chango.git - django

Age	Commit message (Collapse)	Author
2026-03-03	[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions ↵	Natalia
	on file system object creation. This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
2026-03-03	[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.	Natalia
	This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
2026-03-02	[6.0.x] Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is ↵	Jacob Walls
	imported by namespace. Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
2026-02-25	[6.0.x] Fixed #36951 -- Removed empty exc_info from log_task_finished signal ↵	Elias Hernandis
	handler. Before, if no exception occurred, "None Type: None" was logged. Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
2026-02-25	[6.0.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit ↵	Natalia
	references from HTML truncation docs. Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
2026-02-24	[6.0.x] Applied Black's 2026 stable style.	Mariusz Felisiak
	https://github.com/psf/black/releases/tag/26.1.0 Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
2026-02-20	[6.0.x] Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.	usman
	Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
2026-02-10	[6.0.x] Fixed #36903 -- Fixed further NameErrors when inspecting functions ↵	93578237
	with deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
2026-02-03	[6.0.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation ↵	Jacob Walls
	aliases contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
2026-02-03	[6.0.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via ↵	Jacob Walls
	aliases with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.
2026-02-03	[6.0.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column ↵	Jake Howard
	aliases via control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
2026-02-03	[6.0.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵	Natalia
	django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
2026-02-03	[6.0.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField ↵	Jacob Walls
	lookups via band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review. Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
2026-02-03	[6.0.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI ↵	Jake Howard
	requests. Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews. Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
2026-02-03	[6.0.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in ↵	Jake Howard
	mod_wsgi auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
2026-02-02	[6.0.x] Fixed #36788 -- Fixed horizontal form field alignment under ↵	Jacob Walls
	<fieldset> in the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of b665a67d61a8a4fd2ad85aeb77282bc49541723f from main.
2026-01-29	[6.0.x] Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().	Nilesh Kumar Pahari
	Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report. Backport of fe189dc43ab3eddbbceefb6834893b73ca60d5ed from main.
2026-01-26	[6.0.x] Fixed #36850 -- Prevented admin filter sidebar from wrapping below ↵	Nilesh Kumar Pahari
	the changelist. Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d. Backport of e92d1e3b7858981185e93d717c5727544d66b66e from main.
2026-01-05	[6.0.x] Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed ↵	Jacob Walls
	permissions upon model renaming in migrations." This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04. Backport of 030c63d329c4814da221528e823a4aaaaa40e4f1 from main.
2025-12-31	[6.0.x] Refs #33647 -- Fixed silent data truncation in bulk_create on Postgres.	Simon Charette
	Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491. The UNNEST strategy is affected by the same problem bulk_update has wrt/ to silent data truncation due to its usage of db_type which always returns a parametrized subtype. Backport of d6ae2ed868e43671afc4d433c3d8f4d27f7eb555 from main.
2025-12-31	[6.0.x] Fixed #36829 -- Reverted value of ClearableFileInput.use_fieldset to ↵	Johannes Maron
	True. There was unresolved discussion regarding whether to set ClearableFileInput.use_fieldset to True or False when use_fieldset was introduced in Django 4.1, since the clear checkbox appears only sometimes. Although using <fieldset> is likely desirable, since the primary motivation in #35892 was just to improve markup in the admin, and a deprecation path was not provided for general form usage, future work is deferred to #36828. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Thanks Tim Graham, Antoliny, and David Smith for triage.
2025-12-26	[6.0.x] Fixed #36796 -- Handled lazy routes correctly in RoutePattern.match().	kundan223
	Coerce lazy route values to `str` at match time to support prefix and endpoint matching when using `gettext_lazy()` route paths. Regression in f920937c8a63df6bea220e4386f59cdb45b2e355. Thanks to Andrea Angelini for the report, and to Jake Howard and Jacob Walls for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 7bf3ac3ee255bcfe329e3203c7a2555b1275d506 from main.
2025-12-24	[6.0.x] Refs #36810 -- Avoided infinite recursion in LazyNonce.__repr__().	Sean Reed
	Moved nonce generation in ``django.utils.csp.LazyNonce`` to a function to avoid infinite recursion in ``SimpleLazyObject.__repr__`` for unevaluated instances. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 165c3599965e63f88649a46fcc2ff681c52f2f66 from main.
2025-12-22	[6.0.x] Fixed #36807 -- Fixed form field alignment under <fieldset> in the ↵	Jacob Walls
	admin. It isn't safe to set display: flex on <fieldset>, because on Safari this interferes with display: block on child divs. Thanks Paulo Coutinho for the report and Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 1eac2659a102d42490f9401b08782633fa51f3e3 from main.
2025-12-22	[6.0.x] Fixed #36818 -- Ensured SQLite connection before accessing ↵	guro-Ishiguro
	max_query_params. Regression in 358fd21c47cdf7bda520ce73c5cfd82bba57827b. Backport of 84bae9c22a8ae7663c56cce5e0c611ea7c17fce1 from main.
2025-12-22	[6.0.x] Fixed #36376 -- Fixed --no-color for command help in Python 3.14+.	Skyiesac
	https://github.com/python/cpython/pull/136809 made `color` default to True in ArgumentParser. Backport of d0d85cd165e54582cce98cf685252e771460a9d4 from main.
2025-12-16	[6.0.x] Fixed #36800 -- Restored ManyToManyField renaming in ↵	Clifford Gama
	BaseDatabaseSchemaEditor.alter_field(). Regression in f9a44cc0fac653f8e0c2ab1cdfb12b2cc5c63fc2. Now that ManyToManyField is no longer concrete the decision of whether or not it should be altered, which is also relied on by field renaming, should take into consideration name changes even if it doesn't have a column associated with it, as auto-created many-to-many relationship table names are a base of it. Note that there is room for optimization here where a rename can be entirely avoided if ManyToManyField.db_table remains stable between .name changes, just like we do with Field.db_column remaining stable, but since this is a regression and meant to be backported the current patch focuses on correctness over further improvements. Thanks Josik for the report. Co-authored-by: Simon Charette <charette.s@gmail.com> Backport of 6cc1231285a20b11058143f8cb0a6b4b3999b23a from main.
2025-12-15	[6.0.x] Fixed #36783 -- Ensured proper handling of multi-value QueryDicts in ↵	Marc Gibbons
	querystring template tag. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 922c4cf972e04b1ce7ecee592231106724dcfd09 from main.
2025-12-11	[6.0.x] Refs #27890 -- Avoided overwriting TMPDIR in runtests.py under ↵	Jacob Walls
	forkserver mode. This variable should only be set once. Under forkserver, this module was getting executed multiple times, causing nested temporary dirs that didn't clean up properly, raising FileNotFoundError. This similar to #27890 although a slightly different cause. Backport of cd6278c4c09e4af9b2988d585b372d9abeeb63ee from main.
2025-12-11	[6.0.x] Refs #36499 -- Adjusted test_strip_tags following Python behavior ↵	Jacob Walls
	change for incomplete entities. Backport of 7b80b2186300620931009fd62c2969f108fe7a62 from main.
2025-12-02	[6.0.x] Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.	Mariusz Felisiak

2025-12-02	[6.0.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation ↵	Shai Berger
	in XML serializer. Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
2025-12-02	[6.0.x] Fixed CVE-2025-13372 -- Protected FilteredRelation against SQL ↵	Jacob Walls
	injection in column aliases on PostgreSQL. Follow-up to CVE-2025-57833. Thanks Stackered for the report, and Simon Charette and Mariusz Felisiak for the reviews. Backport of 5b90ca1e7591fa36fccf2d6dad67cf1477e6293e from main.
2025-12-02	[6.0.x] Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.	Νικόλαος-Διγενής Καραγιάννης
	Backport of cb1d2854ed2b13799f2b0cc6e04019df181bacd4 from main
2025-12-01	[6.0.x] Fixed #36712 -- Evaluated type annotations lazily in template tag ↵	Jacob Walls
	registration. Ideally, this will be reverted when an upstream solution is available for https://github.com/python/cpython/issues/141560. Thanks Patrick Rauscher for the report and Augusto Pontes for the first iteration and test. Backport of 34186e731ca20a2344b1f88fd543a854d6b13a00 from main.
2025-12-01	[6.0.x] Closed temporary files in ↵	Jacob Walls
	OverwritingStorageTests.test_save_overwrite_behavior_temp_file(). Backport of a08f1693f37e9aae9eca395020cce0638cb5aa5f from main.
2025-12-01	[6.0.x] Refs #35535 -- Used intended decorator in ↵	Jacob Walls
	test_simple_block_tag_parens(). Backport of e94b19f6abdda70689aa17e399ce5fdef7897674 from main.
2025-11-26	[6.0.x] Fixed #36743 -- Increased URL max length enforced in ↵	varunkasyap
	HttpResponseRedirectBase. Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
2025-11-24	[6.0.x] Corrected assertions for True/False results in ↵	Jake Howard
	tests/auth_tests/test_handlers.py. Backport of d08ae991a83950aba5043f5a34f5af12d2effe9e from main.
2025-11-24	[6.0.x] Fixed #36751 -- Fixed empty filtered aggregation crash over ↵	Simon Charette
	annotated queryset. Regression in b8e5a8a9a2a767f584cbe89a878a42363706f939. Refs #36404. The replace_expressions method was innapropriately dealing with falsey but not None source expressions causing them to also be potentially evaluated when __bool__ was invoked (e.g. QuerySet.__bool__ evaluates the queryset). The changes introduced in b8e5a8a9a2, which were to deal with a similar issue, surfaced the problem as aggregation over an annotated queryset requires an inlining (or pushdown) of aggregate references which is achieved through replace_expressions. In cases where an empty Q object was provided as an aggregate filter, such as when the admin facetting feature was used as reported, it would wrongly be turned into None, instead of an empty WhereNode, causing a crash at aggregate filter compilation. Note that the crash signature differed depending on whether or not the backend natively supports aggregate filtering (supports_aggregate_filter_clause) as the fallback, which makes use Case / When expressions, would result in a TypeError instead of a NoneType AttributeError. Thanks Rafael Urben for the report, Antoliny and Youngkwang Yang for the triage. Backport of 2a6e0bd72d4a69725b957d6748a4b834f21b12b5 from main
2025-11-20	[6.0.x] Fixed #36748 -- Filtered non-standard placeholders from UNNEST queries.	Chris Wesseling
	Backport of 5834643f43a767fe19f2c6d10217b204e7584ec8 from main.
2025-11-18	[6.0.x] Fixed #36733 -- Escaped attributes in Stylesheet.__str__().	varunkasyap
	Thanks Mustafa Barakat for the report, Baptiste Mispelon for the triage, and Jake Howard for the review. Backport of e05f2a75695b5f5faa7682d4053db4776d4d6f93 from main.
2025-11-18	[6.0.x] Fixed #36141 -- Checked for applied replaced migrations recursively.	Georgi Yanchev
	Regression in 64b1ac7292c72d3551b2ad70b2a78c8fe4af3249. Backport of b07298a73a8d444b3618aad8005055bee5ead8cb from main.
2025-11-13	[6.0.x] Fixed #36730 -- Fixed constraint validation crash for excluded FK ↵	Adam Johnson
	attnames. Regression in e44e8327d3d88d86895735c0e427102063ff5b55. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> Backport of abfa4619fb818ff694c22e962a280673e085239e from main
2025-11-10	Refs #36680 -- Avoided manipulating PATH in AdminScriptTestCase.	Jacob Walls
	This mostly reverts 6436ec321073bf0622af815e0af08f54c97f9b30, which was fragile. Instead, if black is present, we use it to format the expected and actual results, instead of hard-coding the expected formatted value. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-11-05	[6.0.x] Fixed #36710 -- Fixed a regression in urlize for multipart domain names.	Mehraz Hossain Rumman
	Thanks Mehraz Hossain Rumman for the report and Bruno Alla for the triage. Regression in a9fe98d5bd4212d069afe8316101984aadecfbb2. Backport of 125b63ca745bace1e098ed3c7362d59136f68a8b from main.
2025-11-05	[6.0.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on ↵	Jacob Walls
	dictionary expansion. Backport of 3c3f46357718166069948625354b8315a8505262 from main.
2025-11-05	[6.0.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via ↵	Jacob Walls
	the _connector kwarg. Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of 98e642c69181c942d60a10ca0085d48c6b3068bb from main.
2025-11-05	[6.0.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵	Jacob Walls
	HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2025-11-04	[6.0.x] Fixed #36704 -- Fixed system check error for proxy model with a ↵	Hal Blackburn
	composite pk. Proxy models subclassing a model with a CompositePrimaryKey were incorrectly reporting check errors because the check that requires only local fields to be used in a composite pk was evaluated against the proxy subclass, which has no fields. To fix this, composite pk field checks are not evaluated against proxy subclasses, as none of the checks are applicable to proxy subclasses. This also has the benefit of not double-reporting real check errors from an invalid superclass pk. Thanks Clifford Gama for the review. Backport of 74564946c3b42a2ef7d087047e49873847a7e1d9 from main.