summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2022-04-11[3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) ↵Mariusz Felisiak
against SQL injection on PostgreSQL. Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11[3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), ↵Mariusz Felisiak
and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11[3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader ↵Manel Clos
check for template changes. Regression in 68357b2ca9e88c40fc00d848799813241be39129. Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
2022-03-26[3.2.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+."Mariusz Felisiak
This reverts commit 1d9d082acf6e152c06833bb9698f88d688b95e40. Backport of abfdb4d7f384fb06ed9b7ca37b548542df7b5dda from main
2022-03-25[3.2.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+.Mariusz Felisiak
See https://github.com/pallets/jinja/pull/1621. Backport of 1d9d082acf6e152c06833bb9698f88d688b95e40 from main
2022-02-01[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.Mariusz Felisiak
Thanks Alan Ryan for the report and initial patch. Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
2022-02-01[3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.Markus Holtermann
Thanks Keryn Knight for the report. Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage ↵Florian Apolloner
subsystem. Thanks to Dennis Brinkrolf for the report.
2022-01-04[3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in ↵Florian Apolloner
dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04[3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in ↵Florian Apolloner
UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
2021-12-07[3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an ↵Florian Apolloner
upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-12-04[3.2.x] Refs #33333 -- Fixed ↵Mariusz Felisiak
PickleabilityTestCase.test_annotation_with_callable_default() crash on Oracle. Grouping by LOBs is not allowed on Oracle. This moves a binary field to a separate model. Backport of d3a64bea51676fcf8a0ae593cf7b103939e12c87 from main
2021-12-03[3.2.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField ↵Mariusz Felisiak
on PostgreSQL. This makes models.BinaryField pickleable on PostgreSQL. Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d. Thanks Adam Zimmerman for the report. Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
2021-10-18[3.2.x] Fixed #33194 -- Fixed migrations when altering a field with ↵Hannes Ljungberg
functional indexes on SQLite. This adjusts Expressions.rename_table_references() to only update alias when needed. Regression in 83fcfc9ec8610540948815e127101f1206562ead. Co-authored-by: Simon Charette <charettes@users.noreply.github.com> Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
2021-10-15[3.2.x] Refs #32074 -- Removed usage of deprecated asyncore and smtpd modules.Mariusz Felisiak
asyncore and smtpd modules were deprecated in Python 3.10. Backport of 569a33579c3cca5f801c544d9b52a34e3c779424 from main.
2021-10-14[3.2.x] Refs #27131 -- Removed SMTPBackendTests.test_server_login().Mariusz Felisiak
test_server_login() was a regression test for a crash when passing Unicode strings to SMTP server using CRAM-MD5 method on Python 2. Python 2 is no longer supported and test_server_login() passes even without FakeSMTPChannel.smtp_AUTH() because smtplib.SMTPAuthenticationError is raised when AUTH is not implemented. Backport of cdad96e6330cd31185f7496aaf8eb316f2773d6d from main
2021-10-05[3.2.x] Refs #32074 -- Fixed find_module()/find_loader() warnings on Python ↵Mariusz Felisiak
3.10+. Backport of f1bcaa9be8227dce89a320ce1ca37e1df7c80d03 from main.
2021-10-05[3.2.x] Refs #32074 -- Removed usage of deprecated Thread.setDaemon().Karthikeyan Singaravelan
Thread.setDaemon() was deprecated in Python 3.10 and will be removed in Python 3.12. Backport of f9f6bd63c98dc2f01412887f4a98dbfdab363fdf from main
2021-10-05[3.2.x] Skipped test_archive tests when bz2/lzma module is not installed.Mariusz Felisiak
Backport of ae48601e6d88410626c7d28572f969ab57b33598 from main
2021-09-21[3.2.x] Fixed #33083 -- Fixed selecting all items in the admin changelist ↵Carlton Gibson
when actions are both top and bottom. Thanks Benjamin Locher for the report. Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b. Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
2021-09-18[3.2.x] Fixed #33077 -- Fixed links to related models for admin's readonly ↵Ken Whitesell
fields in custom admin site. Backport of 0a9aa02e6f1d1b9ceca155d281a2be624bb1d3a2 from main
2021-09-02[3.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on ↵Mariusz Felisiak
Python 3.9.7+. Thanks Michał Górny for the report. Backport of 50ed545e2fa02c51e0d1559b83624f256e4b499b from main.
2021-08-30[3.2.x] Fixed #32992 -- Restored offset extraction for fixed offset timezones.Carlton Gibson
Regression in 10d126198434810529e0220b0c6896ed64ca0e88. Backport of cbba49971bbbbe3e8c6685e4ce6ab87b1187ae87 from main
2021-08-23[3.2.x] Fixed #33030 -- Fixed broken links to GDAL docs.Märt Häkkinen
Backport of ed317e79e355bd3aacb1393b821df7b1a7267ebc from main
2021-07-26[3.2.x] Fixed #32947 -- Fixed hash() crash on reverse M2M relation when ↵Tom Wojcik
through_fields is a list. Regression in c32d8f33d8e988a376e44997b8f3606d821f305e. Backport of 20226fcd461670334646f78a0c4d133e439b12b2 from main
2021-07-21[3.2.x] Fixed #32949 -- Restored invalid number handling in ↵yakimka
DecimalField.validate(). DecimalField must itself validate() values, such as NaN, which cannot be passed to validators, such as MaxValueValidator, during the run_validators() phase. Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85. Backport of c542d0a07237033225c1d57337ca9474a00648f2 from main
2021-07-01[3.2.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().Simon Charette
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5 by marking the raw SQL column reference feature for deprecation in Django 4.0 while lifting the column format validation. In retrospective the validation should have been kept around and the user should have been pointed at using RawSQL expressions during the deprecation period. The main branch is not affected because the raw SQL column reference support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff per the 4.0 deprecation life cycle. Thanks Joel Saunders for the report.
2021-06-22[3.2.x] Fixed #32863 -- Skipped system check for specifying type of ↵Hasan Ramezani
auto-created primary keys on models with invalid app_label. Regression in b5e12d490af3debca8c55ab3c1698189fdedbbdb. Thanks Iuri de Silvio for the report. Backport of 7a9745fed498f69c46a3ffa5dfaff872e0e1df89 from main
2021-06-10[3.2.x] Fixed #32832 -- Fixed adding BLOB/TEXT nullable field with default ↵Mariusz Felisiak
on MySQL 8.0.13+. Regression in d4ac23bee1c84d8e4610350202ac068fc90f38c0. Thanks Omkar Deshpande for the report. Backport of fa0433d05f213afe4c67055006320f7aba4c8108 from main
2021-06-10[3.2.x] Fixed #32503 -- Fixed altering BLOB/TEXT field to non-nullable with ↵Yuekui Li
default on MySQL 8.0.13+. MySQL 8.0.13+ supports defaults for BLOB/TEXT but not in the ALTER COLUMN statement. Regression in 6b16c91157512587017e9178d066ed1a683e7795. Thanks Matt Westcott for the report. Backport of 5e04e84d67da8163f365e9f5fcd169e2630e2873 from main
2021-06-04[3.2.x] Fixed #32812 -- Restored immutability of named values from ↵Takayuki Hirayama
QuerySet.values_list(). Regression in 981a072dd4dec586f8fc606712ed9a2ef116eeee. Thanks pirelle for the report. Backport of 0393b9262dcf1b8302d35a8a470e14837ca1300b from main
2021-06-02[3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.Mariusz Felisiak
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
2021-06-02[3.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via ↵Florian Apolloner
admindocs' TemplateDetailView.
2021-06-01[3.2.x] Fixed #32793 -- Fixed loss of precision for temporal operations with ↵Mariusz Felisiak
DecimalFields on MySQL. Regression in 1e38f1191de21b6e96736f58df57dfb851a28c1f. Thanks Mohsen Tamiz for the report. Backport of e703b152c6148ddda1b072a4353e9a41dca87f90 from main
2021-05-26[3.2.x] Fixed #32783 -- Fixed crash of autoreloader when __main__ module ↵Mariusz Felisiak
doesn't have __spec__ attribute. Regression in ec6d2531c59466924b645f314ac33f54470d7ac3. Thanks JonathanNickelson for the report. Backport of 12b19a1d76e1a6f80923c8358290d605dacd65d4 from main
2021-05-26[3.2.x] Fixed #32744 -- Normalized to pathlib.Path in autoreloader check for ↵Hasan Ramezani
template changes. Backport of 68357b2ca9e88c40fc00d848799813241be39129 from main
2021-05-18[3.2.x] Fixed #32747 -- Prevented initialization of unused caches.Mariusz Felisiak
Thanks Alexander Ebral for the report. Regression in 98e05ccde440cc9b768952cc10bc8285f4924e1f. Backport of 958cdf65ae90d26236d1815bbba804729595ec7a from main
2021-05-18[3.2.x] Fixed #32733 -- Skipped system check for specifying type of ↵Rust Saiargaliev
auto-created primary keys on abstract models. Regression in b5e12d490af3debca8c55ab3c1698189fdedbbdb. Backport of a24fed399ced6be2e9dce4cf28db00c3ee21a21c from main
2021-05-18[3.2.x] Fixed #32754 -- Made AdminSite.catch_all_view() respect SCRIPT_NAME.Slava Skvortsov
Regression in ba31b0103442ac891fb3cb98f316781254e366c3. Backport of f7691d4812c578e696635718e67639d2e08eac40 from main
2021-05-13[3.2.x] Fixed #32718 -- Relaxed file name validation in FileField.Mariusz Felisiak
- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main
2021-05-13[3.2.x] Fixed #32717 -- Fixed filtering of querysets combined with the | ↵Simon Charette
operator. Address a long standing bug in a Where.add optimization to discard equal nodes that was surfaced by implementing equality for Lookup instances in bbf141bcdc31f1324048af9233583a523ac54c94. Thanks Shaheed Haque for the report. Backport of b81c7562fc33f50166d5120138d6398dc42b13c3 from main
2021-05-12[3.2.x] Fixed #32732 -- Removed usage of deprecated 'db' and 'passwd' ↵Nick Pope
connection options in MySQL backend. The 'db' and 'passwd' connection options have been deprecated, use 'database' and 'password' instead (available since mysqlclient >= 1.3.8). This also allows the 'database' option in DATABASES['OPTIONS'] on MySQL. Backport of 1061f5243646b4c9b8a758f8a36c9e2ccdded1cf from main
2021-05-06[3.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs ↵Mariusz Felisiak
from being accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-06[3.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.Carlton Gibson
The validate_file_name() sanitation introduced in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example file name as containing path elements on Windows. This breaks the test introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path components for storages that may allow them. Test is skipped pending a discussed storage refactoring to support this use-case. Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
2021-05-05[3.2.x] Fixed #32714 -- Prevented recreation of migration for Meta.ordering ↵Simon Charette
with OrderBy expressions. Regression in c8b659430556dca0b2fe27cf2ea0f8290dbafecd. Thanks Kevin Marsh for the report. Backport of 96f55ccf798c7592a1203f798a4dffaf173a9263 from main
2021-05-04[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in ↵Florian Apolloner
file uploads.
2021-04-28[3.2.x] Fixed #32632, Fixed #32657 -- Removed flawed support for Subquery ↵Simon Charette
deconstruction. Subquery deconstruction support required implementing complex and expensive equality rules for sql.Query objects for little benefit as the latter cannot themselves be made deconstructible to their reference to model classes. Making Expression @deconstructible and not BaseExpression allows interested parties to conform to the "expression" API even if they are not deconstructible as it's only a requirement for expressions allowed in Model fields and meta options (e.g. constraints, indexes). Thanks Phillip Cutter for the report. This also fixes a performance regression in bbf141bcdc31f1324048af9233583a523ac54c94. Backport of c8b659430556dca0b2fe27cf2ea0f8290dbafecd from main
2021-04-27[3.2.x] Fixed #32687 -- Restored passing process’ environment to ↵Konstantin Alekseev
underlying tool in dbshell on PostgreSQL. Regression in bbe6fbb8768e8fb1aecb96d51c049d7ceaf802d3. Backport of 6e742dabc95b00ba896434293556adeb4dbaee8a from main.
2021-04-27[3.2.x] Fixed #32682 -- Made admin changelist use Exists() instead of ↵Mariusz Felisiak
distinct() for preventing duplicates. Thanks Zain Patel for the report and Simon Charette for reviews. The exception introduced in 6307c3f1a123f5975c73b231e8ac4f115fd72c0d revealed a possible data loss issue in the admin. Backport of 187118203197801c6cb72dc8b06b714b23b6dd3d from main
2021-04-27[3.2.x] Refs #32682 -- Renamed use_distinct variable to may_have_duplicates.Mariusz Felisiak
QuerySet.distinct() is not the only way to avoid duplicate, it's also not preferred. Backport of cd74aad90e09865ae6cd8ca0377ef0a5008d14e9 from main