summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2025-09-03[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-13[5.1.x] Fixed #36499 -- Adjusted ↵Natalia
utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior. Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db. Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
2025-08-13[5.1.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following ↵Natalia
Python's HTMLParser fixed parsing. Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3. Refs #36499. Thank you Clifford Gama for the thorough review! Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
2025-08-04[5.1.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.Natalia
2025-06-06[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ↵Jake Howard
logging. Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06[5.1.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use ↵Natalia
log_response() for consistency. Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-06[5.1.x] Refactored logging_tests to reuse assertions for log records.Natalia
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
2025-06-04[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-05-22[5.1.x] Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`. Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22[5.1.x] Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-06[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-04-23[5.1.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-23[5.1.x] Fixed warnings per flake8 7.2.0.Mariusz Felisiak
https://github.com/PyCQA/flake8/releases/tag/7.2.0 Backport of 281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 from main.
2025-04-07[5.1.x] Fixed #36298 -- Truncated the overwritten file content in ↵Sarah Boyce
file_move_safe(). Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c. Thanks Baptiste Mispelon for the report. Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
2025-04-02[5.1.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
2025-03-25[5.1.x] Pinned black == 24.10.0 in GitHub actions, pre-commit and test ↵Sarah Boyce
requirements.
2025-03-12[5.1.x] Fixed #36234 -- Restored single_object argument to ↵Adam Johnson
LogEntry.objects.log_actions(). Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for your spot on analysis. Regression in c09bceef68e5abb79accedd12dade16aa6577a09, which is partially reverted in this branch. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 27b68bcadf1ab2e9f7fd223aed42db352ccdc62d from main.
2025-03-06[5.1.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template ↵Sarah Boyce
filter. Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-03-04[5.1.x] Fixed #36217 -- Restored pre_save/post_save signal emission via ↵antoliny0919
LogEntry.save() for single-object deletion in the admin. Regression in 40b3975e7d3e1464a733c69171ad7d38f8814280. Thanks smiling-watermelon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of c09bceef68e5abb79accedd12dade16aa6577a09 from main.
2025-02-18[5.1.x] Fixed #36197 -- Fixed improper many-to-many count() and exists() for ↵Simon Charette
non-pk to_field. Regression in 66e47ac69a7e71cf32eee312d05668d8f1ba24bb. Thanks mfontana-elem for the report and Sarah for the tests. Backport of c3a23aa02faa1cf1d32e43d66858e793cd9ecac4 from main.
2025-02-17[5.1.x] Fixed #36191 -- Truncated the overwritten file content in ↵Gaël Utard
FileSystemStorage. Backport of 0d1dd6bba0c18b7feb6caa5cbd8df80fbac54afd from main.
2025-02-13[5.1.x] Fixed #36182 -- Returned "?" if all parameters are removed in ↵Sarah Boyce
querystring template tag. Thank you to David Feeley for the report and Natalia Bidart for the review. Backport of 05002c153c5018e4429a326a6699c7c45e5ea957 from main.
2025-02-01[5.1.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non required ↵nessita
password fields. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review. Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
2025-01-15[5.1.x] Fixed #36098 -- Fixed ↵Mariusz Felisiak
validate_ipv6_address()/validate_ipv46_address() crash for non-string values. Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf. Backport of b3c5830769d8a5dbf2f974da7116fe503c9454d9 from main.
2025-01-14[5.1.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.Michael Manfre
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-12-17[5.1.x] Fixed #34856 -- Fixed references to index_together in historical ↵Andrés Reverón Molina
migrations. While AlterUniqueTogether has been documented to be still allowed in historical migrations for the foreseeable future it has been crashing since 2abf417c815c20 was merged because the latter removed support for Meta.index_together which the migration framework uses to render models to perform schema changes. CreateModel(options["unique_together"]) was also affected. Refs #27236. Co-authored-by: Simon Charette <charette.s@gmail.com> Backport of b44efdfe543c9b9f12690b59777e6b275cb08103 from main.
2024-12-16[5.1.x] Refs #29850 -- Removed obsolete ↵Tim Graham
test_window_frame_raise_not_supported_error. This NotSupportedError was removed in 6375cee490725969b4f67b3c988ef01350c1ad6d because it will never be reached due to the same exception raised by Window.as_sql(). Backport of 94436dee57ce677e6ffcbb0438e0441d5c261d62 from main.
2024-12-04[5.1.x] Fixed CVE-2024-53908 -- Prevented SQL injections in direct ↵Simon Charette
HasKeyLookup usage on Oracle. Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
2024-12-04[5.1.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-12-02[5.1.x] Fixed #35950 -- Restored refreshing of relations when fields deferred.Adam Johnson
Thank you to Simon Charette and Sarah Boyce for the review. Regression in 73df8b54a2fab53bec4c7573cda5ad8c869c2fd8. Backport of 2f6b096b83c55317c7ceef2d8d5dc3bee33293dc from main.
2024-11-26[5.1.x] Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when ↵Tommy Allen
username is unavailable. Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews. Backport of c635decb00ac957daf81c08541cdc9cf46f6d86d from main.
2024-10-31[5.1.x] Fixed #35876 -- Displayed non-ASCII fieldset names when rendering ↵Sarah Boyce
ModelAdmin.fieldsets. Thank you to Namhong Kim for the report, and to Mariusz Felisiak and Marijke Luttekes for the review. Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d. Backport of 2c029c718f45341cdd43ee094c24488743c633e6 from main.
2024-10-30[5.1.x] Refs #35844 -- Expanded compatibility for expected error messages in ↵Tainara Palmeira
command tests on Python 3.12 and 3.13. Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to use assertRaisesRegex() for compatibility with modified error messages in Python 3.12, 3.13, and 3.14+.. Backport of fc22fdd34f1e55adde161f5f2dca8db90bbfce80 from main.
2024-10-17[5.1.x] Fixed #35841 -- Restored support for DB-IP databases in GeoIP2.Nick Pope
Thanks Felix Farquharson for the report and Claude Paroz for the review. Regression in 40b5b1596f7505416bd30d5d7582b5a9004ea7d5. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 3fad712a91a8a8f6f6f904aff3d895e3b06b24c7 from main.
2024-10-17[5.1.x] Refs #35841 -- Adjusted GeoIP2 tests for easier test case extension.Nick Pope
These changes will make it easier to introduce tests for alternate databases that may have different results without the need to duplicate lots of the tests definition. Backport of 5873f10177ebda66d38e698218cf85dc6397e7d9 from main.
2024-10-17[5.1.x] Refs #35841 -- Updated GeoIP2 test database files.Nick Pope
The mmdb files were taken from https://github.com/maxmind/MaxMind-DB/commit/679e37e18a4a3009949c2213ec2c0bb8090c10c7. Backport of c37f249ffa4b735d1492cda11981dedb947ee437 from main.
2024-10-17[5.1.x] Fixed #35845 -- Updated DomainNameValidator to require entire string ↵Justin Thurman
to be a valid domain name. Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457. Thank you to kazet for the report and Claude Paroz for the review. Backport of 99dcc59237f384d7ade98acfd1cae8d90e6d60ab from main.
2024-10-08[5.1.x] Fixed #35809 -- Set background color for selected rows in the ↵nessita
admin's form select widget. Regression in b47bdb4cd9149ee2a39bf1cc9996a36a940bd7d9. Thank you Giannis Terzopoulos for the review, and Tom Carrick and Sarah Boyce for the review. Backport of 679d57816d716cbc7cff3b364ae265d70444ebd9 from main.
2024-09-11[5.1.x] Fixed #35732 -- Wrapped ConcatPair expression in parentheses to ↵Gastón Avila
ensure operator precedence. When ConcatPair was updated to use || this lost the implicit wrapping from CONCAT(...). This broke the WHERE clauses when used in combination with PostgreSQL trigram similarity. Regression in 6364b6ee1071381eb3a23ba6b821fc0d6f0fce75. Backport of c3ca6075cc0ad425bcf905fe14062f38eb9fbcbf from main. Co-authored-by: Emiliano Cuenca <106986074+emicuencac@users.noreply.github.com>
2024-09-05[5.1.x] Fixed #32831 -– Allowed cache tests to be retried via a new ↵Wassef Ben Ahmed
"retry" decorator. Backport of 957c54d945fedb58febff05e4ce82377cc43f9f4 from main.
2024-09-03[5.1.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵Natalia
email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-03[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and ↵Sarah Boyce
urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-30[5.1.x] Fixed #35716 -- Fixed VariableDoesNotExist when rendering admin ↵Sarah Boyce
fieldsets. Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d. Thank you to Fábio Domingues and Marijke Luttekes for the report, and thank you to Natalia Bidart for the review. Backport of fd1dd767783b5a7ec1a594fcc5885e7e4178dd26 from main.
2024-08-28[5.1.x] Fixed #35688 -- Restored timezone and role setters to be PostgreSQL ↵Sarah Boyce
DatabaseWrapper methods. Following the addition of PostgreSQL connection pool support in Refs #33497, the methods for configuring the database role and timezone were moved to module-level functions. This change prevented subclasses of DatabaseWrapper from overriding these methods as needed, for example, when creating wrappers for other PostgreSQL-based backends. Thank you Christian Hardenberg for the report and to Florian Apolloner and Natalia Bidart for the review. Regression in fad334e1a9b54ea1acb8cce02a25934c5acfe99f. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 7380ac57340653854bc2cfe0ed80298cdac6061d from main.
2024-08-28[5.1.x] Fixed #35666 -- Documented stacklevel usage and testing, and ↵Simon Charette
adjusted test suite accordingly. Over the years we've had multiple instances of hit and misses when emitting warnings: either setting the wrong stacklevel or not setting it at all. This work adds assertions for the existing warnings that were declaring the correct stacklevel, but were lacking tests for it. Backport of 57307bbc7d88927989cf5b314f16d6e13ade04e6 from main.
2024-08-28[5.1.x] Refs #35405 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FieldCacheMixin.get_cache_name(). Backport of 39abd56a7fb1e2f735040df0fdfc08f57d91a49b from main.
2024-08-28[5.1.x] Refs #35326 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
FileSystemStorage.OS_OPEN_FLAGS. Backport of 47f18a722624527cc72eef44cfc9d1e07ea4b4e0 from main.
2024-08-28[5.1.x] Refs #35060 -- Adjusted deprecation warning stacklevel in ↵Simon Charette
Model.save()/asave(). Backport of 52ed2b645e1dd8c9a874cfd21c4c9f2500032626 from main.
2024-08-28[5.1.x] Refs #34900 -- Updated requirements for Python 3.13.Mariusz Felisiak
Backport of 07a4d23283586bc4578eb9c82a7ad14af3724057 from main.
2024-08-27[5.1.x] Refs #34609 -- Fixed deprecation warning stack level in format_html().Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com> Backport of 2b71b2c8dcd40f2604310bb3914077320035b399 from main.