| Age | Commit message (Collapse) | Author |
|
django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
|
|
django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
|
and URLValidator.
Thanks Seokchan Yoon for reports.
|
|
Pillow isn't installed.
Follow up to fb4c55d9ec4bb812a7fb91fa20510d91645e411b.
Backport of fcfbf08abe3e6dc54894df6988024f055abc6c40 from main
|
|
validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.
Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
|
Thanks to Jakob Ackermann for the report.
|
|
Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.
Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
|
|
SQLite 3.37+.
Use FlexibleFieldLookupDict which is case-insensitive mapping because
SQLite 3.37+ returns some data type names upper-cased e.g. TEXT.
Backport of 974e3b8750fe96c16c9c0b115a72ee4a2171df34 from main
|
|
Backport of 694cf458f16b8d340a3195244196980b2dec34fd from main.
|
|
regular expressions.
Thanks to Benjamin Balder Bach for the report.
|
|
Thanks to Motoyasu Saburi for the report.
|
|
MyISAM storage engine.
Backport of 73766c118781a7f7052bf0a5fbee38b944964e31 from main.
|
|
against SQL injection.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
|
|
It's a regression in GEOS 3.8.0 fixed in GEOS 3.8.1.
Backport of 863aa7541d30247e7eb7a973ff68a7d36f16dc02 from main
|
|
test_request_lifecycle_signals_dispatched_with_thread_sensitive with asgiref 3.5.1+.
|
|
DEFAULT_INDEX_TABLESPACE is set.
Backport of aa8b9279e40da343f5b91e5aec07f868184056f4 from main
|
|
against SQL injection on PostgreSQL.
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
|
|
and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
|
|
check for template changes.
Regression in 68357b2ca9e88c40fc00d848799813241be39129.
Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
|
|
This reverts commit 1d9d082acf6e152c06833bb9698f88d688b95e40.
Backport of abfdb4d7f384fb06ed9b7ca37b548542df7b5dda from main
|
|
See https://github.com/pallets/jinja/pull/1621.
Backport of 1d9d082acf6e152c06833bb9698f88d688b95e40 from main
|
|
Thanks Alan Ryan for the report and initial patch.
Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
|
|
Thanks Keryn Knight for the report.
Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main.
Co-authored-by: Adam Johnson <me@adamj.eu>
|
|
subsystem.
Thanks to Dennis Brinkrolf for the report.
|
|
dictsort template filter.
Thanks to Dennis Brinkrolf for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
|
|
UserAttributeSimilarityValidator.
Thanks Chris Bailey for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
|
|
upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.
Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
|
|
PickleabilityTestCase.test_annotation_with_callable_default() crash on Oracle.
Grouping by LOBs is not allowed on Oracle. This moves a binary field to
a separate model.
Backport of d3a64bea51676fcf8a0ae593cf7b103939e12c87 from main
|
|
on PostgreSQL.
This makes models.BinaryField pickleable on PostgreSQL.
Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d.
Thanks Adam Zimmerman for the report.
Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
|
|
functional indexes on SQLite.
This adjusts Expressions.rename_table_references() to only update alias
when needed.
Regression in 83fcfc9ec8610540948815e127101f1206562ead.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
|
|
asyncore and smtpd modules were deprecated in Python 3.10.
Backport of 569a33579c3cca5f801c544d9b52a34e3c779424 from main.
|
|
test_server_login() was a regression test for a crash when passing
Unicode strings to SMTP server using CRAM-MD5 method on Python 2.
Python 2 is no longer supported and test_server_login() passes even
without FakeSMTPChannel.smtp_AUTH() because
smtplib.SMTPAuthenticationError is raised when AUTH is not implemented.
Backport of cdad96e6330cd31185f7496aaf8eb316f2773d6d from main
|
|
3.10+.
Backport of f1bcaa9be8227dce89a320ce1ca37e1df7c80d03 from main.
|
|
Thread.setDaemon() was deprecated in Python 3.10 and will be removed in
Python 3.12.
Backport of f9f6bd63c98dc2f01412887f4a98dbfdab363fdf from main
|
|
Backport of ae48601e6d88410626c7d28572f969ab57b33598 from main
|
|
when actions are both top and bottom.
Thanks Benjamin Locher for the report.
Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b.
Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
|
|
fields in custom admin site.
Backport of 0a9aa02e6f1d1b9ceca155d281a2be624bb1d3a2 from main
|
|
Python 3.9.7+.
Thanks Michał Górny for the report.
Backport of 50ed545e2fa02c51e0d1559b83624f256e4b499b from main.
|
|
Regression in 10d126198434810529e0220b0c6896ed64ca0e88.
Backport of cbba49971bbbbe3e8c6685e4ce6ab87b1187ae87 from main
|
|
Backport of ed317e79e355bd3aacb1393b821df7b1a7267ebc from main
|
|
through_fields is a list.
Regression in c32d8f33d8e988a376e44997b8f3606d821f305e.
Backport of 20226fcd461670334646f78a0c4d133e439b12b2 from main
|
|
DecimalField.validate().
DecimalField must itself validate() values, such as NaN, which cannot be
passed to validators, such as MaxValueValidator, during the
run_validators() phase.
Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85.
Backport of c542d0a07237033225c1d57337ca9474a00648f2 from main
|
|
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.
In retrospective the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.
The main branch is not affected because the raw SQL column reference
support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff
per the 4.0 deprecation life cycle.
Thanks Joel Saunders for the report.
|
|
auto-created primary keys on models with invalid app_label.
Regression in b5e12d490af3debca8c55ab3c1698189fdedbbdb.
Thanks Iuri de Silvio for the report.
Backport of 7a9745fed498f69c46a3ffa5dfaff872e0e1df89 from main
|
|
on MySQL 8.0.13+.
Regression in d4ac23bee1c84d8e4610350202ac068fc90f38c0.
Thanks Omkar Deshpande for the report.
Backport of fa0433d05f213afe4c67055006320f7aba4c8108 from main
|
|
default on MySQL 8.0.13+.
MySQL 8.0.13+ supports defaults for BLOB/TEXT but not in the
ALTER COLUMN statement.
Regression in 6b16c91157512587017e9178d066ed1a683e7795.
Thanks Matt Westcott for the report.
Backport of 5e04e84d67da8163f365e9f5fcd169e2630e2873 from main
|
|
QuerySet.values_list().
Regression in 981a072dd4dec586f8fc606712ed9a2ef116eeee.
Thanks pirelle for the report.
Backport of 0393b9262dcf1b8302d35a8a470e14837ca1300b from main
|
|
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
|
|
admindocs' TemplateDetailView.
|
|
DecimalFields on MySQL.
Regression in 1e38f1191de21b6e96736f58df57dfb851a28c1f.
Thanks Mohsen Tamiz for the report.
Backport of e703b152c6148ddda1b072a4353e9a41dca87f90 from main
|