path: root/docs

Commit log (Age / Author, then Commit message):

2026-04-07  Natalia
[6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.

The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed.

Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews.

Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.

2026-04-07  Natalia
[6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.

When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end.

Thanks to Seokchan Yoon for the report and the fixing patch.

Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.

2026-04-07  Jacob Walls
[6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.

Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.

2026-04-07  Jacob Walls
[6.0.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin.

Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset().

Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews.

Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.

2026-04-07  Jacob Walls
[6.0.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.

Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.

Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.

2026-04-02  Clifford Gama
[6.0.x] Fixed #36973 -- Made fields.E348 check detect further clashes between managers and related_names.

Clashes were only detected for self-referential relationships, i.e. ForeignKey("self").

Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011.

Thanks JaeHyuckSa for the thorough review!

Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.

2026-04-02  Jacob Walls
[6.0.x] Refs #36862 -- Reiterated security note on both variants of RemoteUserMiddleware.

Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.

2026-04-02  David Smith
[6.0.x] Fixed #36949 -- Improved RelatedFieldWidgetWrapper <label>s.

Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.

Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.

2026-04-02  Natalia
[6.0.x] Added section for respecting maintainer time to the security policy.

This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies

Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.

2026-04-02  Jacob Walls
[6.0.x] Fixed #36862 -- Doc'd the need for a proxy when deploying RemoteUserMiddleware under ASGI.

We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic.

Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.

2026-04-02  Jacob Walls
[6.0.x] Fixed #37017 -- Fixed setting or clearing of request.user after alogin/alogout().

Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.

Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.

2026-04-01  VIZZARD-X
[6.0.x] Fixed #36799 -- Added a how-to guide for testing pre-releases.

Thanks Sarah Boyce for the idea and Tim McCurrach for the review.

Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.

2026-03-31  Jacob Walls
[6.0.x] Added stub release notes and release date for 6.0.4, 5.2.13, and 4.2.30.

Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.

2026-03-28  VIZZARD-X
[6.0.x] Fixed #29762 -- Doc'd how database routers fetch related objects.

Thanks James Bligh for the review.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of edd899786851f6285abbc3c272f4f5ec0e48a74c from main.

2026-03-28  Georgios Verigakis
[6.0.x] Refs #36526 -- Fixed bulk_update() batching example in docs.

Backport of 4fd9e85b6031e7ddf878b280f324da6b98f7b0ed from main.

2026-03-27  Sebastian Skonieczny
[6.0.x] Corrected outdated links to gunicorn documentation.

Backport of a1188fc76ae4d9ff3b82feacd1ddd7b38b3e6009 from main.

2026-03-24  Vinay Datta
[6.0.x] Fixed #36999 -- Removed mention of Ruby on Rails from tutorial part 2.

This comparison wasn't fleshed out, so it was distracting.

Backport of f3bdfd2065373272ebb637785cea2313582a8b8c from main.

2026-03-20  Jake Howard
[6.0.x] Made it clear that unreviewed tickets shouldn't be claimed or started.

Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.

2026-03-19  Amar
[6.0.x] Fixed #36904 -- Clarified how to hide form field labels in docs.

Backport of 8401071c52d19a2bdd987a2dbe79c440f01dfae9 from main.

2026-03-16  Natalia
[6.0.x] Combined scripts confirm_release.sh and test_new_version.sh into verify_release.sh.

This reuses the same download for both artifacts and checks both GPG signature and minimal correctness in the same script. Docs and script do_django_release.py were updated.

Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.

2026-03-16  Mike Edmunds
[6.0.x] Corrected signature for EmailMessage.message() in email topics docs.

Fixed the EmailMessage.message() method signature in the docs to reinforce that the `policy` argument is keyword-only. (The text already describes it correctly as keyword-only.)

Backport of 4b2edb3418851c09dd839f1a2cba74051fe9d420 from main.

2026-03-14  Ahmed Nassar
[6.0.x] Fixed #35786 -- Removed outdated note about database defaults in AddField/AlterField docs.

Backport of 23f49c6b408d9b013e959f91c23813a7c0f6ed64 from main.

2026-03-10  Amar
[6.0.x] Fixed #36391 -- Doc'd RawSQL usage in docs/topics/db/sql.txt.

Backport of 14889d8cead6af22ef71360f26610711997915d1 from main.

2026-03-09  Amar
[6.0.x] Fixed #36600 -- Clarified the use cases for dispatch_uid in signal connection.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of e8ab2bb83fc6d3c0f5d998d1a41ebaebacaa1a28 from main.

2026-03-06  Jacob Walls
[6.0.x] Extended checks and docs for proper commit message format and edition.

Thanks to Tim Schilling for the review.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.

2026-03-03  Jake Howard
[6.0.x] Refs #35859 -- Mentioned django-tasks and external resources on docs/topics/tasks.txt.

Backport of a328c355d9625ecdc8f16b249daebba3c0ac2882 from main.

2026-03-03  Lakshya
[6.0.x] Fixed #20775 -- Clarified that SQL for text lookups varies per database.

Backport of 5b939808220fa879942303f4318276668d11b4d9 from main.

2026-03-03  Natalia
[6.0.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive.

Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.

2026-03-03  Natalia
[6.0.x] Added stub release notes for 6.0.4.

Backport of 9b1745400b09293253158059e3a8fe407e5cc553 from main.

2026-03-03  Natalia
[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.

This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython.

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

Refs CVE-2020-24583 and #31921.

Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews.

Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.

2026-03-03  Natalia
[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.

This simplification mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads.

Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review.

Refs #36923.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.

2026-03-02  Jacob Walls
[6.0.x] Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is imported by namespace.

Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.

2026-03-02  Natalia
[6.0.x] Ensured spelling checks pass OK.

Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.

2026-03-02  Natalia
[6.0.x] Aligned docs checks between GitHub Actions and local development.

Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.

2026-02-26  Natalia
[6.0.x] Adjusted default DoS severity level in Security Policy.

Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.

2026-02-25  LincolnPuzey
[6.0.x] Fixed #36848 -- Mentioned BadRequest exception in docs/ref/views.txt.

Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.

2026-02-25  Elias Hernandis
[6.0.x] Fixed #36951 -- Removed empty exc_info from log_task_finished signal handler.

Before, if no exception occurred, "None Type: None" was logged.

Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.

2026-02-25  Natalia
[6.0.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs.

Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.

2026-02-24  Mariusz Felisiak
[6.0.x] Applied Black's 2026 stable style.

https://github.com/psf/black/releases/tag/26.1.0

Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.

2026-02-24  Natalia
[6.0.x] Added stub release notes and release date for 6.0.3, 5.2.12, and 4.2.29.

Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.

2026-02-20  usman
[6.0.x] Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.

Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.

Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.

2026-02-20  Jacob Walls
[6.0.x] Fixed #36934, Refs #35972 -- Coped with params in a tuple in BuiltinLookup.as_sql().

For custom lookups subclassing BuiltinLookup and following the advice in the release notes to return params in a tuple, this change will obviate the need to audit as_sql() in addition to process_lhs() to be "resilient against either tuples or lists" as described in the release note.

Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.

2026-02-10  93578237
[6.0.x] Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations.

Provide a wrapper for safe introspection of user functions on Python 3.14+.

Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.

Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.

2026-02-10  Jacob Walls
[6.0.x] Added stub release notes for 5.2.12.

Backport of 2c2d36376a0ce0edc048c077a60be6e3b953bb09 from main.

2026-02-10  Jacob Walls
[6.0.x] Clarified optional nature of Contributor License Agreement.

It's not clear that CLAs are needed to ensure contributors are assenting to our license (the "inbound=outbound" agreement), but we can keep them around for contributors who would like to (or are required by their employer) to submit one, without investing additional resources in checking every single contribution.

See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399 and recent board minutes.

Backport of 0dac3dd4a1573b3c9cef3aea6a98440decfc5460 from main.

2026-02-10  Jacob Walls
[6.0.x] Refs #35444 -- Doc'd deprecation in contrib.postgres.aggregates.StringAgg.delimiter.

Backport of 3c09ed81d3e90d7ce60372096c58e80548d1d2ef from main.

2026-02-06  SnippyCodes
[6.0.x] Fixed #36272 -- Removed obsolete libgeoip from GeoDjango installation docs.

Backport of 6c2436fa8671cd41c6a5841493142308cd9541c8 from main.

2026-02-03  jafarkhan83
[6.0.x] Fixed #36898 -- Documented SessionBase.is_empty().

Backport of 13299a6203f4bc3e5b2552c96a51ff2b15da3c43 from main.

2026-02-03  Jacob Walls
[6.0.x] Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 to security archive.

Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.

2026-02-03  Jacob Walls
[6.0.x] Added stub release notes for 6.0.3.

Backport of e7e43f1f91b5e4822ace888d85645eada8535daa from main.