summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2024-09-03[5.1.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-30[5.1.x] Fixed #35716 -- Fixed VariableDoesNotExist when rendering admin ↵Sarah Boyce
fieldsets. Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d. Thank you to Fábio Domingues and Marijke Luttekes for the report, and thank you to Natalia Bidart for the review. Backport of fd1dd767783b5a7ec1a594fcc5885e7e4178dd26 from main.
2024-08-28[5.1.x] Fixed #35688 -- Restored timezone and role setters to be PostgreSQL ↵Sarah Boyce
DatabaseWrapper methods. Following the addition of PostgreSQL connection pool support in Refs #33497, the methods for configuring the database role and timezone were moved to module-level functions. This change prevented subclasses of DatabaseWrapper from overriding these methods as needed, for example, when creating wrappers for other PostgreSQL-based backends. Thank you Christian Hardenberg for the report and to Florian Apolloner and Natalia Bidart for the review. Regression in fad334e1a9b54ea1acb8cce02a25934c5acfe99f. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 7380ac57340653854bc2cfe0ed80298cdac6061d from main.
2024-08-28[5.1.x] Removed outdated note about lack of subquery support in MySQL.Adam Johnson
Backport of 26a67943ac5c2f196621220b24f4314d84471d07 from main.
2024-08-28[5.1.x] Fixed typos in docs/howto/initial-data.txt.Jacob Walls
Backport of 920efe503f8a1b16a497a792075c987080f3280a from main.
2024-08-28[5.1.x] Fixed #35666 -- Documented stacklevel usage and testing, and ↵Simon Charette
adjusted test suite accordingly. Over the years we've had multiple instances of hit and misses when emitting warnings: either setting the wrong stacklevel or not setting it at all. This work adds assertions for the existing warnings that were declaring the correct stacklevel, but were lacking tests for it. Backport of 57307bbc7d88927989cf5b314f16d6e13ade04e6 from main.
2024-08-28[5.1.x] Refs #35405 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FieldCacheMixin.get_cache_name(). Backport of 39abd56a7fb1e2f735040df0fdfc08f57d91a49b from main.
2024-08-28[5.1.x] Refs #35326 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FileSystemStorage.OS_OPEN_FLAGS. Backport of 47f18a722624527cc72eef44cfc9d1e07ea4b4e0 from main.
2024-08-28[5.1.x] Refs #35060 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
Model.save()/asave(). Backport of 52ed2b645e1dd8c9a874cfd21c4c9f2500032626 from main.
2024-08-28[5.1.x] Fixed typo in docs/ref/models/expressions.txt.Mariusz Felisiak
Backport of fed11ba4617a5fa151bbabb91eb27ec01dd7c942 from main.
2024-08-27[5.1.x] Fixed grammatical error in stub release notes for upcoming security ↵Natalia
release. Backport of b941de340daed4ce88f04a8012b9dba00ccb1359 from main.
2024-08-27[5.1.x] Added stub release notes and release date for 5.1.1, 5.0.9, and 4.2.16.Natalia
Backport of 67efd42517af0faf24872df4295b39e98ce826af from main.
2024-08-22[5.1.x] Sorted alphabetically forms list in docs/topics/auth/default.txt.nessita
Backport of 7adb6dd98d50a238f3eca8c15b16b5aec12575fd from main.
2024-08-19[5.1.x] Fixed #35678 -- Removed "usable_password" field from ↵Natalia
BaseUserCreationForm. Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review. Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main.
2024-08-13[5.1.x] Fixed #35665 -- Fixed a crash when passing an empty order_by to Window.Simon Charette
This also caused un-ordered sliced prefetches to crash as they rely on Window. Regression in e16d0c176e9b89628cdec5e58c418378c4a2436a that made OrderByList piggy-back ExpressionList without porting the empty handling that the latter provided. Supporting explicit empty ordering on Window functions and slicing is arguably a foot-gun design due to how backends will return undeterministic results but this is a problem that requires a larger discussion. Refs #35064. Thanks Andrew Backer for the report and Mariusz for the review. Backport of 602fe961e6834d665f2359087a1272e9f9806b71 from main.
2024-08-13[5.1.x] Fixed typo of --no-startup in django-admin docs.David Smith
Backport of 5ae99226669bc516ecb0ed17066ec11a898fddab from main.
2024-08-08[5.1.x] Doc'd that SessionMiddleware is required for the admin site.Jure Cuhalev
The system check "admin.E410" was already checking for this, but the requirement was not listed in docs/ref/contrib/admin/index.txt. Backport of f8ef4579ea710f93ec7edc93c6f3f216bd55d6be from main.
2024-08-08[5.1.x] Refs #35591 -- Emphasized that runserver is not suitable for production.Andrew Miller
Backport of cec62fb99e8ff63f30c7871a048ab15081142668 from main.
2024-08-08[5.1.x] Refs #31405 -- Improved LoginRequiredMiddleware documentation.Adam Johnson
co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 49815f70e4508ae21135f725da177fc2935de32c from main.
2024-08-07[5.1.x] Added stub release notes for 5.1.1.Natalia
Backport of 790f0f8868b0cde9a9bec1f0621efa53b00c87df from main.
2024-08-07[5.1.x] Finalized release notes for Django 5.1.Natalia
Backport of 8ad6dc636bd29825937e02b5b689fb278f456f63 from main.
2024-08-06[5.1.x] Added CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and ↵Sarah Boyce
CVE-2024-42005 to security archive. Backport of fdc638bf4a35b5497d0b3b4faedaf552da792f99 from main.
2024-08-06[5.1.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-06[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-08-06[5.1.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-05[5.1.x] Fixed #35657 -- Made FileField handle db_default values.Sarah Boyce
Backport of 8deb6bb1fc427762d56646bf7306cbd11fb5bb68 from main.
2024-08-05[5.1.x] Fixed #35638 -- Updated validate_constraints to consider db_default.David Sanders
Backport of 509763c79952cde02d9f5b584af4278bdbed77b2 from main.
2024-08-05[5.1.x] Used :pypi: role in docs where appropriate.Mariusz Felisiak
Backport of 304d25667433a59409e334a93acaaa9201840508 from main.
2024-08-05[5.1.x] Fixed #35628 -- Allowed compatible GeneratedFields for ↵John Parton
ModelAdmin.date_hierarchy. Backport of 7f8d839722b72aeb3ec5a4278ae57c18283acacd from main.
2024-08-05[5.1.x] Refs #35380 -- Updated screenshots in admin docs.Natalia
Backport of 90adba85b29230acfe354bffd82bc0d3a4d63c9d from main.
2024-08-05[5.1.x] Refs #35380 -- Updated screenshots in intro docs.Natalia
Backport of fb6050e7845fe1a5fa131708be65ad89a31a2633 from main.
2024-07-31[5.1.x] Added stub release notes and release date for 5.0.8 and 4.2.15.Sarah Boyce
Backport of 3f880890699d4412cf23b59dba425111f62afb3a from main.
2024-07-25[5.1.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-25[5.1.x] Added contributor guidelines for performance optimizations.Sarah Boyce
Backport of 2c024c9ac096d06d9e78d1ae02b52f73a45eadf8 from main.
2024-07-25[5.1.x] Fixed #35625 -- Fixed a crash when adding a field with db_default ↵Simon Charette
and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. Backport of f359990e4909db8722820849d61a6f5724338723 from main.
2024-07-24[5.1.x] Fixed #35604, Refs #35326 -- Made FileSystemStorage.exists() ↵Sarah Boyce
behaviour independent from allow_overwrite. Partially reverts 0b33a3abc2ca7d68a24f6d0772bc2b9fa603744e. Storage.exists(name) was documented to "return False if the name is available for a new file." but return True if the file exists. This is ambiguous in the overwrite file case. It will now always return whether the file exists. Thank you to Natalia Bidart and Josh Schneier for the review. Backport of 8d6a20b656ff3fa18e36954668a44a831c2f6ddd from main.
2024-07-24[5.1.x] Updated asgiref dependency for 5.1 release series.Mariusz Felisiak
Backport of df35cf578f99522dd1ba864d513be95d47bab7a5 from main.
2024-07-23[5.1.x] Updated example links in urlize docs.Matthew Somerville
goo.gl links are being removed in 2025: https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/ Backport of fb7be022cb44d8faec52f17042fa58e4c9f02daf from main.
2024-07-22[5.1.x] Refs #10941 -- Reorganized querystring template tag docs.nessita
Backport of cf03aa4e94625971852a09e869f7ee7c328b573f from main.
2024-07-18[5.1.x] Fixed #35606, Refs #34045 -- Fixed rendering of ↵Hisham Mahmood
ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. Backport of 182f262b15882649bbc39d769f9b721cf3660f6f from main.
2024-07-17[5.1.x] Fixed #35594 -- Added unique nulls distinct validation for expressions.Simon Charette
Thanks Mark Gensler for the report. Backport of adc0b6aac3f8a5c96e1ca282bc9f46e28d20281c from main.
2024-07-15[5.1.x] Refs #10941 -- Renamed query_string template tag to querystring.Sarah Boyce
Backport of 27043bde5b795eb4a605aeca1d3bc4345d2ca478 from main.
2024-07-15[5.1.x] Fixed #35464 -- Updated docs to note fieldsets have limited impact ↵Maryam Yusuf
on TabularInlines. Backport of b5f4d76bc400b9f2017da0a52ee4ff0d7c09be15 from main.
2024-07-09[5.1.x] Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and ↵Natalia
CVE-2024-39614 to security archive. Backport of e095c7612d49dbe371e9c7edd76ba99b6bc4f9f6 from main.
2024-07-09[5.1.x] Added stub release notes for 5.0.8.Natalia
Backport of 9c356144d7d212017c85ec2cbf8f2dfca4cacdff from main.
2024-07-09[5.1.x] Made cosmetic edits to 5.0.7 release notes.Natalia
Backport of 1062bf730235ecc90f2087f1c2d346615377a006 from main.
2024-07-09[5.1.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[5.1.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵Natalia
Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.