| Age | Commit message (Collapse) | Author |
|---|
|
Backport of 8726605e2d48fd733ae224344a11cc2163012f2d from main.
|
|
Backport of e8c6322b4f2ab4df610bb480003a54c88f32210e from main.
|
|
As originally written, this test interfered with
admin_views.tests.SeleniumTests.test_inline_uuid_pk_add_with_popup.
To fix this, register the new ModelAdmin with a different AdminSite.
Backport of 280256499c5b2d636949f3c8cb52159a8e4c26bb from main.
|
|
The artifacts downloaded from media.djangoproject.com use a lowercase
"django-" prefix but the script searched for capital D. Error was:
"ls: cannot access 'Django-*.tar.gz': No such file or directory"
The tarball and wheel smoke-tests used the same `test_one` folder inside
the same working directory, so the second invocation failed with
"CommandError: '/tmp/tmp.1234567890' already exists".
Backport of 78a3ffbb4cec25ed003f16cf4b1aa0b4bcdc2590 from main.
|
|
and CVE-2026-33034 to security archive.
Backport of 3330dc2dd97f60ab32d3c912d2649859d063265c from main.
|
|
|
|
|
|
size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
|
|
ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
|
|
GenericInlineModelAdmin.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
|
|
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
|
|
Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.
|
|
Although Django was not affected by the security issue patched in
black 26.3.0, it's worth upgrading to satisfy the zizmor check.
|
|
https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
|
|
verify_release.sh.
This reuses the same download for both artifacts and checks both GPG
signature and minimal correctness in the same script. Docs and script
do_django_release.py were updated.
Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
|
|
Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.
|
|
|
|
|
|
on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
|
|
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
|
|
MAX_LENGTH_HTML change.
|
|
|
|
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
|
|
references from HTML truncation docs.
Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
|
|
requirements.
|
|
Added ignores relating to https://github.com/PyCQA/isort/issues/2352.
Backport of d980d68609448a4c85763fa34e471ff80540888b from main.
|
|
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
|
|
with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
|
|
Backport of 2c2d36376a0ce0edc048c077a60be6e3b953bb09 from main.
|
|
As a side effect from adding explicit license files to conform to PEP 639, the
AUTHORS file got dropped from the wheel. The tarball still contained this file.
In the "Python Packaging User Guide"
(https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-files)
the AUTHORS file is modeled to be included in license-files.
Follow-up to 96a7a652166bece8acc96d6335ebb8091de2f496.
Backport of 220db1c78a1bdeb3ccb91ba8bf0b7ab829379c35 from main.
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.
|
|
|
|
|
|
aliases contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
|
|
aliases with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.
|
|
aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
|
|
lookups via band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
|
|
requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
|
|
mod_wsgi auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
|
|
Backport of b30e09a94270fdaa4bf282bf442b758c9a6d0bb0 from main.
|
|
docs/releases/5.2.10.txt.
Backport of 2be860d6cfb04c9b3643f7c31ce90df280c8e747 from main.
|
|
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of c08ed084f9651ab628dad83dd4459d9bba553e22 from main.
|
|
Backport of e937be3c1dc02cd06c14875be23d452b426d0d25 from main.
|
|
|
|
|
|
Backport of f6fd35fc6ddadc93720656b9882e28712f2492fc from main.
|
|
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491.
The UNNEST strategy is affected by the same problem bulk_update has wrt/
to silent data truncation due to its usage of db_type which always returns
a parametrized subtype.
Backport of d6ae2ed868e43671afc4d433c3d8f4d27f7eb555 from main.
|
|
https://github.com/python/cpython/pull/136809 made `color` default to
True in ArgumentParser.
Backport of d0d85cd165e54582cce98cf685252e771460a9d4 from main.
|
