summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2025-10-01[5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal ↵Sarah Boyce
via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
2025-10-01[5.2.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-18[5.2.x] Fixed OGRInspectTest.test_time_field with memory Spatialite database.David Smith
Backport of 82b3b84a78055844ee07d5d97843a4fc72872e28 from main.
2025-09-17[5.2.x] Fixed #36601 -- Fixed color contrast of FilteredSelectMultiple ↵antoliny0919
widget chosen labels in TabularInlines. Regression in a0f50c2a483678d31bd1ad6f08fd3a0b8399e27b. Backport of 1e7728888dbbff437ad9847c82b84feb81f785df from main.
2025-09-03[5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL ↵Jake Howard
injection in column aliases. Thanks Eyal Gabay (EyalSec) for the report. Backport of 51711717098d3f469f795dfa6bc3758b24f69ef7 from main.
2025-08-29[5.2.x] Fixed #36431 -- Returned tuples for multi-column ForeignObject in ↵SaJH
values()/values_list(). Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com> Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main
2025-08-22[5.2.x] Refs #35530 -- Corrected deprecation message in auth.alogin().Mariusz Felisiak
Follow up to ceecd518b19044181a3598c55ebed7c2545963cc. Backport of b3166e1e15824aedb7a609dfda18ef36ea023d06 from main.
2025-08-13[5.2.x] Fixed #36499 -- Adjusted ↵Natalia
utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior. Python fixed a quadratic complexity processing for HTMLParser in: https://github.com/python/cpython/commit/6eb6c5db. Backport of 2980627502c84a9fd09272e1349dc574a2ff1fb1 from main.
2025-08-13[5.2.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following ↵Natalia
Python's HTMLParser fixed parsing. Further details about Python changes can be found in: https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3. Refs #36499. Thank you Clifford Gama for the thorough review! Backport of e4515dad7a6d953c0bd2414127ba36e1446ff41a from main.
2025-08-13[5.2.x] Refs #34378, #36143, #36416 -- Fixed isolation of ↵Jacob Walls
LookupTests.test_in_bulk_preserve_ordering_with_batch_size(). `max_query_params` is a property, so it must be patched on the class. Backport of a68e8565cdd4fc3f8b738fc516095dab142b9d65 from main.
2025-08-05[5.2.x] Fixed #36530 -- Extended fields.E347 to check for ManyToManyField ↵jkhall81
involving CompositePrimaryKey on either side. Thanks to Jacob Walls for the report. Backport of 2013092b693be0ebdf36f41dc61615a2de1bbe31 from main.
2025-08-04[5.2.x] Fixed #34871, #36518 -- Implemented unresolved lookups expression ↵Simon Charette
replacement. This allows the proper resolving of lookups when performing constraint validation involving Q and Case objects. Thanks Andrew Roberts for the report and Sarah for the tests and review. Backport of 079d31e698fa08dd92e2bc4f3fe9b4817a214419 from main.
2025-08-04[5.2.x] Fixed #36198 -- Implemented unresolved transform expression replacement.Simon Charette
This allows the proper resolving of F("field__transform") when performing constraint validation. Thanks Tom Hall for the report and Sarah for the test. Prerequisite for #36518. Backport of fc303551077c3e023fe4f9d01fc1b3026c816fa4 from main.
2025-07-28[5.2.x] Fixed #36522 -- Added support for filtering composite pks using a ↵Simon Charette
tuple of expressions. Thanks Jacob Walls for the report, and Sarah Boyce and Mariusz Felisiak for reviews. Backport of 0a4999b422702c64e21f5a10a4d60300b7074401 from main.
2025-07-16[5.2.x] Added SimpleTestCase.enterContext() on Python < 3.11.Natalia
This reverts commit 47a618d45c6e40dd59f4cdd46fd5fc7d11626f6d and uses a solution similar to ed4f83782d9f3404ad600f6131ef78244ff1e162 instead.
2025-07-10[5.2.x] Fixed #36502 -- Restored UNNEST strategy for foreign key bulk ↵Simon Charette
inserts on PostgreSQL. Regression in 764af7a3d6c0b543dcf659a2c327f214da768fe4. Backport of 0fe218842e0e396e3ab3982bd21227968a9e7fd8 from main.
2025-07-02Fixed AttributeError for enterContext() on Python < 3.11.Natalia
On Jenkins with Python 3.10: Traceback (most recent call last): File "[...]/python3.10/tests/composite_pk/test_filter.py", line 559, in setUp self.enterContext(feature_patch) AttributeError: 'CompositePKFilterTupleLookupFallbackTests' object has no attribute 'enterContext'
2025-06-30[5.2.x] Fixed #36464 -- Fixed "__in" tuple lookup on backends lacking native ↵Simon Charette
support. When native support for tuple lookups is missing in a DB backend, it can be emulated with an EXISTS clause. This is controlled by the backend feature flag "supports_tuple_lookups". The mishandling of subquery right-hand side in `TupleIn` (added to support `CompositePrimaryKey` in Refs #373) was likely missed because the only core backend we test with the feature flag disabled (Oracle < 23.4) supports it natively. Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls, and Natalia Bidart for reviews. Backport of 192bc7a7be92e20cc250907fb4083df689715679 from main.
2025-06-16[5.2.x] Fixed #36453 -- Made When.condition resolve with for_save=False.Clifford Gama
Value(None, JSONField()) when used in When.condition incorrectly resolved with for_save=True, resulting in the value being serialized as SQL NULL instead of JSON null. Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940. Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes for the review. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 104cbfd44b9eff010daf0ef0e1ce434385855b13 from main.
2025-06-16[5.2.x] Fixed #36447 -- Selected preferred media type based on quality.Jake Howard
When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report. Backport of 12c1557060fc94fe5e1fbddc4578a4e29d38f77c from main.
2025-06-10[5.2.x] Refs #36419 -- Fixed BulkUpdateTests.test_json_field_sql_null() ↵Mariusz Felisiak
crash on Oracle. Follow up to c1fa3fdd040718356e5a3b9a0fe699d73f47a940. Backport of f5441e42da691ee2e7aeeb9be70f98e2bce6d17d from main.
2025-06-09[5.2.x] Fixed #36446 -- Restored "q" in internal MediaType.params property.Natalia
The "q" key was removed while addressing ticket #36411. Despite `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Backport of cf5f36bf903a2854f5e395149cee707115b83744 from main.
2025-06-06[5.2.x] Fixed #36419 -- Ensured for_save was propagated when resolving ↵Clifford Gama
expressions. The for_save flag wasn't properly propagated when resolving expressions, which prevented get_db_prep_save() from being called in some cases. This affected fields like JSONField where None would be saved as JSON null instead of SQL NULL. Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9. Thanks to David Sanders and Simon Charette for reviews. Co-authored-by: Adam Johnson <me@adamj.eu> Backport of c1fa3fdd040718356e5a3b9a0fe699d73f47a940 from main.
2025-06-06[5.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response ↵Jake Howard
logging. Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
2025-06-06[5.2.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use ↵Natalia
log_response() for consistency. Backport of ff835f439cb1ecd8d74a24de12e3c03e5477dc9d from main.
2025-06-06[5.2.x] Refactored logging_tests to reuse assertions for log records.Natalia
Backport of 9d72e7daf7299ef1ece56fd657a02f77a469efe9 from main.
2025-06-04[5.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-06-04[5.2.x] Fixed #36432 -- Fixed a prefetch_related crash on related target ↵Simon Charette
subclass queryset. Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report. Backport of 08187c94ed02c45ad40a32244dedeaa7ac71ca87 from main.
2025-06-03[5.2.x] Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media ↵Jake Howard
type parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews. Backport of c075508b4de8edf9db553b409f8a8ed2f26ecead from main.
2025-06-03[5.2.x] Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in ↵Jacob Walls
id_list. Backport of 26313bc21932d0d3af278ab387549d63b1f64575 from main.
2025-06-02[5.2.x] Fixed #36423 -- Prevented filter_horizontal buttons from ↵Blayze
intercepting form submission. In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a. Backport of 90429625a85f1f77dfea200c91bd2dabab57974f from main.
2025-05-23[5.2.x] Fixed #36405 -- Fixed OrderableAggMixin.order_by using OuterRef.Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com> Backport of c2615a050036eda0bca090c707191076220cee9f from main.
2025-05-23[5.2.x] Fixed #36404 -- Fixed Aggregate.filter using OuterRef.Adam Johnson
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com> Backport of b8e5a8a9a2a767f584cbe89a878a42363706f939 from main.
2025-05-23[5.2.x] Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review. Backport of 1704c49a9b149b66b6a0e67abc8c95293bc35649 from main.
2025-05-22[5.2.x] Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`. Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22[5.2.x] Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-19[5.2.x] Fixed #36388 -- Made QuerySet.union() return self when called with ↵Colleen Dunlap
no arguments. Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review. Backport of 802baf5da5b8d8b44990a8214a43b951e7ab8b39 from main.
2025-05-16[5.2.x] Fixed #36392 -- Raised ValueError when subquery referencing ↵Jacob Walls
composite pk selects too many columns. Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main.
2025-05-12[5.2.x] Fixed #36373 -- Fixed select_related() crash on foreign object for a ↵Simon Charette
composite pk. Thanks Jacob Walls for the report and Sarah for the in-depth review. Backport of 8be0c0d6901669661fca578f474cd51cd284d35a from main.
2025-05-06[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-05-06[5.2.x] Refs #36052, #32234 -- Fixed inspectdb tests for CompositePrimaryKey ↵Mariusz Felisiak
on Oracle. Tests regression in 4c75858135589f3a00e32eb4d476074536371a32. Backport of dd133054cb98f77577c06d7ef1f2391a865784bc from main
2025-04-30[5.2.x] Fixed #36357 -- Skipped unique_together in inspectdb output for ↵Baptiste Mispelon
composite primary keys. Thanks to Baptiste Mispelon for the report and quick fix, and to Simon Charette and Jacob Walls for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
2025-04-30[5.2.x] Fixed #36358 -- Corrected introspection of composite primary keys on ↵Simon Charette
SQLite. Previously, any first field of a composite primary key with type `INTEGER` was incorrectly introspected as an `AutoField` due to SQLite treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`. This change ensures that integer fields in composite PKs are not mistaken for auto-incrementing fields. Thanks Jacob Walls and Sarah Boyce for the reviews. Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
2025-04-30[5.2.x] Refs #36052, #32234 -- Removed ↵Simon Charette
create_test_table_with_composite_primary_key flag in favor of using CompositePrimaryKey. Now that Django properly supports creating models with composite primary keys, the tests should use a `CompositePrimaryKey` field instead of a feature flag to inline backend specific SQL for creating a composite PK. Specifcially, the inspectdb's test_composite_primary_key was adjusted to use schema editor instead of per-backend raw SQL. Backport of 4c75858135589f3a00e32eb4d476074536371a32 from main.
2025-04-30[5.2.x] Fixed #36360 -- Fixed QuerySet.update() crash when referring ↵Simon Charette
annotations through values(). The issue was only manifesting itself when also filtering againt a related model as that forces the usage of a subquery because SQLUpdateCompiler doesn't support the UPDATE FROM syntax yet. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Gav O'Connor for the detailed report. Backport of 8ef4e0bd423ac3764004c73c3d1098e7a51a2945 from main.
2025-04-29[5.2.x] Used addCleanup() instead of try-finally blocks in inspectdb tests.Baptiste Mispelon
Backport of 2722cb61ccae84f593e6d2c28814e3c628743994 from main.
2025-04-24[5.2.x] Fixed #36309 -- Made email alternatives and attachments pickleable.nessita
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b. Thanks Florent Messa for the report, and Jake Howard and Claude Paroz for the review. Backport of 0596263c3136bc26cffa670e5322bd0aa56c4d34 from main.
2025-04-23[5.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-22[5.2.x] Fixed #36331 -- Reverted "Fixed #36055 -- Prevented overlap of ↵antoliny0919
object-tools buttons and page header in the admin." This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and 02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression in admin sites that relied on the `object-tools` block being inside the `content` block. Thank you to Fabian Braun for the report. Backport of 1bc805e23b73a580b82a1d416ab0fb59a1073047 from main.
2025-04-17[5.2.x] Fixed #36314 -- Fixed MinimumLengthValidator error message translation.Ahmed Nassar
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa. Thank you Gabriel Trouvé for the report and Claude Paroz for the review. Backport of d469db978ea6a705549b9519313d9adc198e4232 from main.