summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2025-11-05[4.2.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on ↵Jacob Walls
dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main.
2025-11-05[4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via ↵Jacob Walls
the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-05[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵Jacob Walls
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-03[4.2.x] Skipped test_compressed_file_based_raster_creation() test on GDAL 3.5+.Mariusz Felisiak
2025-11-03[4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() crash on ↵Mariusz Felisiak
Python < 3.10. Regression in 321af4877b62be6849f44e00d1c7e75928e7d3a2.
2025-10-22[4.2.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible ↵Mariusz Felisiak
with tblib 3.2+. tblib 3.2+ makes exception subclasses with __init__() and the default __reduce__() picklable. This broke the test for RemoteTestResult._confirm_picklable(), which expects a specific exception to fail unpickling. https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21 This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj)) raises TypeError. Refs #27301. This preserves the intent of the regression test from 52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it. Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.
2025-10-20[4.2.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on ↵Mariusz Felisiak
Oracle and GEOS 3.12+. Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main
2025-10-01[4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-10-01[4.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-03[4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-13[4.2.x] Fixed #36499 -- Adjusted ↵Natalia
utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior. Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db. Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
2025-08-13[4.2.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following ↵Natalia
Python's HTMLParser fixed parsing. Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3. Refs #36499. Thank you Clifford Gama for the thorough review! Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
2025-08-04[4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.Natalia
Backport of 9d9b3bc71702e4bd4b7f8e1602d83fd69f871e94 from stable/5.1.x.
2025-06-06[4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ↵Jake Howard
logging. Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06[4.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use ↵Natalia
log_response() for consistency. Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-06[4.2.x] Refactored logging_tests to reuse assertions for log records.Natalia
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
2025-06-04[4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-05-22[4.2.x] Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`. Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22[4.2.x] Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-06[4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-23[4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-07[4.2.x] Fixed #36298 -- Truncated the overwritten file content in ↵Sarah Boyce
file_move_safe(). Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c. Thanks Baptiste Mispelon for the report. Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
2025-03-06[4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-01-17[4.2.x] Refs #34060 -- Adjusted CVE-2024-53908 regression test for psycopg2.Simon Charette
The lack of explicit cast for JSON literals on psycopg2 is fixed on 5.1+ by 0d8fbe2ade29f1b7bd9e6ba7a0281f5478603a43 but didn't qualify for a backport to stable/4.2.x.
2025-01-15[4.2.x] Fixed #36098 -- Fixed ↵Mariusz Felisiak
validate_ipv6_address()/validate_ipv46_address() crash for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
2025-01-14[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Natalia
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-12-04[4.2.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵Simon Charette
HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2024-12-04[4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-03[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly ↵Mariusz Felisiak
validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849
2024-10-30[4.2.x] Refs #35844 -- Expanded compatibility for expected error messages in ↵Tainara Palmeira
command tests on Python 3.12. Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to use assertRaisesRegex() for compatibility with modified error messages in Python 3.12, 3.13, and 3.14+.. Backport of fc22fdd34f1e55adde161f5f2dca8db90bbfce80 from main.
2024-09-03[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-07-31[4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-31[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-07-31[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-07-25[4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-11[4.2.x] Fixed auth_tests and file_storage tests on Python 3.8.Mariusz Felisiak
2024-07-09[4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵Natalia
Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09[4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09[4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-03-04[4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().Shai Berger
Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-10[4.2.x] Refs #34900, Refs #34118 -- Updated assertion in ↵Daniel Garcia Moreno
test_skip_class_unless_db_feature() test on Python 3.12.2+. Python 3.12.2 bring back the skipped tests in the number of running tests. Refs https://github.com/python/cpython/commit/0a737639dcd3b7181250f5d56694b192eaddeef0 Backport of bc8471f0aac8f0c215b9471b594d159783bac19b from main
2024-02-08[4.2.x] Fixed #35172 -- Fixed intcomma for string floats.Mariusz Felisiak
Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
2024-02-06[4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵Adam Johnson
filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com>
2024-01-29[4.2.x] Pinned black == 23.12.1 in GitHub actions, pre-commit and test ↵nessita
requirements.
2023-11-30[4.2.x] Fixed #35006 -- Fixed migrations crash when altering ↵Mariusz Felisiak
Meta.db_table_comment on SQLite. Thanks Юрий for the report. Regression in 78f163a4fb3937aca2e71786fbdd51a0ef39629e. Backport of 37fc832a54ad37e75a898a2c8f9ab0820617c4af from main
2023-11-27[4.2.x] Fixed #34982 -- Fixed admin's read-only password widget and help ↵Tom Carrick
texts alignment for tablet screen size. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 729266c6f29c7a0677b24926a86a767ef3078b26 from main
2023-11-27[4.2.x] Fixed #34992 -- Fixed DatabaseFeatures.allows_group_by_selected_pks ↵Nathaniel Conroy
on MariaDB with ONLY_FULL_GROUP_BY sql mode. Regression in 041551d716b69ee7c81199eee86a2d10a72e15ab. Backport of 0257426fe1fe9d146fd5813f09d909917ff59360 from main.