| Age | Commit message (Collapse) | Author |
|
Needed by MongoDB.
|
|
order_by().
|
|
in docs/topics/email.txt.
|
|
|
|
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
|
|
|
|
with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
Original inspiration drawn from Sarah Boyce's talk:
"Django needs you! (to do code review)"
|
|
|
|
|
|
The `docs` GitHub action does not install `aspell` so the seplling
checks are always passing in CI. After installing it, the following
errors are reported:
WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept.
WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any.
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:.
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For.
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (.
WARNING: Found 19 misspelled words
build finished with problems, 20 warnings (with warnings treated as errors).
This branch adds some of the words to the allowlist, but for others I
chose to rephrase the text in a more approachable manner.
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
|
|
|
|
|
|
changelist.
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
|
|
|
|
FilteredSelectMultiple.
This patch adds support for <optgroup>s in FilteredSelectMultiple widgets.
When a popup returns a new object, if the source field contains optgroup
choices, the optgroup is now also included in the response data.
Additionally, this adds error handling for invalid source_model parameters
to prevent crashes and display user-friendly error messages instead.
Co-authored-by: Michael McLarnon <mmclar@gmail.com>
|
|
|
|
|
|
https://github.com/psf/black/releases/tag/26.1.0
|
|
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
|
|
Follow-up to 64ac4385c75b12a4065055b3d8d60bd5e0e61f04.
|
|
Field.pre_save() in 6.0 release notes.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Deserializer.
Thanks Shai Berger and Natalia Bidart for reviews.
|
|
on PostgreSQL.
|
|
JSONExact.
|
|
|
|
in packaging tutorial and AppConfig docs.
|
|
5.2.10.txt.
|
|
|
|
Following up a forum post and a conversation with the Steering Council,
it was decided to remove the docs/topics/external-packages.txt to avoid
confusion with the Ecosystem page. Relevant content was moved to their
related sections, except for `django-contrib-comments` which is not
actively maintained.
Thank you Tim Schilling for the review.
|
|
|
|
|
|
|
|
|
|
|
|
model renaming in migrations."
This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
|
|
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491.
The UNNEST strategy is affected by the same problem bulk_update has wrt/
to silent data truncation due to its usage of db_type which always returns
a parametrized subtype.
|
|
There was unresolved discussion regarding whether to set
ClearableFileInput.use_fieldset to True or False when use_fieldset was
introduced in Django 4.1, since the clear checkbox appears only
sometimes. Although using <fieldset> is likely desirable, since the
primary motivation in #35892 was just to improve markup in the admin,
and a deprecation path was not provided for general form usage, future
work is deferred to #36828.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Thanks Tim Graham, Antoliny, and David Smith for triage.
|
|
|
|
Coerce lazy route values to `str` at match time to support prefix and
endpoint matching when using `gettext_lazy()` route paths.
Regression in f920937c8a63df6bea220e4386f59cdb45b2e355.
Thanks to Andrea Angelini for the report, and to Jake Howard and Jacob
Walls for reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|