| Age | Commit message (Collapse) | Author |
|
dictionary expansion.
Backport of 3c3f46357718166069948625354b8315a8505262 from main.
|
|
the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
|
|
Python < 3.10.
Regression in 321af4877b62be6849f44e00d1c7e75928e7d3a2.
|
|
with tblib 3.2+.
tblib 3.2+ makes exception subclasses with __init__() and the default
__reduce__() picklable. This broke the test for
RemoteTestResult._confirm_picklable(), which expects a specific
exception to fail unpickling.
https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21
This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way
that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj))
raises TypeError.
Refs #27301. This preserves the intent of the regression test from
52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it.
Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.
|
|
Oracle and GEOS 3.12+.
Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main
|
|
via archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
|
|
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
|
|
injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
|
|
utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
Python fixed a quadratic complexity processing for HTMLParser in:
https://github.com/python/cpython/commit/6eb6c5db.
Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
|
|
Python's HTMLParser fixed parsing.
Further details about Python changes can be found in:
https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.
Refs #36499. Thank you Clifford Gama for the thorough review!
Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
|
|
Backport of 9d9b3bc71702e4bd4b7f8e1602d83fd69f871e94 from stable/5.1.x.
|
|
logging.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
|
|
log_response() for consistency.
Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
|
|
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
|
|
`log_response()`.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
|
|
`log_response()`.
Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
|
|
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
|
|
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
|
|
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
|
|
file_move_safe().
Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c.
Thanks Baptiste Mispelon for the report.
Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
|
|
filter.
Thanks sw0rd1ight for the report.
Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
|
|
The lack of explicit cast for JSON literals on psycopg2 is fixed on 5.1+ by
0d8fbe2ade29f1b7bd9e6ba7a0281f5478603a43 but didn't qualify for a backport to
stable/4.2.x.
|
|
validate_ipv6_address()/validate_ipv46_address() crash for non-string values.
Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
|
|
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
HasKeyLookup usage on Oracle.
Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah
Boyce for the reviews.
|
|
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
|
|
validate IPv6 and IPvFuture addresses.
Refs Python CVE-2024-11168. Django should not affected, but others who
incorrectly use internal function _urlsplit() with unsanitized input
could be at risk.
https://github.com/python/cpython/pull/103849
|
|
command tests on Python 3.12.
Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to use assertRaisesRegex() for compatibility with modified error messages in Python 3.12, 3.13, and 3.14+..
Backport of fc22fdd34f1e55adde161f5f2dca8db90bbfce80 from main.
|
|
email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
|
|
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
|
attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
|
|
django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
urlizetrunc template filters.
Thanks to MProgrammer for the report.
|
|
floatformat.
Thanks Elias Myllymäki for the report.
Co-authored-by: Shai Berger <shai@platonix.com>
|
|
ValueError in get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
|
|
|
|
get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.
Thanks to MProgrammer for the report.
|
|
Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
|
|
checking unusuable passwords.
Refs #20760.
Thanks Michael Manfre for the fix and to Adam Johnson for the review.
|
|
urlizetrunc template filters.
Thank you to Elias Myllymäki for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Thanks Seokchan Yoon for the report.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
test_skip_class_unless_db_feature() test on Python 3.12.2+.
Python 3.12.2 bring back the skipped tests in the number of running
tests. Refs
https://github.com/python/cpython/commit/0a737639dcd3b7181250f5d56694b192eaddeef0
Backport of bc8471f0aac8f0c215b9471b594d159783bac19b from main
|
|
Thanks Warwick Brown for the report.
Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9.
Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
|
|
filter.
Thanks Seokchan Yoon for the report.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
|
|
requirements.
|
|
Meta.db_table_comment on SQLite.
Thanks Юрий for the report.
Regression in 78f163a4fb3937aca2e71786fbdd51a0ef39629e.
Backport of 37fc832a54ad37e75a898a2c8f9ab0820617c4af from main
|
|
texts alignment for tablet screen size.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 729266c6f29c7a0677b24926a86a767ef3078b26 from main
|
|
on MariaDB with ONLY_FULL_GROUP_BY sql mode.
Regression in 041551d716b69ee7c81199eee86a2d10a72e15ab.
Backport of 0257426fe1fe9d146fd5813f09d909917ff59360 from main.
|