summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2024-09-03[5.0.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-06[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection ↵Simon Charette
attacks against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-06[5.0.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06[5.0.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks to MProgrammer for the report.
2024-08-06[5.0.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in ↵Sarah Boyce
floatformat. Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-05[5.0.x] Fixed #35657 -- Made FileField handle db_default values.Sarah Boyce
Backport of 8deb6bb1fc427762d56646bf7306cbd11fb5bb68 from main.
2024-08-05[5.0.x] Fixed #35638 -- Updated validate_constraints to consider db_default.David Sanders
Backport of 509763c79952cde02d9f5b584af4278bdbed77b2 from main.
2024-08-05[5.0.x] Fixed #35628 -- Allowed compatible GeneratedFields for ↵John Parton
ModelAdmin.date_hierarchy. Backport of 7f8d839722b72aeb3ec5a4278ae57c18283acacd from main.
2024-07-26[5.0.x] Added missing skips in constraint tests.Tim Graham
Backport of b6ad8b687adf011245270df17a38c1a42792e3d7 from main.
2024-07-26[5.0.x] Refs #35625 -- Corrected CheckConstraint argument name in ↵Mariusz Felisiak
migrations.test_operations.
2024-07-25[5.0.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ↵Lorenzo Peña
ValueError in get_supported_language_variant(). LocaleMiddleware didn't handle the ValueError raised by get_supported_language_variant() when language codes were over 500 characters. Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb. Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
2024-07-25[5.0.x] Fixed #35625 -- Fixed a crash when adding a field with db_default ↵Simon Charette
and check constraint. This is the exact same issue as refs #30408 but for creating a model with a constraint containing % escapes instead of column addition. All of these issues stem from a lack of SQL and parameters separation from the BaseConstraint DDL generating methods preventing them from being mixed with other parts of the schema alteration logic that do make use of parametrization on some backends (e.g. Postgres, MySQL for DEFAULT). Prior to the addition of Field.db_default and GeneratedField in 5.0 parametrization of DDL was never exercised on model creation so this is effectively a bug with db_default as the GeneratedField case was addressed by refs #35336. Thanks Julien Chaumont for the report and Mariusz Felisiak for the review. Backport of f359990e4909db8722820849d61a6f5724338723 from main.
2024-07-22[5.0.x] Fixed mail.tests.MailTests.test_backend_arg() test on Python 3.13+.Mariusz Felisiak
There is no point in asserting Python error messages. Backport of 4ee68bb4f50dbe842461f8f340bb1633fddd4a53 from main.
2024-07-18[5.0.x] Fixed #35606, Refs #34045 -- Fixed rendering of ↵Hisham Mahmood
ModelAdmin.action_checkbox for models with a __html__ method. Thank you Claude Paroz for the report. Regression in 85366fbca723c9b37d0ac9db1d44e3f1cb188db2. Backport of 182f262b15882649bbc39d769f9b721cf3660f6f from main.
2024-07-17[5.0.x] Fixed #35594 -- Added unique nulls distinct validation for expressions.Simon Charette
Thanks Mark Gensler for the report. Backport of adc0b6aac3f8a5c96e1ca282bc9f46e28d20281c from main.
2024-07-17[5.0.x] Refs #30581 -- Made unattached UniqueConstraint(fields) validation ↵Simon Charette
testable. The logic allowing UniqueConstraint(fields).validate to preserve backward compatiblity with Model.unique_error_message failed to account for cases where the constraint might not be attached to a model which is a common pattern during testing. This changes allows for arbitrary UniqueConstraint(fields) to be tested in isolation without requiring actual models backing them up. Co-authored-by: Mark G <mark.gensler@protonmail.com> Backport of 13922580cccfb9ab2922ff4943dd39da56dfbd8c from main.
2024-07-15[5.0.x] Refs #35560 -- Corrected required feature flags in ↵Mariusz Felisiak
GeneratedModelUniqueConstraint. Backport of 2d3bb414cfb2778cc64f22e7203102d7389f81e6 from main.
2024-07-09[5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in ↵Sarah Boyce
get_supported_language_variant(). Language codes are now parsed with a maximum length limit of 500 chars. Thanks to MProgrammer for the report.
2024-07-09[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in ↵Natalia
Storage's save method. Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2024-07-09[5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09[5.0.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and ↵Adam Johnson
urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-08[5.0.x] Refs #35560 -- Corrected CheckConstraint argument name in ↵Mariusz Felisiak
model_fields tests.
2024-07-04[5.0.x] Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for ↵Mark Gensler
constraints. Accessing generated field values on unsaved models caused a crash when validating CheckConstraints and UniqueConstraints with expressions. Backport of 1005c2abd1ef0c156f449641e38c33e473989d37 from main.
2024-06-25[5.0.x] Refs #35059 -- Used asyncio.Event in ↵Carlton Gibson
ASGITest.test_asyncio_cancel_error to enforce specific interleaving. Sleep call leads to a hard to trace error in CI. Using an Event is more deterministic, and should be less prone to environment variations. Bug in 11393ab1316f973c5fbb534305750740d909b4e4. Backport of f4a08b6ddfcacadfe9ff8364bf1c6c54f5dd370f from main.
2024-05-04[5.0.x] Fixed #35426 -- Updated querysets to be a required argument of ↵sobolevn
GenericPrefetch. Backport of 9a27c76021f934201cccf12215514a3091325ec8 from main.
2024-05-03[5.0.x] Refs #35359 -- Fixed OperationTests.test_add_generate_field() test ↵Sarah Boyce
on PostgreSQL. Concat() in Django 5.0 is not immutable on PostgreSQL and cannot be used in GeneratedField, see 6364b6ee1071381eb3a23ba6b821fc0d6f0fce75.
2024-05-03[5.0.x] Fixed #35422 -- Fixed migrations crash when altering GeneratedField ↵Mariusz Felisiak
referencing rename field. Thanks Sarah Boyce for the report and Simon Charette for the implementation idea. Backport of 91a4b9a8ec2237434f06866f39c7977e889aeae6 from main.
2024-05-02[5.0.x] Fixed #35359 -- Fixed migration operations ordering when adding ↵DevilsAutumn
fields referenced by GeneratedField.expression. Thank you to Simon Charette for the review. Backport of 9aeb38c296c69532c7e64b5e3d706a5eb17b3f12 from main.
2024-05-02[5.0.x] Refs #34007, Refs #35359 -- Added Q.referenced_based_fields property.David Sanders
Thank you to Mariusz Felisiak and Natalia Bidart for the reviews. Backport of 97d48cd3c6f409584b5cc19fbddfca917bae78fd from main
2024-04-16[5.0.x] Fixed #35373 -- Fixed a crash when indexing a generated field on SQLite.Simon Charette
Generated fields have to be excluded from the INSERT query against the remade table including the index. Thanks Moshe Dicker for the report, David Sanders and Mariusz Felisiak for the review. Backport of d048f0d311cc9cb9578d687968f2d24a0a9efddb from main.
2024-04-12[5.0.x] Refs #35194 -- Adjusted a generated field test to work on Postgres ↵Simon Charette
15.6+. Postgres >= 12.18, 13.14, 14.11, 15.6, 16.2 changed the way the immutability of generated and default expressions is detected in postgres/postgres@743ddaf. The adjusted test semantic is presereved by switching from __icontains to __contains as both make use of a `%` literal which requires proper escaping. Refs #35336. Thanks bcail for the report. Backport of 73b62a21265c4a417004d64d13a896469e2558f3 from main.
2024-04-10[5.0.x] Fixed #35350 -- Fixed save() with pk set on models with GeneratedFields.Sarah Boyce
Thanks Matt Hegarty for the report and Simon Charette and Natalia Bidart for the reviews. Regression in f333e35. Backport of 8b53560eea9f10a1271d3bdf765dc6f969c7d9d5 from main.
2024-04-05[5.0.x] Refs #35336 -- Fixed SchemaTests.test_add_generated_field_contains() ↵Mariusz Felisiak
test on PostgreSQL. Concat() in Django 5.0 is not immutable on PostgreSQL and cannot be used in GeneratedField, see 6364b6ee1071381eb3a23ba6b821fc0d6f0fce75.
2024-04-02[5.0.x] Fixed #35336 -- Addressed crash when adding a GeneratedField with % ↵Simon Charette
literals. A longer term solution is likely to have a better separation of parametrized DDL altogether to handle checks, constraints, defaults, and generated fields but such a change would require a significant refactor that isn't suitable for a backport. Thanks Adrian Garcia for the report. Backport of 888b9042b3598bab6557c62de82505eec9ea62ed from main
2024-04-01[5.0.x] Fixed #35344, Refs #34838 -- Corrected output_field of resolved ↵Johannes Westphal
columns for GeneratedFields in aliased tables. Thanks Simon Charette for the review. Backport of 5f180216409d75290478c71ddb0ff8a68c91dc16 from main
2024-03-26[5.0.x] Fixed #35329 -- Fixed migrations crash when adding partial unique ↵Mariusz Felisiak
constraints with nulls_distinct. Bug in 595a2abb58e04caa4d55fb2589bb80fb2a8fdfa1. Thanks Lucas Lemke Saunitti for the report. Backport of b98271a6e42107233311d17f5d7bc74fbb47f22c from main
2024-03-14[5.0.x] Fixed #35273 -- Fixed rendering AdminFileWidget's attributes.Johannes Maron
Regression in 8a6c0203c4e92908c2b26ba54feba4ce7e76d081. Backport of e69019555d683fd6a831f87cb09e3deb86e4e7c7 from main
2024-03-08[5.0.x] Fixed #35223 -- Made Model.full_clean() ignore fields with ↵Ben Cail
db_default when validating empty values. Thanks Brian Ibbotson for the report. Regression in 7414704e88d73dafbcfbb85f9bc54cb6111439d3. Backport of 1570ef02f34037d32218d463342592debccf915c from main.
2024-03-04[5.0.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().Shai Berger
Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-02-29[5.0.x] Fixed #35198 -- Fixed facet filters crash on querysets with no ↵Shafiya Adzhani
primary key. Thanks Simon Alef for the report. Regression in 868e2fcddae6720d5713924a785339d1665f1bb9. Backport of a738281265bba5d00711ab62d4d37923764a27eb from main
2024-02-21[5.0.x] Fixed #35238 -- Fixed database serialization crash when base ↵AlexCLeduc
managers use prefetch_related(). Regression in 139135627650ed6aaaf4c755b82c3bd43f2b8f51 following deprecation in eedbf930287cb72e9afab1f7208c24b1146b0c4ec. Backport of a084c5d35a6d00abd261338a374a4424764b4aee from main
2024-02-15[5.0.x] Fixed #35173 -- Fixed ModelAdmin.lookup_allowed() for lookups on ↵Hisham Mahmood
foreign keys when not included in ModelAdmin.list_filter. Regression in f80669d2f5a5f1db9e9b73ca893fefba34f955e7. Thanks Sarah Boyce for the review. Backport of 8db593de05c3516c939b7d4b9eb91e8791f4c79a from main
2024-02-10[5.0.x] Refs #34900, Refs #34118 -- Updated assertion in ↵Daniel Garcia Moreno
test_skip_class_unless_db_feature() test on Python 3.12.2+. Python 3.12.2 bring back the skipped tests in the number of running tests. Refs https://github.com/python/cpython/commit/0a737639dcd3b7181250f5d56694b192eaddeef0 Backport of bc8471f0aac8f0c215b9471b594d159783bac19b from main
2024-02-08[5.0.x] Fixed #35174 -- Fixed Signal.asend()/asend_robust() crash when all ↵Vašek Dohnal
receivers are asynchronous. Regression in e83a88566a71a2353cebc35992c110be0f8628af. Backport of 1b5338d03ecc962af8ab4678426bc60b0672b8dd from main
2024-02-08[5.0.x] Fixed #35172 -- Fixed intcomma for string floats.Mariusz Felisiak
Thanks Warwick Brown for the report. Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9. Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main
2024-02-06[5.0.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ↵Adam Johnson
filter. Thanks Seokchan Yoon for the report. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Shai Berger <shai@platonix.com>
2024-02-04[5.0.x] Fixed #35149 -- Fixed crashes of db_default with unresolvable output ↵Simon Charette
field. Field.db_default accepts either literal Python values or compilables (as_sql) and wrap the former ones in Value internally. While 1e38f11 added support for automatic resolving of output fields for types such as str, int, float, and other unambigous ones it's cannot do so for all types such as dict or even contrib.postgres and contrib.gis primitives. When a literal, non-compilable, value is provided it likely make the most sense to bind its output field to the field its attached to avoid forcing the user to provide an explicit `Value(output_field)`. Thanks David Sanders for the report. Backport of e67d7d70fa10c06aca36b9057f82054eda45269d from main
2024-02-04[5.0.x] Refs #35149 -- Made equivalent db_default alterations noops.Simon Charette
This allows for an easier transition of preserving the literal nature of non-compilable db_default. Backport of fe1cb62f5c3f87fafc4a6b52fee2ccc6c80c41e2 from main
2024-02-04[5.0.x] Fixed #35162 -- Fixed crash when adding fields with db_default on MySQL.Simon Charette
MySQL doesn't allow literal DEFAULT values to be used for BLOB, TEXT, GEOMETRY or JSON columns and requires expression to be used instead. Regression in 7414704e88d73dafbcfbb85f9bc54cb6111439d3. Backport of dfc77637ea5c1aa81caa72b1cf900e6931d61b54 from main