path: root/tests/utils_tests
Age  Commit message  Author
2025-04-02  [5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.  Sarah Boyce
Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.

2025-03-01  [5.2.x] Applied Black's 2025 stable style.  Mariusz Felisiak
https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main

2025-01-23  [5.2.x] Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.  Mike Edmunds
Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django). Backport of 29ba75e6e57414f0e6f9528d08a520b8b931fb28 from main.
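The commit message above contrasts IDNA 2003 encoding of the host with percent-encoded UTF-8. What follows is an added illustration of that difference; it is not Django's smart_urlquote() or any other code from the project, and host_idna2003(), host_percent_utf8() and quote_url() are hypothetical names (quote_url() also assumes a netloc with no userinfo or port). It uses Python's built-in idna codec, which implements IDNA 2003 with nameprep, to show why the old mapping is problematic: nameprep folds ß to ss, so straße.de silently becomes strasse.de, a different name, whereas percent-encoding keeps the characters the user typed and leaves IDNA to the browser.

```python
from urllib.parse import quote, urlsplit, urlunsplit


def host_idna2003(host):
    """Old approach (illustration): Python's built-in "idna" codec implements
    IDNA 2003 (RFC 3490/3491 nameprep). Nameprep rewrites some characters
    before punycoding, so the host handed to the browser can differ from
    the one the user entered."""
    return host.encode("idna").decode("ascii")


def host_percent_utf8(host):
    """New approach (illustration): percent-encode the UTF-8 bytes of the host
    and defer IDNA to the browser. The original characters survive unchanged."""
    return quote(host, safe=".")


def quote_url(url, legacy_idna=False):
    """Rewrite only the host of a URL with one of the two strategies.

    Hypothetical helper: assumes the netloc carries no userinfo or port and
    leaves path/query untouched, since the point here is the host mapping.
    """
    parts = urlsplit(url)
    encode_host = host_idna2003 if legacy_idna else host_percent_utf8
    return urlunsplit(parts._replace(netloc=encode_host(parts.netloc)))


if __name__ == "__main__":
    # Constructed sample hosts, not taken from any Django test.
    for host in ("straße.de", "bücher.de", "example.com"):
        print(f"{host!r:14} idna2003={host_idna2003(host)!r:22} "
              f"percent={host_percent_utf8(host)!r}")
```

Note that the idna codec can also raise UnicodeError (empty or over-long labels, characters nameprep prohibits), so the legacy path has failure modes the percent-encoding path does not.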
2025-01-20  [5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.  greg
Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.

2025-01-15  Fixed #36098 -- Fixed validate_ipv6_address()/validate_ipv46_address() crash for non-string values.  Mariusz Felisiak
Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.

2025-01-14  Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.  Michael Manfre
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

2025-01-07  Fixed #36023 -- Handled control chars in content_disposition_header.  Alex Vandiver
To use the simple `filename="..."` form, the value must conform to the official grammar from RFC6266[^1]:

    filename-parm = "filename" "=" value
    value         = <value, defined in [RFC2616], Section 3.6>
                    ; token | quoted-string

The `quoted-string` definition comes from RFC 9110[^2]:

```
quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text

The backslash octet ("\") can be used as a single-octet quoting mechanism
within quoted-string and comment constructs. Recipients that process the
value of a quoted-string MUST handle a quoted-pair as if it were replaced
by the octet following the backslash.

quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

A sender SHOULD NOT generate a quoted-pair in a quoted-string except where
necessary to quote DQUOTE and backslash octets occurring within that
string.
```

That is, quoted strings are able to express horizontal tabs, space characters, and everything in the range from 0x21 to 0x7e, except for 0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be escaped with their own `\`. We ignore the case of `obs-text`, which is defined as the range 0x80-0xFF, since its presence is there for permissive parsing of accidental high-bit characters, and it should not be generated by conforming implementations.

Transform this character range into a regex and apply it in addition to the "is ASCII" check. This ensures that all simple filenames are expressed in the simple format, and that all filenames with newlines and other control characters are properly expressed with the percent-encoded `filename*=...` form.

[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
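The grammar above, turned into working code. This is an added example, not Django's content_disposition_header() nor anything from the commit itself; build_content_disposition(), filename_from_header() and the two regexes are hypothetical names. It mirrors the approach the message describes (a quoted-string character class, quoted-pair escaping for DQUOTE and backslash, and the `filename*=utf-8''` form for everything else) and adds a small parser so the round trip, including the CR/LF case that motivated the change, can be checked.

```python
import re
from urllib.parse import quote, unquote

# Everything a quoted-string may carry without obs-text: HTAB, SP, 0x21-0x7E.
# DQUOTE (0x22) and backslash (0x5C) sit inside that range but must be sent
# as quoted-pairs (\" and \\). Controls, DEL (0x7F) and non-ASCII are out.
QUOTED_STRING_SAFE = re.compile(r"[\t \x21-\x7e]*")

# One ";name=value" parameter. The quoted-string alternative honours
# quoted-pairs, so a ';' or '"' inside the filename does not split the list.
PARAM_RE = re.compile(r';\s*([^=;\s]+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def build_content_disposition(as_attachment, filename):
    """Build a Content-Disposition value (hypothetical helper, not Django's).

    The simple filename="..." form is used only when fullmatch() confirms
    every character fits a quoted-string; anything else (CR, LF, other
    controls, DEL, non-ASCII) goes through the RFC 5987 filename*=utf-8''
    form, so a raw newline can never reach the header line.
    """
    disposition = "attachment" if as_attachment else "inline"
    if not filename:
        return disposition if as_attachment else None
    if QUOTED_STRING_SAFE.fullmatch(filename):
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        return f'{disposition}; filename="{escaped}"'
    return f"{disposition}; filename*=utf-8''{quote(filename)}"


def _unquote_string(value):
    """Strip the surrounding DQUOTEs and replace each quoted-pair \\x with x."""
    body, out, i = value[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            i += 1
        out.append(body[i])
        i += 1
    return "".join(out)


def filename_from_header(header):
    """Recover the filename a conforming recipient would use (filename* wins)."""
    plain = extended = None
    for name, value in PARAM_RE.findall(header):
        if name == "filename*":
            charset, _, rest = value.partition("'")
            _, _, encoded = rest.partition("'")  # drop the (empty) language tag
            extended = unquote(encoded, encoding=charset)
        elif name == "filename":
            plain = _unquote_string(value) if value.startswith('"') else value
    return extended if extended is not None else plain


if __name__ == "__main__":
    # Constructed sample names, not taken from any Django test.
    for name in ("report.pdf", 'say "hi".txt', "evil\r\nX: y.pdf", "résumé.pdf"):
        header = build_content_disposition(True, name)
        print(repr(header), "->", repr(filename_from_header(header)))
```

fullmatch() is used deliberately rather than a `^...$` pattern with match(): `$` also matches just before a trailing newline, so `"name\n"` would slip into the simple form and put a bare LF into the header.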
2024-12-17  Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.  Mike Edmunds
Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts.

2024-12-04  Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().  Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.

2024-09-03  Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.  Sarah Boyce
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

2024-08-30  Dropped safeguards against very old versions of gettext.  Claude Paroz
gettext 0.19 was released in 2014.

2024-08-28  Fixed #35666 -- Documented stacklevel usage and testing, and adjusted test suite accordingly.  Simon Charette
Over the years we've had multiple instances of hits and misses when emitting warnings: either setting the wrong stacklevel or not setting it at all. This work adds assertions for the existing warnings that were declaring the correct stacklevel, but were lacking tests for it.

2024-08-27  Refs #34609 -- Fixed deprecation warning stack level in format_html().  Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com>

2024-08-20  Fixed #35668 -- Added mapping support to format_html_join.  nabil-rady

2024-08-12  Fixed #35648 -- Raised NotImplementedError in SafeString.__add__ for non-string RHS.  Matthias Kestenholz
This change ensures SafeString addition operations handle non-string RHS properly, allowing them to implement __radd__ for better compatibility.

2024-08-12  Refs #35648 -- Added test for addition between SafeString and str in utils_tests.  Matthias Kestenholz

2024-08-06  Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.  Mariusz Felisiak
Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

2024-08-06  Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.  Sarah Boyce
Thanks to MProgrammer for the report.

2024-07-09  Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters.  Adam Johnson
Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

2024-06-18  Fixed #12978 -- Added support for RSS feed stylesheets.  Baptiste Mispelon

2024-03-04  Refs CVE-2024-27351 -- Forwardported release notes and tests.  Shai Berger
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

2024-02-07  Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator.  David Smith

2024-02-07  Refs #30686 -- Fixed text truncation for negative or zero lengths.  David Smith

2024-02-06  Refs #30686 -- Improved test coverage of Truncator.  David Smith

2024-01-26  Applied Black's 2024 stable style.  Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0

2024-01-09  Fixed #35097 -- Tested parse_datetime() with bare date.  Tim Graham
Regression test for behavior change in f35ab74752adb37138112657c1bc8b91f50e799b.

2024-01-04  Used enterClassContext() where appropriate.  Mariusz Felisiak

2023-12-31  Used addCleanup() in tests where appropriate.  Mariusz Felisiak

2023-11-28  Refs #34986 -- Fixed some test assertions for PyPy.  Nick Pope
These failures were due to minor inconsistencies or implementation differences between CPython and PyPy.

2023-11-28  Refs #34986 -- Fixed mocking in utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.  Nick Pope
Mocking in the `datetime` module can be tricky. In CPython the datetime C module is used, but PyPy uses a pure Python implementation. This caused issues with the prior approach to mocking `datetime.datetime`. See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking

2023-11-24  Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable().  Nick Pope

2023-10-23  Refs #34899 -- Extracted Field.flatchoices to flatten_choices helper function.  Nick Pope
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>

2023-10-23  Refs #31262 -- Added __eq__() and __getitem__() to BaseChoiceIterator.  Nick Pope
This makes it easier to work with lazy iterators used for callables, etc. when extracting items or comparing to lists, e.g. during testing. Also added `BaseChoiceIterator.__iter__()` to make it clear that subclasses must implement this and added `__all__` to the module. Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>

2023-10-04  Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.  Natalia
Thanks Wenchao Li of Alibaba Group for the report.

2023-09-04  Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().  Mariusz Felisiak
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>

2023-08-30  Fixed #31262 -- Added support for mappings on model fields and ChoiceField's choices.  Nick Pope

2023-08-28  Fixed #34787 -- Fixed autoreloader crash when run from installed script on Windows.  sarahboyce

2023-08-22  Removed unnecessary trailing commas in tests.  konsti

2023-08-20  Fixed utils_tests.test_lazyobject.SimpleLazyObjectPickleTestCase.  Mariusz Felisiak
SimpleLazyObjectPickleTestCase executes database queries so it must inherit from django.test.TestCase.

2023-07-12  Refs #30116 -- Simplified tests related to dictionary order.  Mariusz Felisiak
Dicts preserve order since Python 3.6.

2023-06-12  Allowed custom formatting of lazy() objects.  Nick Pope
This allows for formatting of lazy objects which have a custom formatter defined by overriding the default implementation from `object`.

2023-06-12  Allowed multiplication of lazy() objects with int return type.  Nick Pope

2023-06-12  Made proxy class in lazy() prepare eagerly.  Ran Benita
Previously, the proxy class was prepared lazily:

    lazy_identity = lazy(identity, int)
    lazy_identity(10)  # prepared here
    lazy_identity(10)

This has a slight advantage that if the lazy doesn't end up getting used, the preparation work is skipped, however that's not very likely. Besides this laziness, it is also inconsistent in that the methods which are wrapped directly (__str__ etc.) are prepared already when __proxy__ is defined, and there is a weird half-initialized state. This changes it so that everything is prepared already on the first line of the example above.

2023-06-12  Added more tests for django.utils.functional.lazy().  Nick Pope

2023-06-08  Made bytes and str return types no longer mutually exclusive in lazy().  Ran Benita
They are no longer special cased.

2023-06-08  Refs #34445 -- Fixed string-casting of non-string lazy objects when value may be bytes.  Ran Benita
If the result type is bytes, then calling bytes() on it does nothing. If the result type is not bytes, we should not cast to bytes, just because the return value may be bytes.

2023-06-06  Fixed #34609 -- Deprecated calling format_html() without arguments.  devilsautumn

2023-05-23  Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.  Mariusz Felisiak
Python 3.12+ no longer wraps exceptions in __set_name__, see https://github.com/python/cpython/commit/55c99d97e14618dfce41472dd4446f763b0da13f

2023-04-14  Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.  Mariusz Felisiak
Follow up to 813015d67e2557fa859a07930a9becec4e5f64a0. Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.

2023-04-13  Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates and interval less than 1 day.  nessita
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8. Thanks Lorenzo Peña for the report.