| Age | Commit message | Author |
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
in BuiltinLookup.as_sql().
Instead of cherry-picking a larger changeset (787cc96ef6197d73c7d4ad96f25500910c399603)
and removing changes unsuitable for a backport, a partial backport was applied directly
to stable/6.0.x to resolve #36934, so the release note needs to be forwardported.
Forwardport of f9b820f8ac50aad025949087e660a551691832e4 from stable/6.0.x.
|
|
Thanks David Smith for report and Tim Graham for review.
|
|
Replaced outdated version of `default_key_func` in settings reference
with pointer to current version in cache topic. Rewrote description to
match parameter order and behavior of default implementation.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
|
Co-authored-by: Clifford Gama <cliffygamy@gmail.com>
|
|
Thanks Simon Charette for the idea.
|
|
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
|
|
default delimiter.
|
|
|
|
It's not clear that CLAs are needed to ensure contributors are
assenting to our license (the "inbound=outbound" agreement),
but we can keep them around for contributors who would like to
(or are required by their employer to) submit one, without
investing additional resources in checking every single contribution.
See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399
and recent board minutes.
|
|
contrib.postgres.aggregates.StringAgg.delimiter.
|
|
Needed by MongoDB.
|
|
order_by().
|
|
in docs/topics/email.txt.
|
|
|
|
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
|
|
|
|
with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
Original inspiration drawn from Sarah Boyce's talk:
"Django needs you! (to do code review)"
|
|
|
|
|
|
The `docs` GitHub action does not install `aspell` so the spelling
checks are always passing in CI. After installing it, the following
errors are reported:
WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept.
WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any.
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the .
WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:.
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later..
WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For.
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7).
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai.
WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags..
WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+)..
WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (.
WARNING: Found 19 misspelled words
build finished with problems, 20 warnings (with warnings treated as errors).
This branch adds some of the words to the allowlist, but for others I
chose to rephrase the text in a more approachable manner.
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
|
|
|
|
|
|
changelist.
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
|
|
|
|
FilteredSelectMultiple.
This patch adds support for <optgroup>s in FilteredSelectMultiple widgets.
When a popup returns a new object, if the source field contains optgroup
choices, the optgroup is now also included in the response data.
Additionally, this adds error handling for invalid source_model parameters
to prevent crashes and display user-friendly error messages instead.
Co-authored-by: Michael McLarnon <mmclar@gmail.com>
|
|
|
|
|
|
https://github.com/psf/black/releases/tag/26.1.0
|
|
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
|
|
Follow-up to 64ac4385c75b12a4065055b3d8d60bd5e0e61f04.
|
|
Field.pre_save() in 6.0 release notes.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Deserializer.
Thanks Shai Berger and Natalia Bidart for reviews.
|
|
on PostgreSQL.
|
|
JSONExact.
|
|
|
|
in packaging tutorial and AppConfig docs.
|