| Age | Commit message | Author | |
|---|---|---|---|
| 2024-08-06 | Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. Thanks Eyal (eyalgabay) for the report. | Simon Charette | |
| 2024-08-06 | Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | Mariusz Felisiak | |
| 2024-08-06 | Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks to MProgrammer for the report. | Sarah Boyce | |
| 2024-08-06 | Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com> | Sarah Boyce | |
| 2024-08-05 | Fixed #35657 -- Made FileField handle db_default values. | Sarah Boyce | |
| 2024-08-05 | Fixed #35638 -- Updated validate_constraints to consider db_default. | David Sanders | |
| 2024-08-05 | Used :pypi: role in docs where appropriate. | Mariusz Felisiak | |
| 2024-08-05 | Fixed #35628 -- Allowed compatible GeneratedFields for ModelAdmin.date_hierarchy. | John Parton | |
| 2024-08-05 | Refs #35380 -- Updated screenshots in admin docs. | Natalia | |
| 2024-08-05 | Refs #35380 -- Updated screenshots in intro docs. | Natalia | |
| 2024-08-05 | Refs #35537 -- Improved documentation and test coverage for email attachments and alternatives. | Jake Howard | |
| 2024-08-02 | Refs #35601, Refs #35599 -- Made cosmetic edits to TelInput/ColorInput docs. | Mariusz Felisiak | |
| 2024-08-02 | Fixed #35601 -- Added TelInput widget. | lucasesposito | |
| 2024-08-02 | Fixed #35599 -- Added ColorInput widget. | arjunomray | |
| 2024-08-01 | Fixed #35646 -- Extended SafeExceptionReporterFilter.hidden_settings to treat `AUTH` as a sensitive match. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | Markus Holtermann | |
| 2024-07-31 | Fixed #35598 -- Added SearchInput widget. | Jeremy Thompson | |
| 2024-07-31 | Added stub release notes and release date for 5.0.8 and 4.2.15. | Sarah Boyce | |
| 2024-07-29 | Fixed #35546 -- Emphasised accepted ticket requirement in contributing docs. | Maryam Yusuf | |
| 2024-07-29 | Referenced joining the triage and review team as motivation to do PR reviews. | Maryam Yusuf | |
| 2024-07-25 | Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. | Lorenzo Peña | |
| 2024-07-25 | Added contributor guidelines for performance optimizations. | Sarah Boyce | |
| 2024-07-25 | Fixed #35625 -- Fixed a crash when adding a field with db_default and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. | Simon Charette | |
| 2024-07-24 | Fixed #35604, Refs #35326 -- Made FileSystemStorage.exists() behaviour independent from allow_overwrite. Partially reverts 0b33a3abc2ca7d68a24f6d0772bc2b9fa603744e. Storage.exists(name) was documented to "return False if the name is available for a new file." but return True if the file exists. This is ambiguous in the overwrite file case. It will now always return whether the file exists. Thank you to Natalia Bidart and Josh Schneier for the review. | Sarah Boyce | |
| 2024-07-24 | Fixed #35541 -- Fixed paginator border in admin CSS. | arjunomray | |
| 2024-07-24 | Updated asgiref dependency for 5.1 release series. | Mariusz Felisiak | |
| 2024-07-23 | Updated example links in urlize docs. goo.gl links are being removed in 2025: https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/ | Matthew Somerville | |
| 2024-07-22 | Refs #10941 -- Reorganized querystring template tag docs. | nessita | |
| 2024-07-18 | Fixed #35606, Refs #34045 -- Fixed rendering of ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. | Hisham Mahmood | |
| 2024-07-17 | Fixed #35594 -- Added unique nulls distinct validation for expressions. Thanks Mark Gensler for the report. | Simon Charette | |
| 2024-07-15 | Refs #10941 -- Renamed query_string template tag to querystring. | Sarah Boyce | |
| 2024-07-15 | Fixed #35464 -- Updated docs to note fieldsets have limited impact on TabularInlines. | Maryam Yusuf | |
| 2024-07-12 | Refs #35506 -- Reverted "global URLconf" to "root URLconf" in tutorial 1. | Tim Graham | |
| 2024-07-09 | Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 to security archive. | Natalia | |
| 2024-07-09 | Added stub release notes for 5.0.8. | Natalia | |
| 2024-07-09 | Made cosmetic edits to 5.0.7 release notes. | Natalia | |
| 2024-07-09 | Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report. | Sarah Boyce | |
| 2024-07-09 | Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews. | Natalia | |
| 2024-07-09 | Fixed CVE-2024-39329 -- Standardized timing of verify_password() when checking unusable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. | Michael Manfre | |
| 2024-07-09 | Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | Adam Johnson | |
| 2024-07-08 | Fixed 35506 -- Clarified initial references to URLconf in tutorial 1. | lucas-r-oliveira | |
| 2024-07-04 | Removed outdated note about limitations in Clickjacking protection. There is no need to list old browser versions or point users to workarounds. | Mariusz Felisiak | |
| 2024-07-04 | Replaced usage of "patch" with more precise terms in contributing docs. | Andreu Vallbona | |
| 2024-07-04 | Relocated database setup details to install docs to simplify tutorial 2. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | Kudz | |
| 2024-07-04 | Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for constraints. Accessing generated field values on unsaved models caused a crash when validating CheckConstraints and UniqueConstraints with expressions. | Mark Gensler | |
| 2024-07-04 | Removed unneeded hyphens in "counterintuitive". Follow-up to 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which added counterintuitive to the wordlist. Removes unneeded (antiquated) hyphenated usages. See e.g. https://www.merriam-webster.com/dictionary/counterintuitive | Carlton Gibson | |
| 2024-07-03 | Added stub release notes and release date for 5.0.7 and 4.2.14. | Natalia | |
| 2024-07-03 | Refs #28900 -- Made SELECT respect the order specified by values(*selected). Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commit introduces a new `Query.selected` property that keeps track of the global select order as specified by on values assignment. This is a crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans performed by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review. | Simon Charette | |
| 2024-07-03 | Fixed #35511 -- Documented when the py binary is unavailable on Windows. | alexgmin | |
| 2024-07-01 | Fixed #23790 -- Warned about renaming AppConfig.label in docs/ref/applications.txt. | Andrew Miller | |
| 2024-07-01 | Fixed typo in source file linking Sphinx extension. | Michael | |
