summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2026-03-03[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions ↵Natalia
on file system object creation. This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
2026-03-03[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.Natalia
This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
2026-03-02[6.0.x] Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is ↵Jacob Walls
imported by namespace. Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
2026-03-02[6.0.x] Ensured spelling checks pass OK.Natalia
Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.
2026-03-02[6.0.x] Aligned docs checks between GitHub Actions and local development.Natalia
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
2026-02-26[6.0.x] Adjusted default DoS severity level in Security Policy.Natalia
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
2026-02-25[6.0.x] Fixed #36848 -- Mentioned BadRequest exception in docs/ref/views.txt.LincolnPuzey
Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.
2026-02-25[6.0.x] Fixed #36951 -- Removed empty exc_info from log_task_finished signal ↵Elias Hernandis
handler. Before, if no exception occurred, "None Type: None" was logged. Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
2026-02-25[6.0.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit ↵Natalia
references from HTML truncation docs. Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
2026-02-24[6.0.x] Applied Black's 2026 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0 Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
2026-02-24[6.0.x] Added stub release notes and release date for 6.0.3, 5.2.12, and 4.2.29.Natalia
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
2026-02-20[6.0.x] Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.usman
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
2026-02-20[6.0.x] Fixed #36934, Refs #35972 -- Coped with params in a tuple in ↵Jacob Walls
BuiltinLookup.as_sql(). For custom lookups subclassing BuiltinLookup and following the advice in the release notes to return params in a tuple, this change will obviate the need to audit as_sql() in addition to process_lhs() to be "resilient against either tuples or lists" as described in the release note. Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
2026-02-10[6.0.x] Fixed #36903 -- Fixed further NameErrors when inspecting functions ↵93578237
with deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
2026-02-10[6.0.x] Added stub release notes for 5.2.12.Jacob Walls
Backport of 2c2d36376a0ce0edc048c077a60be6e3b953bb09 from main.
2026-02-10[6.0.x] Clarified optional nature of Contributor License Agreement.Jacob Walls
It's not clear that CLAs are needed to ensure contributors are assenting to our license (the "inbound=outbound" agreement), but we can keep them around for contributors who would like to (or are required by their employer) to submit one, without investing additional resources in checking every single contribution. See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399 and recent board minutes. Backport of 0dac3dd4a1573b3c9cef3aea6a98440decfc5460 from main.
2026-02-10[6.0.x] Refs #35444 -- Doc'd deprecation in ↵Jacob Walls
contrib.postgres.aggreggates.StringAgg.delimiter. Backport of 3c09ed81d3e90d7ce60372096c58e80548d1d2ef from main.
2026-02-06[6.0.x] Fixed #36272 -- Removed obsolete libgeoip from GeoDjango ↵SnippyCodes
installation docs. Backport of 6c2436fa8671cd41c6a5841493142308cd9541c8 from main.
2026-02-03[6.0.x] Fixed #36898 -- Documented SessionBase.is_empty().jafarkhan83
Backport of 13299a6203f4bc3e5b2552c96a51ff2b15da3c43 from main.
2026-02-03[6.0.x] Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, ↵Jacob Walls
CVE-2026-1287, and CVE-2026-1312 to security archive. Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.
2026-02-03[6.0.x] Added stub release notes for 6.0.3.Jacob Walls
Backport of e7e43f1f91b5e4822ace888d85645eada8535daa from main.
2026-02-03[6.0.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via ↵Jacob Walls
aliases with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.
2026-02-03[6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column ↵Jake Howard
aliases via control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
2026-02-03[6.0.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
2026-02-03[6.0.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField ↵Jacob Walls
lookups via band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review. Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
2026-02-03[6.0.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI ↵Jake Howard
requests. Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews. Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
2026-02-03[6.0.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in ↵Jake Howard
mod_wsgi auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
2026-02-02[6.0.x] Fixed #36788 -- Fixed horizontal form field alignment under ↵Jacob Walls
<fieldset> in the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of b665a67d61a8a4fd2ad85aeb77282bc49541723f from main.
2026-02-02[6.0.x] Added missing quotes around nonce in docs/ref/csp.txt.Jacob Walls
Backport of 986f7f2098a2186b4085183951cbebae15220556 from main.
2026-01-29[6.0.x] Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report. Backport of fe189dc43ab3eddbbceefb6834893b73ca60d5ed from main.
2026-01-27[6.0.x] Added stub release notes and release date for 6.0.2, 5.2.11, and 4.2.28.Jacob Walls
Backport of b30e09a94270fdaa4bf282bf442b758c9a6d0bb0 from main.
2026-01-26[6.0.x] Fixed #36850 -- Prevented admin filter sidebar from wrapping below ↵Nilesh Kumar Pahari
the changelist. Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d. Backport of e92d1e3b7858981185e93d717c5727544d66b66e from main.
2026-01-19[6.0.x] Refs #25508 -- Updated outdated QuerySet.__repr__() results.Clifford Gama
Backport of d6cca8b904de144946453aea93dd627c09abfca9 from main.
2026-01-15[6.0.x] Fixed #36856 -- Mentioned needsnewfeatureprocess resolution in ↵Amar Ahmed Deina
contributor docs. Co-authored-by: James Bligh <blighj@users.noreply.github.com> Backport of 07a16407452f5b62594661ae7ae589eca8cccd4d from main.
2026-01-14[6.0.x] Fixed #36855, Refs #27222 -- Mentioned multiple invocations of ↵kundan223
Field.pre_save() in 6.0 release notes. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 924156072ecf61ef9cf50fa0d4d553a4c0d416c2 from main.
2026-01-08[6.0.x] Fixed #36844 -- Clarified need for reusable apps to set ↵Amar Ahmed Deina
default_auto_field in packaging tutorial and AppConfig docs. Backport of 091ffc4e5eb35776864b853973097588a36f169e from main.
2026-01-08[6.0.x] Clarified regression nature of data loss bug in ↵Tim Graham
docs/releases/6.0.1.txt and 5.2.10.txt. Backport of 2be860d6cfb04c9b3643f7c31ce90df280c8e747 from main.
2026-01-06[6.0.x] Added stub release notes for 6.0.2.Jacob Walls
Backport of b59c215eab1d6ac98072731ea1fd58e0ebfd6909 from main.
2026-01-06[6.0.x] Added stub release notes for 5.2.11.Jacob Walls
Backport of e937be3c1dc02cd06c14875be23d452b426d0d25 from main.
2026-01-06[6.0.x] Added release date for 6.0.1.Jacob Walls
Backport of 496af73bf620ac5478082c06871bb665c620d414 from main.
2026-01-06[6.0.x] Added release date for 5.2.10.Jacob Walls
Backport of f6fd35fc6ddadc93720656b9882e28712f2492fc from main.
2026-01-05[6.0.x] Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed ↵Jacob Walls
permissions upon model renaming in migrations." This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04. Backport of 030c63d329c4814da221528e823a4aaaaa40e4f1 from main.
2025-12-31[6.0.x] Refs #33647 -- Fixed silent data truncation in bulk_create on Postgres.Simon Charette
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491. The UNNEST strategy is affected by the same problem bulk_update has wrt/ to silent data truncation due to its usage of db_type which always returns a parametrized subtype. Backport of d6ae2ed868e43671afc4d433c3d8f4d27f7eb555 from main.
2025-12-31[6.0.x] Fixed #36829 -- Reverted value of ClearableFileInput.use_fieldset to ↵Johannes Maron
True. There was unresolved discussion regarding whether to set ClearableFileInput.use_fieldset to True or False when use_fieldset was introduced in Django 4.1, since the clear checkbox appears only sometimes. Although using <fieldset> is likely desirable, since the primary motivation in #35892 was just to improve markup in the admin, and a deprecation path was not provided for general form usage, future work is deferred to #36828. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Thanks Tim Graham, Antoliny, and David Smith for triage.
2025-12-26[6.0.x] Fixed #30515 -- Documented resolve_url() in ↵Duane Hilton
docs/topics/http/shortcuts.txt. Backport of 626c15dba0662d5b9f61cc7eddf985e514293d6f from main.
2025-12-26[6.0.x] Fixed #36796 -- Handled lazy routes correctly in RoutePattern.match().kundan223
Coerce lazy route values to `str` at match time to support prefix and endpoint matching when using `gettext_lazy()` route paths. Regression in f920937c8a63df6bea220e4386f59cdb45b2e355. Thanks to Andrea Angelini for the report, and to Jake Howard and Jacob Walls for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 7bf3ac3ee255bcfe329e3203c7a2555b1275d506 from main.
2025-12-24[6.0.x] Refs #36810 -- Avoided infinite recursion in LazyNonce.__repr__().Sean Reed
Moved nonce generation in ``django.utils.csp.LazyNonce`` to a function to avoid infinite recursion in ``SimpleLazyObject.__repr__`` for unevaluated instances. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 165c3599965e63f88649a46fcc2ff681c52f2f66 from main.
2025-12-23[6.0.x] Fixed #36305 -- Added documentation indentation guidelines to ↵ankan0503
contributing docs. Backport of bddcefb00f555196d3c488fbad71d303e9f7ede1 from main.
2025-12-22[6.0.x] Fixed #36807 -- Fixed form field alignment under <fieldset> in the ↵Jacob Walls
admin. It isn't safe to set display: flex on <fieldset>, because on Safari this interferes with display: block on child divs. Thanks Paulo Coutinho for the report and Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 1eac2659a102d42490f9401b08782633fa51f3e3 from main.
2025-12-22[6.0.x] Fixed #36818 -- Ensured SQLite connection before accessing ↵guro-Ishiguro
max_query_params. Regression in 358fd21c47cdf7bda520ce73c5cfd82bba57827b. Backport of 84bae9c22a8ae7663c56cce5e0c611ea7c17fce1 from main.