path: root/docs
Age | Commit message | Author
2025-06-06 | Fixed #36419 -- Ensured for_save was propagated when resolving expressions. | Clifford Gama
The for_save flag wasn't properly propagated when resolving expressions, which prevented get_db_prep_save() from being called in some cases. This affected fields like JSONField where None would be saved as JSON null instead of SQL NULL. Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9. Thanks to David Sanders and Simon Charette for reviews. Co-authored-by: Adam Johnson <me@adamj.eu>
2025-06-06 | Refs CVE-2025-48432 -- Prevented log injection in remaining response logging. | Jake Howard
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-06 | Updated translations from Transifex. | Sarah Boyce
Forwardport of 5901cfe591139b4389171ba738be81e8f4d5cfc9 from stable/5.2.x.
2025-06-04 | Added CVE-2025-48432 to security archive. | Natalia
2025-06-04 | Added stub release notes for 5.2.3. | Natalia
2025-06-04 | Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. | Natalia
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
2025-06-04 | Fixed #36432 -- Fixed a prefetch_related crash on related target subclass queryset. | Simon Charette
Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report.
2025-06-03 | Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type parameters. | Jake Howard
HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews.
2025-06-03 | Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in id_list. | Jacob Walls
2025-06-02 | Fixed #36423 -- Prevented filter_horizontal buttons from intercepting form submission. | Blayze
In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
2025-05-28 | Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22. | Natalia
2025-05-26 | Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625. | Jason Judkins
2025-05-23 | Fixed #36405 -- Fixed Aggregate.order_by using OuterRef. | Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23 | Fixed #36404 -- Fixed Aggregate.filter using OuterRef. | Adam Johnson
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23 | Fixed typo in docs/ref/forms/renderers.txt. | Adam Zapletal
2025-05-23 | Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing aprocess_request(). | Sarah Boyce
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review.
2025-05-20 | Fixed #34262 -- Added support for AnyValue for SQLite, MySQL, Oracle, and Postgresql 16+. | ontowhee
Thanks Simon Charette for the guidance and review. Thanks Tim Schilling for the documentation review. Thanks David Wobrock for investigation and solution proposals.
2025-05-19 | Fixed typo in docs/releases/6.0.txt. | Jacob Walls
2025-05-19 | Fixed #36388 -- Made QuerySet.union() return self when called with no arguments. | Colleen Dunlap
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review.
2025-05-16 | Fixed #36392 -- Raised ValueError when subquery referencing composite pk selects too many columns. | Jacob Walls
2025-05-16 | Fixed #33312 -- Raised explicit exception when copying deferred model instances. | Simon Charette
Previously save() would crash with an attempted forced update message, and both save(force_insert=True) and bulk_create() would crash with DoesNotExist errors trying to retrieve rows with an empty primary key (id IS NULL). Implementing deferred field model instance copying might be doable in certain cases (e.g. when all the deferred fields are db generated) but that's not trivial to implement in a backward compatible way. Thanks Adam Sołtysik for the report and test and Clifford for the review.
2025-05-15 | Added missing import in docs/ref/contrib/admin/index.txt. | antoliny0919
2025-05-15 | Fixed incorrect spacing in docs/ref/contrib/postgres/fields.txt. | Jacob Walls
2025-05-15 | Fixed #35829 -- Updated admin icons using Font Awesome Free version 6.7.2. | Pablo Bengoechea
Co-authored-by: Stefan <96178532+stefan6419846@users.noreply.github.com>
2025-05-14 | Fixed #36085 -- Added JSONField support for negative array indexing on SQLite. | savanto
2025-05-13 | Refs #36383 -- Extended DeconstructibleSerializer to support non-identifier keyword arguments. | Adam Johnson
In Python, keyword arguments must normally be valid identifiers (i.e., variable names that follow Python's naming rules). However, Python dicts can have keys that aren't valid identifiers, like "foo-bar" or "123foo". This commit ensures that keyword arguments that are not valid identifiers are properly handled when deconstructing an object.
2025-05-13 | Updated guidance to propose new feature ideas in contributing docs. | Lily Foote
These changes include:
* Clarification of the new feature proposal and evaluation process.
* Reordering "points to consider" into reporting bugs section, since these are mostly trac-specific.
* Narrowing the guide on user interface bugs and features to just bugs.
* Updating documentation for Someday/Maybe triage stage.
Co-authored-by: Tim Schilling <schilling711@gmail.com> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-05-13 | Fixed #36332 -- Corrected HttpRequest.get_full_path() and HttpRequest.get_full_path_info() examples. | Aleksandr Safonov
2025-05-12 | Fixed #36373 -- Fixed select_related() crash on foreign object for a composite pk. | Simon Charette
Thanks Jacob Walls for the report and Sarah for the in-depth review.
2025-05-09 | Refs #35980 -- Added release note about changes in release artifacts filenames. | Natalia
2025-05-09 | Removed "Expected" from release date for 5.2.1, 5.1.9, and 4.2.21. | Natalia
2025-05-07 | Cleaned up CVE-2025-32873 security archive description. | Natalia
2025-05-07 | Added CVE-2025-32873 to security archive. | Natalia
2025-05-07 | Added stub release notes for 5.2.2. | Natalia
2025-05-06 | Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). | Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-05-06 | Simplified artifact building steps in docs/internals/howto-release-django.txt. | Natalia
With the recent merge of artifact build updates from https://github.com/django/django/pull/19436, there is no need to have different build instructions for 4.2.
2025-05-02 | Fixed #17461 -- Doc'd the presumed order of foreign keys on the intermediary model of a self-referential m2m. | Clifford Gama
Thanks Giannis Terzopoulos and Sarah Boyce for the reviews.
2025-04-30 | Made cosmetic edits and added upcoming security release to release notes. | Natalia
2025-04-30 | Fixed #36357 -- Skipped unique_together in inspectdb output for composite primary keys. | Baptiste Mispelon
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon Charette and Jacob Walls for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-04-30 | Fixed #36358 -- Corrected introspection of composite primary keys on SQLite. | Simon Charette
Previously, any first field of a composite primary key with type `INTEGER` was incorrectly introspected as an `AutoField` due to SQLite treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`. This change ensures that integer fields in composite PKs are not mistaken for auto-incrementing fields. Thanks Jacob Walls and Sarah Boyce for the reviews.
2025-04-30 | Fixed #36360 -- Fixed QuerySet.update() crash when referring annotations through values(). | Simon Charette
The issue was only manifesting itself when also filtering against a related model as that forces the usage of a subquery because SQLUpdateCompiler doesn't support the UPDATE FROM syntax yet. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Gav O'Connor for the detailed report.
2025-04-27 | Fixed #35931 -- Documented fields and methods of the FlatPage model. | koresi
Co-authored-by: Clifford Gama <53076065+cliff688@users.noreply.github.com>
2025-04-27 | Fixed #18296 -- Created missing custom target directory for startproject and startapp. | Bruno Alla
2025-04-27 | Fixed #36346 -- Removed outdated section about the threaded option in Oracle driver. | 9r0k
2025-04-27 | Fixed #36335 -- Fixed typo in docs/topics/db/managers.txt. | dbogar89
2025-04-24 | Fixed #36309 -- Made email alternatives and attachments pickleable. | nessita
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b. Thanks Florent Messa for the report, and Jake Howard and Claude Paroz for the review.
2025-04-23 | Refs #36341 -- Added release notes for 5.1.9 and 4.2.21 for fix in wordwrap template filter. | nessita
Revision 1e9db35836d42a3c72f3d1015c2f302eb6fee046 fixed a regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b, which also needs to be backported to the stable branches in extended support (5.1.x and 4.2.x).
2025-04-23 | Fixed #36341 -- Preserved whitespaces in wordwrap template filter. | Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-04-22 | Fixed #36331 -- Reverted "Fixed #36055 -- Prevented overlap of object-tools buttons and page header in the admin." | antoliny0919
This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and 02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression in admin sites that relied on the `object-tools` block being inside the `content` block. Thank you to Fabian Braun for the report.
2025-04-17 | Fixed #36326 -- Added CompositePrimaryKey support in QuerySet.raw(). | SaJH
Signed-off-by: SaJH <wogur981208@gmail.com>