.
Forwardport of f9b820f8ac50aad025949087e660a551691832e4 from stable/6.0.x.
Thanks David Smith for the report and Tim Graham for the review.
Thanks Simon Charette for the idea.