summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2015-07-08[1.4.x] Prevented newlines from being accepted in some validators.Tim Graham
This is a security fix; disclosure to follow shortly. Thanks to Sjoerd Job Postmus for the report and draft patch.
2015-03-18[1.4.x] Made is_safe_url() reject URLs that start with control characters.Tim Graham
This is a security fix; disclosure to follow shortly.
2015-02-06[1.4.x] Fix an encoding preamble so the tests pass on 2.7.9.Carl Meyer
It seems there was a change in the parsing of encoding preambles in Python 2.7.9, compared to previous 2.7.x Pythons. This is a backport of the only piece of e520a73eeea6b185b719901ab9985ecef00e5664 that's needed to prevent an import failure under 2.7.9.
2015-01-28[1.4.x] Fixed #24238 -- Removed unused WSGIRequestHandler.get_environ()Tim Graham
Also moved the test as it wasn't running.
2015-01-26[1.4.x] Fixed #24158 -- Allowed GZipMiddleware to work with streaming responsesBenjamin Richter
Backport of django.utils.text.compress_sequence and fix for django.middleware.gzip.GZipMiddleware when using iterators as response.content.
2015-01-14[1.4.x] Fixed a static view test on Windows.Tim Graham
Backport of a6f144fd4fee0090de3a99b1f50a4142722e7946 from master
2015-01-05[1.4.x] Prevented views.static.serve() from using large memory on large files.Tim Graham
This is a security fix. Disclosure following shortly.
2015-01-05[1.4.x] Fixed is_safe_url() to handle leading whitespace.Tim Graham
This is a security fix. Disclosure following shortly.
2015-01-05[1.4.x] Stripped headers containing underscores to prevent spoofing in WSGI ↵Carl Meyer
environ. This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report.
2014-11-25[1.4.x] Fixed #23754 -- Always allowed reference to the primary key in the adminSimon Charette
This change allows dynamically created inlines "Add related" button to work correcly as long as their associated foreign key is pointing to the primary key of the related model. Thanks to amorce for the report, Julien Phalip for the initial patch, and Collin Anderson for the review. Backport of f9c4e14aeca7df79991bca8ac2d743953cbd095c from master
2014-10-06[1.4.x] Fixed #23604 -- Allowed related m2m fields to be references in the ↵Emmanuelle Delescolle
admin. Thanks Simon Charette for review. Backport of a24cf21722 from master
2014-09-29[1.4.x] Required numpy < 1.9 for tests; refs #23489.Tim Graham
Backport of 4743a94429 from stable/1.7.x
2014-09-08[1.4.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.Simon Charette
This fixes a regression introduced by the 53ff096982 security fix. Thanks to @a1tus for the report and Tim for the review. refs #23329. Backport of 342ccbd from master
2014-08-27[1.4.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in ↵Simon Charette
the admin. Thanks to Trac alias Markush2010 and ross for the detailed reports. Backport of 3cbb759 from master
2014-08-11[1.4.x] Prevented data leakage in contrib.admin via query string manipulation.Simon Charette
This is a security fix. Disclosure following shortly.
2014-08-11[1.4.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file ↵Tim Graham
names. This is a security fix. Disclosure following shortly.
2014-08-11[1.4.x] Prevented reverse() from generating URLs pointing to other hosts.Florian Apolloner
This is a security fix. Disclosure following shortly.
2014-07-25[1.4.x] Added tests/requirements/py2.txt.Tim Graham
This follows the convention used in other branches so we don't need a special case in the build script for 1.4.
2014-07-14[1.4.x] Revert "Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet."Ramiro Morales
This reverts commit b44519072e8a0ef56a0ae9e6e4a1fb04273eb0eb. stable/1.4.x branch is in security-fixes-only mode.
2014-07-14[1.4.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.Tim Graham
Thanks sebastien at clarisys.fr for the report and gautier for the patch. Backport of 5e2c4a4bd1 from master
2014-05-12[1.4.x] Added additional checks in is_safe_url to account for flexible parsing.Tim Graham
This is a security fix. Disclosure following shortly.
2014-05-12[1.4.x] Dropped fix_IE_for_vary/attach.Aymeric Augustin
This is a security fix. Disclosure following shortly.
2014-04-23[1.4.x] Fixed #22486 -- Restored the ability to reverse views created using ↵Tim Graham
functools.partial. Regression in 8b93b31. Thanks rcoup for the report. Backport of 3c06b2f2a3 from master
2014-04-21[1.4.x] Fixed queries that may return unexpected results on MySQL due to ↵Erik Romijn
typecasting. This is a security fix. Disclosure will follow shortly. Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
2014-04-21[1.4.x] Prevented leaking the CSRF token through caching.Aymeric Augustin
This is a security fix. Disclosure will follow shortly. Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
2014-04-21[1.4.x] Fixed a remote code execution vulnerabilty in URL reversing.Tim Graham
Thanks Benjamin Bach for the report and initial patch. This is a security fix; disclosure to follow shortly. Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master
2014-04-19[1.4.x] Fixed random aggregation_regress test_more_more_more() failureTim Graham
The cause was assuming that an unordered queryset returns the values always in the same order. Backport of 33dd8f544205be923e2a06106909ebcd3583526b
2013-12-02[1.4.x] Fixed #21538 -- Added numpy to test/requirements/base.txtAlasdair Nicol
Thanks Tim Graham for the report Backport of c75dd664c from master
2013-11-01Fixed SyntaxError on Python 2.5 caused by a @unittest.skipIf class decoration.Loic Bistuer
2013-09-11Fixed failing test introduced by 87d2750b39.Loic Bistuer
The {% ssi %} tag in Django 1.4 doesn't support spaces in its argument. Skip the test if run from a location that contains a space.
2013-09-10[1.4.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative ↵Tim Graham
paths. Thanks Rainer Koirikivi for the report and draft patch. This is a security fix; disclosure to follow shortly. Backport of 7fe5b656c9 from master
2013-08-17[1.4.x] Fixed #20904: Test failure on OracleShai Berger
Just skip the failing test, the failure isn't really relevant; also, both the test and the reason for its failure were removed in 1.5. Thanks Tim Graham for advice on 1.5.
2013-08-16[1.4.x] Fixed #20906 -- Fixed a dependence on set-ordering in testsLuke Plant
Backport of 1ae64e96c1 from master
2013-08-16[1.4.x] Fixed #20905 -- Fixed an Oracle-specific test case failureAnssi Kääriäinen
Made a test checking ORM-generated query string case-insensitive. Backport of ee0a7c741e from master
2013-08-13Fixed regression in validation tests since example.com is available via ↵Florian Apolloner
https now.
2013-07-10[1.4.x] Fixed #19196 -- Added test/requirementsTim Graham
Backport of 4d92a0bd86 from master
2013-02-21[1.4.x] Made a couple of selenium tests wait for page loadedAnssi Kääriäinen
The admin_widgets tests were issuing click() to the browser but didn't wait for the effects of those clicks. This caused the resulting request to be processed concurrently with the test case. When using in-memory SQLite this caused weird failures. Also added wait_page_loaded() to admin selenium tests for code reuse. Fixed #19856, cherry-pick of 50677b29af39ca670274fb45087415c883c78b04
2013-02-19[1.4.x] Added a default limit to the maximum number of forms in a formset.Aymeric Augustin
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19[1.4.x] Checked object permissions on admin history view.Carl Meyer
This is a security fix. Disclosure and advisory coming shortly. Patch by Russell Keith-Magee.
2013-02-19[1.4.x] Restrict the XML deserializer to prevent network and ↵Carl Meyer
entity-expansion DoS attacks. This is a security fix. Disclosure and advisory coming shortly.
2013-02-19[1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.Carl Meyer
This is a security fix; disclosure and advisory coming shortly.
2013-02-13[1.4.x] Removed try-except in django.db.close_connection()Anssi Kääriäinen
The reason was that the except clause needed to remove a connection from the django.db.connections dict, but other parts of Django do not expect this to happen. In addition the except clause was silently swallowing the exception messages. Refs #19707, special thanks to Carl Meyer for pointing out that this approach should be taken.
2013-02-10[1.4.x] Fixed #19707 -- Reset transaction state after requestsAnssi Kääriäinen
Backpatch of a4e97cf315142e61bb4bc3ed8259b95d8586d09c.
2013-02-10[1.4.x] Fixed #19645 -- Added tests for TransactionMiddlewareAnssi Kääriäinen
Backpatch of f556df90be995a83b979cf875705d98521ab4dc7. Backpatching these tests so that it will be easier to backpatch the fix for #19707.
2012-12-10[1.4.X] Fixed a test failure in the comment tests.Florian Apolloner
Backport of 1eb0da1c5ba3096f218d1df13d02a2b8e1ac7a36 from master.
2012-12-10[1.4.X] Fixed a security issue in get_host.Florian Apolloner
Full disclosure and new release forthcoming.
2012-12-10[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by ↵Florian Apolloner
malicious users.
2012-12-04[1.4.x] Fixed the admin_filters tests for Postgres.Julien Phalip
Backport of c196e01100b2
2012-12-03[1.4.x] Fixed #19318 -- Ensured that the admin's SimpleListFilter options ↵Sebastián Magrí
can be displayed as selected even if the lookup's first element is not a string. Backport of 88e17156393b
2012-11-24[1.4.x] Fixed ordering-related failure in m2m_through_regress testsAnssi Kääriäinen
Backpatch of dc569c880143db07e01b3293d698ad8fe4a0136f