summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2026-02-09Added DatabaseFeatures.supports_inspectdb.Tim Graham
Needed by MongoDB.
2026-02-09Refs #36644 -- Documented no pk ordering in first()/last() after empty ↵Jacob Walls
order_by().
2026-02-09Fixed #36908 -- Removed unnecessary "fail_silently" param from quick example ↵SnippyCodes
in docs/topics/email.txt.
2026-02-06Fixed #36272 -- Removed obsolete libgeoip from GeoDjango installation docs.SnippyCodes
2026-02-03Fixed #36898 -- Documented SessionBase.is_empty().jafarkhan83
2026-02-03Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, ↵Jacob Walls
CVE-2026-1287, and CVE-2026-1312 to security archive.
2026-02-03Added stub release notes for 6.0.3.Jacob Walls
2026-02-03Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases ↵Jacob Walls
with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-02-03Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews.
2026-02-03Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via ↵Jacob Walls
band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review.
2026-02-03Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-02Fixed #36788 -- Fixed horizontal form field alignment under <fieldset> in ↵Jacob Walls
the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-02Added missing quotes around nonce in docs/ref/csp.txt.Jacob Walls
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-30Added documentation on reviewing patches.Tim Schilling
Original inspiration drawn from Sarah Boyce's talk: "Django needs you! (to do code review)"
2026-01-30Fixed typos in docs/ref/models/querysets.txt.Jacob Walls
2026-01-29Made explicit that aspell is a requirement to run spell checks on docs.Natalia
2026-01-29Fixed docs spelling errors accumulated over time.Natalia
The `docs` GitHub action does not install `aspell` so the seplling checks are always passing in CI. After installing it, the following errors are reported: WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept. WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any. WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For. WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices.. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (. WARNING: Found 19 misspelled words build finished with problems, 20 warnings (with warnings treated as errors). This branch adds some of the words to the allowlist, but for others I chose to rephrase the text in a more approachable manner.
2026-01-29Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-28Doc'd the minimum version of bash for releasing Django.Jacob Walls
2026-01-27Added stub release notes and release date for 6.0.2, 5.2.11, and 4.2.28.Jacob Walls
2026-01-26Fixed #36850 -- Prevented admin filter sidebar from wrapping below the ↵Nilesh Kumar Pahari
changelist. Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
2026-01-25Fixed #36812 -- Dropped support for MariaDB < 10.11.Skyiesac
2026-01-22Fixed #13883 -- Rendered named choice groups with <optgroup> in ↵seanhelvey
FilteredSelectMultiple. This patch adds support for <optgroup>s in FilteredSelectMultiple widgets. When a popup returns a new object, if the source field contains optgroup choices, the optgroup is now also included in the response data. Additionally, this adds error handling for invalid source_model parameters to prevent crashes and display user-friendly error messages instead. Co-authored-by: Michael McLarnon <mmclar@gmail.com>
2026-01-19Refs #25508 -- Updated outdated QuerySet.__repr__() results.Clifford Gama
2026-01-19Fixed unbalanced parentheses in docs.Clifford Gama
2026-01-18Applied Black's 2026 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0
2026-01-15Fixed #36856 -- Mentioned needsnewfeatureprocess resolution in contributor docs.Amar Ahmed Deina
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
2026-01-14Bumped linter versions in requirements files and tox.ini.Jacob Walls
Follow-up to 64ac4385c75b12a4065055b3d8d60bd5e0e61f04.
2026-01-14Fixed #36855, Refs #27222 -- Mentioned multiple invocations of ↵kundan223
Field.pre_save() in 6.0 release notes. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-12Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML ↵Jacob Walls
Deserializer. Thanks Shai Berger and Natalia Bidart for reviews.
2026-01-10Fixed #36827 -- Added support for exclusion constraints using Hash indexes ↵Haki Benita
on PostgreSQL.
2026-01-09Refs #35381 -- Added missing deprecation note for using None as RHS of ↵Clifford Gama
JSONExact.
2026-01-08Fixed a typo in docs/ref/forms/models.txt.Jacob Walls
2026-01-08Fixed #36844 -- Clarified need for reusable apps to set default_auto_field ↵Amar Ahmed Deina
in packaging tutorial and AppConfig docs.
2026-01-08Clarified regression nature of data loss bug in docs/releases/6.0.1.txt and ↵Tim Graham
5.2.10.txt.
2026-01-08Added guidance on AI-assisted code submission to contributing docs.Natalia
2026-01-08Relocated content from docs/topics/external-packages.txt where appropriate.Natalia
Following up a forum post and a conversation with the Steering Council, it was decided to remove the docs/topics/external-packages.txt to avoid confusion with the Ecosystem page. Relevant content was moved to their related sections, except for `django-contrib-comments` which is not actively maintained. Thank you Tim Schilling for the review.
2026-01-08Dropped unnecessary usage of "seealso" in BoundField docs.Natalia
2026-01-06Added stub release notes for 6.0.2.Jacob Walls
2026-01-06Added stub release notes for 5.2.11.Jacob Walls
2026-01-06Added release date for 6.0.1.Jacob Walls
2026-01-06Added release date for 5.2.10.Jacob Walls
2026-01-05Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed permissions upon ↵Jacob Walls
model renaming in migrations." This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
2025-12-31Refs #33647 -- Fixed silent data truncation in bulk_create on Postgres.Simon Charette
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491. The UNNEST strategy is affected by the same problem bulk_update has wrt/ to silent data truncation due to its usage of db_type which always returns a parametrized subtype.
2025-12-31Fixed #36829 -- Reverted value of ClearableFileInput.use_fieldset to True.Johannes Maron
There was unresolved discussion regarding whether to set ClearableFileInput.use_fieldset to True or False when use_fieldset was introduced in Django 4.1, since the clear checkbox appears only sometimes. Although using <fieldset> is likely desirable, since the primary motivation in #35892 was just to improve markup in the admin, and a deprecation path was not provided for general form usage, future work is deferred to #36828. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Thanks Tim Graham, Antoliny, and David Smith for triage.
2025-12-26Fixed #30515 -- Documented resolve_url() in docs/topics/http/shortcuts.txt.Duane Hilton
2025-12-26Fixed #36796 -- Handled lazy routes correctly in RoutePattern.match().kundan223
Coerce lazy route values to `str` at match time to support prefix and endpoint matching when using `gettext_lazy()` route paths. Regression in f920937c8a63df6bea220e4386f59cdb45b2e355. Thanks to Andrea Angelini for the report, and to Jake Howard and Jacob Walls for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>