| Age | Commit message | Author |
|
size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
|
|
ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
|
|
GenericInlineModelAdmin.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
|
|
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
|
|
between managers and related_names.
Clashes were only detected for self-referential relationships, i.e. ForeignKey("self").
Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011.
Thanks JaeHyuckSa for the thorough review!
Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.
|
|
RemoteUserMiddleware.
Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.
|
|
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.
|
|
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF):
https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies
Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.
|
|
RemoteUserMiddleware under ASGI.
We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.
Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
|
|
alogin/alogout().
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.
|
|
Thanks Sarah Boyce for the idea and Tim McCurrach for the review.
Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.
|
|
Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.
|
|
Thanks James Bligh for the review.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of edd899786851f6285abbc3c272f4f5ec0e48a74c from main.
|
|
Backport of 4fd9e85b6031e7ddf878b280f324da6b98f7b0ed from main.
|
|
Backport of a1188fc76ae4d9ff3b82feacd1ddd7b38b3e6009 from main.
|
|
This comparison wasn't fleshed out, so it was distracting.
Backport of f3bdfd2065373272ebb637785cea2313582a8b8c from main.
|
|
Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.
|
|
Backport of 8401071c52d19a2bdd987a2dbe79c440f01dfae9 from main.
|
|
verify_release.sh.
This reuses the same download for both artifacts and checks both GPG
signature and minimal correctness in the same script. Docs and script
do_django_release.py were updated.
Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
|
|
Fixed the EmailMessage.message() method signature in the docs to
reinforce that the `policy` argument is keyword-only. (The text already
describes it correctly as keyword-only.)
Backport of 4b2edb3418851c09dd839f1a2cba74051fe9d420 from main.
|
|
AddField/AlterField docs.
Backport of 23f49c6b408d9b013e959f91c23813a7c0f6ed64 from main.
|
|
Backport of 14889d8cead6af22ef71360f26610711997915d1 from main.
|
|
connection.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of e8ab2bb83fc6d3c0f5d998d1a41ebaebacaa1a28 from main.
|
|
Thanks to Tim Schilling for the review.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.
|
|
docs/topics/tasks.txt.
Backport of a328c355d9625ecdc8f16b249daebba3c0ac2882 from main.
|
|
Backport of 5b939808220fa879942303f4318276668d11b4d9 from main.
|
|
Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.
|
|
Backport of 9b1745400b09293253158059e3a8fe407e5cc553 from main.
|
|
on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
|
|
This simplification mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
|
|
imported by namespace.
Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
|
|
Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.
|
|
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
|
|
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
|
|
Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.
|
|
handler.
Before, if no exception occurred, "None Type: None" was logged.
Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
|
|
references from HTML truncation docs.
Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
|
|
https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
|
|
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
|
|
BuiltinLookup.as_sql().
For custom lookups subclassing BuiltinLookup and following the advice in the release notes
to return params in a tuple, this change will obviate the need to audit as_sql() in addition to
process_lhs() to be "resilient against either tuples or lists" as described in the release note.
Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
|
|
with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
|
|
Backport of 2c2d36376a0ce0edc048c077a60be6e3b953bb09 from main.
|
|
It's not clear that CLAs are needed to ensure contributors are
assenting to our license (the "inbound=outbound" agreement),
but we can keep them around for contributors who would like to
(or are required by their employer) to submit one, without
investing additional resources in checking every single contribution.
See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399
and recent board minutes.
Backport of 0dac3dd4a1573b3c9cef3aea6a98440decfc5460 from main.
|
|
contrib.postgres.aggregates.StringAgg.delimiter.
Backport of 3c09ed81d3e90d7ce60372096c58e80548d1d2ef from main.
|
|
installation docs.
Backport of 6c2436fa8671cd41c6a5841493142308cd9541c8 from main.
|
|
Backport of 13299a6203f4bc3e5b2552c96a51ff2b15da3c43 from main.
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.
|
|
Backport of e7e43f1f91b5e4822ace888d85645eada8535daa from main.
|