| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2024-09-03 | [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵ | Natalia | |
| email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews. | |||
| 2024-07-11 | [4.2.x] Fixed auth_tests and file_storage tests on Python 3.8. | Mariusz Felisiak | |
| 2024-07-09 | [4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵ | Michael Manfre | |
| checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. | |||
| 2023-11-01 | [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. | Mariusz Felisiak | |
| Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | |||
| 2023-03-28 | [4.2.x] Fixed #34438 -- Reallowed extending UserCreationForm. | Gary Jarrel | |
| Regression in 298d02a77a69321af8c0023df3250663e9d1362d. Backport of fcc7dc5781667932bf0bf8bec76df458836e5e95 from main | |||
| 2023-03-08 | [4.2.x] Fixed #34384 -- Fixed session validation when rotation secret keys. | David Wobrock | |
| Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report. Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main | |||
| 2023-02-04 | [4.2.x] Increased the default PBKDF2 iterations for Django 4.2. | Mariusz Felisiak | |
| See https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2. Thanks Markus Holtermann for the report. | |||
| 2023-02-01 | [4.2.x] Refs #33476 -- Applied Black's 2023 stable style. | David Smith | |
| Black 23.1.0 is released which, as the first release of the year, introduces the 2023 stable style. This incorporates most of last year's preview style. https://github.com/psf/black/releases/tag/23.1.0 Backport of 097e3a70c1481ee7b042b2edd91b2be86fb7b5b6 from main | |||
| 2023-01-04 | Refs #34074 -- Used headers argument for RequestFactory and Client in docs ↵ | David Wobrock | |
| and tests. | |||
| 2022-12-29 | Fixed #25617 -- Added case-insensitive unique username validation in ↵ | Paul Schilling | |
| UserCreationForm. Co-Authored-By: Neven Mundar <nmundar@gmail.com> | |||
| 2022-12-24 | Fixed #34165 -- Made permissions creation respect the "using" parameter. | David Wobrock | |
| 2022-11-29 | Fixed #34187 -- Made UserCreationForm save many-to-many fields. | sdolemelipone | |
| 2022-11-10 | Updated documentation and comments for RFC updates. | Nick Pope | |
| - Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents | |||
| 2022-10-27 | Fixed #34066 -- Fixed link to password reset view in ↵ | Simon Kern | |
| UserChangeForm.password's help text when using to_field. Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com> Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2022-10-26 | Completed test coverage for contrib.auth.forms. | Marcelo Galigniana | |
| 2022-10-20 | Skipped scrypt tests when OpenSSL 1.1+ is not installed. | HieuPham9720 | |
| 2022-09-27 | Completed test coverage for createsuperuser command. | Marcelo Galigniana | |
| 2022-09-01 | Fixed ReadOnlyPasswordHashWidget's template for RTL languages. | Shai Berger | |
| 2022-07-23 | Refs #33691 -- Deprecated insecure password hashers. | Claude Paroz | |
| SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher are now deprecated. | |||
| 2022-06-03 | Fixed #33764 -- Deprecated BaseUserManager.make_random_password(). | Ciaran McCormick | |
| 2022-05-25 | Renamed wrapped functions to wrapper. | Aymeric Augustin | |
| All these functions are wrapping another function. They're the wrapper, while the function they're wrapping is the wrapped. | |||
| 2022-05-17 | Increased the default PBKDF2 iterations for Django 4.2. | Carlton Gibson | |
| 2022-05-11 | Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher. | Mariusz Felisiak | |
| 2022-04-20 | Refactored out RedirectURLMixin.get_success_url(). | Aymeric Augustin | |
| This also adds a default implementation of get_default_redirect_url(). | |||
| 2022-04-20 | Simplified LogoutView.get_success_url(). | Aymeric Augustin | |
| This preserves the behavior of redirecting to the logout URL without query string parameters when an insecure ?next=... parameter is given. It changes the behavior of a POST to the logout URL, as shown by the test that is changed. Currently, this results in a GET to the logout URL. However, such GET requests are deprecated. This change would be necessary in Django 5.0 anyway. This commit merely anticipates it. | |||
| 2022-04-18 | Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page ↵ | Aymeric Augustin | |
| when LOGOUT_REDIRECT_URL is set. | |||
| 2022-04-18 | Fixed various tests on MySQL with MyISAM storage engine. | Mariusz Felisiak | |
| 2022-04-01 | Fixed #33613 -- Made createsuperuser detect uniqueness of USERNAME_FIELD ↵ | Lucidiot | |
| when using Meta.constraints. | |||
| 2022-03-29 | Fixed #15619 -- Deprecated log out via GET requests. | René Fleschenberg | |
| Thanks Florian Apolloner for the implementation idea. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2022-03-24 | Refs #15619 -- Logged out with POST requests in admin. | Mariusz Felisiak | |
| 2022-03-24 | Refs #32365 -- Removed internal uses of utils.timezone.utc alias. | Carlton Gibson | |
| Remaining test case ensures that uses of the alias are mapped canonically by the migration writer. | |||
| 2022-03-10 | Fixed #33561 -- Allowed synchronization of user attributes in RemoteUserBackend. | Adrian Torres | |
| 2022-02-22 | Removed redundant QuerySet.all() calls in docs and tests. | Nick Pope | |
| Most QuerySet methods are mapped onto the Manager and, in general, it isn't necessary to call .all() on the manager. | |||
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2022-02-01 | Fixed #30360 -- Added support for secret key rotation. | tschilling | |
| Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> | |||
| 2022-01-04 | Fixed CVE-2021-45115 -- Prevented DoS vector in ↵ | Florian Apolloner | |
| UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu> | |||
| 2021-11-11 | Fixed #33269 -- Made AnonymousUser/PermissionsMixin.has_perms() raise ↵ | Lie Ryan | |
| ValueError on string or non-iterable perm_list. | |||
| 2021-10-12 | Fixed #33178 -- Made createsuperuser validate required fields passed in ↵ | Christophe Henry | |
| options in interactive mode. | |||
| 2021-10-12 | Refs #33178 -- Added createsuperuser tests for validation of foreign keys. | Christophe Henry | |
| 2021-10-12 | Refs #21755 -- Fixed createsuperuser crash for required foreign keys passed ↵ | Christophe Henry | |
| in options in interactive mode. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-10-12 | Refs #29628, Refs #33178 -- Made createsuperuser validate password against ↵ | Mariusz Felisiak | |
| required fields passed in options. | |||
| 2021-10-07 | Fixed #33151 -- Fixed createsuperuser crash for many-to-many required fields ↵ | Christophe Henry | |
| in non-interactive mode. | |||
| 2021-09-20 | Increased the default PBKDF2 iterations for Django 4.1. | Mariusz Felisiak | |
| 2021-09-06 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in ↵ | Mateo Radman | |
| encode() methods of remaining password hashers. | |||
| 2021-08-11 | Refs #29898 -- Changed ProjectState.real_apps to set. | Mariusz Felisiak | |
| 2021-08-02 | Refs #32956 -- Corrected usage of "insure" and "assure". | David Smith | |
| 2021-07-22 | Fixed #32275 -- Added scrypt password hasher. | ryowright | |
| Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-07-22 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in ↵ | Mariusz Felisiak | |
| encode() methods of some password hashers. | |||
| 2021-07-19 | Fixed wording of AuthViewsTestCase's docstring. | Chris Jerdonek | |
