on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
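The umask pattern that a `safe_makedirs()` helper replaces is the usual workaround for CVE-2020-24583 (intermediate directories created during an upload not receiving the configured directory permissions): temporarily widen or narrow os.umask() around os.makedirs(). The umask is process-wide, so every other thread creating a file in that window inherits the altered mask. The following is an added example, not Django's `safe_makedirs()` and not the CPython patch: a helper that creates each missing component with os.mkdir() and then applies the mode with os.chmod() (which the umask does not filter), touching only directories it created itself, plus a constructed comparison against os.makedirs() under a restrictive umask. It assumes a POSIX filesystem on which chmod is honoured; `compare_with_makedirs` and `_dirs_below` are names of this example.

```python
import os
import stat
import tempfile


def safe_makedirs(path, mode=0o777, exist_ok=False):
    """Create ``path`` and any missing parents, giving every directory this
    call creates the permission bits in ``mode``, without touching the
    process-wide umask. Returns the list of directories actually created.
    """
    path = os.path.abspath(os.fspath(path))
    missing = []
    probe = path
    while not os.path.isdir(probe):
        missing.append(probe)
        parent = os.path.dirname(probe)
        if parent == probe:  # reached the filesystem root
            break
        probe = parent
    if not missing:
        if exist_ok:
            return []
        raise FileExistsError(f"{path!r} already exists")

    created = []
    for directory in reversed(missing):  # parents first
        try:
            os.mkdir(directory, mode)
        except FileExistsError:
            # Lost a race with another creator. A parent that now exists as a
            # directory is fine; so is the leaf when exist_ok is set. A
            # non-directory in the way is always an error. Permissions of a
            # directory somebody else created are left alone.
            if not os.path.isdir(directory) or (directory == path and not exist_ok):
                raise
            continue
        # mkdir() ANDs ``mode`` with ~umask; chmod() does not. Re-applying the
        # mode is what gives intermediate directories the requested bits. The
        # window between the two calls can only be narrower than ``mode`` (a
        # umask only clears bits), never more permissive.
        os.chmod(directory, mode)
        created.append(directory)
    return created


def _dirs_below(root, leaf):
    """Every directory from the first component under ``root`` down to ``leaf``."""
    parts = os.path.relpath(leaf, root).split(os.sep)
    return [os.path.join(root, *parts[: i + 1]) for i in range(len(parts))]


def compare_with_makedirs(mode=0o750, umask=0o077):
    """Constructed demonstration (POSIX only): build the same three-level tree
    with os.makedirs() and with safe_makedirs() under a restrictive umask and
    return the permission bits of each directory, top-down, for both trees.
    The umask is changed here only to simulate a locked-down deployment; the
    helper under test never calls os.umask() itself.
    """
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as root:
            stdlib_leaf = os.path.join(root, "uploads", "2024", "05")
            os.makedirs(stdlib_leaf, mode)
            safe_leaf = os.path.join(root, "media", "2024", "05")
            safe_makedirs(safe_leaf, mode)

            def perms(leaf):
                return [stat.S_IMODE(os.stat(d).st_mode) for d in _dirs_below(root, leaf)]

            return perms(stdlib_leaf), perms(safe_leaf)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    via_makedirs, via_safe = compare_with_makedirs()
    print("os.makedirs  :", [oct(m) for m in via_makedirs])  # group bits stripped by umask
    print("safe_makedirs:", [oct(m) for m in via_safe])      # requested mode on every level
```

With a umask of 0o077 and a requested mode of 0o750, os.makedirs() (Python 3.7+) leaves every level at 0o700, the leaf included, because mkdir() itself applies the umask; the helper ends with 0o750 on all three levels. The design choice worth keeping is that chmod is applied only to directories this call created, so a concurrently created or pre-existing parent never has its permissions rewritten.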

https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.

with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.

requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.

https://github.com/python/cpython/pull/136809 made `color` default to
True in ArgumentParser.
Backport of d0d85cd165e54582cce98cf685252e771460a9d4 from main.

in XML serializer.
Previously, `getInnerText()` recursively used `list.extend()` on strings,
which added each character from child nodes as a separate list element.
On deeply nested XML content, this caused the overall deserialization
work to grow quadratically with input size, potentially allowing
disproportionate CPU consumption for crafted XML.
The fix separates collection of inner texts from joining them, so that
each subtree is joined only once, reducing the complexity to linear in
the size of the input. These changes also include a mitigation for an
xml.dom.minidom performance issue.
Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
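The shape of the bug and of the fix, as an added example rather than Django's own `getInnerText()`: the "before" function extends a list with the string returned by the recursive call, the "after" function collects fragments into one shared list and joins exactly once. Both versions are instrumented to return a work count next to the text, and a constructed worst-case input (one character of text at each of N nesting levels) shows the extend copies growing as N(N-1)/2 for the old shape and the appends growing as N for the new one. The function names are this example's own.

```python
from xml.dom import minidom


def inner_text_quadratic(node):
    """The pre-fix shape. Returns (text, chars_copied).

    The recursive call returns a *string*, and list.extend() on a string
    appends one list element per character, so text from depth d is
    re-copied at every level on the way up. (The per-level join adds the
    same order of work again; only the extend copies are counted here.)
    """
    parts, copied = [], 0
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            sub_text, sub_copied = inner_text_quadratic(child)
            parts.extend(sub_text)  # str is iterable: one element per char
            copied += sub_copied + len(sub_text)
    return "".join(parts), copied


def _collect_inner_texts(node, parts):
    """Append every text/CDATA fragment below ``node`` to ``parts``, in order."""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            _collect_inner_texts(child, parts)


def inner_text_linear(node):
    """The fixed shape: one shared list of fragments, joined exactly once.
    Returns (text, fragments_appended)."""
    parts = []
    _collect_inner_texts(node, parts)
    return "".join(parts), len(parts)


def nested_document(depth):
    """Constructed worst case: <n>x<n>x...</n></n>, ``depth`` levels deep,
    with one character of text at every level."""
    return minidom.parseString("<n>x" * depth + "</n>" * depth)


if __name__ == "__main__":
    for depth in (10, 100, 500):
        root = nested_document(depth).documentElement
        _, copied = inner_text_quadratic(root)
        _, appended = inner_text_linear(root)
        print(f"depth={depth:4d}  extend copies={copied:7d}  appends={appended:4d}")
```

Both functions return the same text; only the work differs. The practitioner's check when reviewing similar code is the type flowing into `extend()`: a helper that returns `str` and a caller that treats it as a list of fragments is exactly the mismatch that turns tree depth into quadratic CPU time on attacker-supplied input.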
Backport of ce36c35e76f82f76cdfa5777456e794d481e5afc from main.

NOT FOUND.
Migrated `WSGIRequestHandler.log_message()` to use a more robust
`log_message()` helper, which was based on `log_response()` via factoring out
the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9bb83925d6c231e964f8b54efbc982fb1333da27 from main.
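CVE-2025-48432, referenced above, is Django's advisory for log injection through request fields written to the log unescaped: a request line carrying CR or LF can terminate the current record and start a forged one. The following is an added example and not the helper introduced by this commit: a field escaper that renders control and line-separator characters visibly, a naive and an escaped access-log formatter, and a constructed crafted path that yields a forged record in the naive output and none in the escaped one. All names and sample values are this example's own.

```python
import re

# ASCII C0 controls, DEL, C1 controls, and the Unicode line/paragraph
# separators; str.splitlines() and many log viewers treat all of these
# as record boundaries.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def escape_log_field(value):
    """Render every character that could break a log record as a visible escape."""
    named = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}

    def visible(match):
        ch = match.group(0)
        if ch in named:
            return named[ch]
        return f"\\x{ord(ch):02x}" if ord(ch) < 0x100 else f"\\u{ord(ch):04x}"

    return _UNSAFE.sub(visible, value)


def naive_access_line(client, method, path, status, size):
    """What an unescaped formatter produces (the vulnerable shape)."""
    return f'{client} - - "{method} {path}" {status} {size}'


def safe_access_line(client, method, path, status, size):
    """Same format, every attacker-influenced field escaped first."""
    return naive_access_line(
        escape_log_field(client),
        escape_log_field(method),
        escape_log_field(path),
        status,
        size,
    )


# Constructed malicious request path: the tail after CRLF is meant to show up
# as a separate, authentic-looking record for an admin login that never happened.
CRAFTED_PATH = '/login\r\n10.0.0.9 - - "POST /admin/login/ HTTP/1.1" 200 512'


def record_count(line):
    """Number of records a line-oriented log reader would see in ``line``."""
    return len(line.splitlines())


if __name__ == "__main__":
    print(naive_access_line("203.0.113.7", "GET", CRAFTED_PATH, 404, 0))
    print(safe_access_line("203.0.113.7", "GET", CRAFTED_PATH, 404, 0))
```

Escaping at the formatter rather than at each call site is the point: every field that originates in the request (path, method, Host, User-Agent) goes through the same function, so a new log statement cannot forget it. ANSI escape sequences (ESC, 0x1b) are covered by the same class, which also defuses terminal-control tricks against anyone tailing the log.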

django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.

favor of hmac.compare_digest().
Signed-off-by: SaJH <wogur981208@gmail.com>

ASGIRequest.
Signed-off-by: SaJH <wogur981208@gmail.com>

makemessages.

- Changed EmailMessage.message() to construct a "modern email API"
email.message.EmailMessage and added policy keyword arg.
- Added support for modern MIMEPart objects in EmailMessage.attach()
(and EmailMessage constructor, EmailMessage.attachments list).
- Updated SMTP EmailBackend to use modern email.policy.SMTP.
Deprecated:
- Attaching MIMEBase objects (replace with MIMEPart)
- BadHeaderError (modern email uses ValueError)
- SafeMIMEText, SafeMIMEMultipart (unnecessary for modern email)
- django.core.mail.forbid_multi_line_headers()
(undocumented, but exposed via `__all__` and in wide use)
- django.core.mail.message.sanitize_address()
(undocumented, but in wide use)
Removed without deprecation (all undocumented):
- EmailMessage.mixed_subtype
- EmailMultiAlternatives.alternative_subtype
- Support for setting (undocumented) EmailMessage.encoding property
to a legacy email.charset.Charset object
Related changes:
- Dropped tests for incorrect RFC 2047 encoding of non-ASCII email
address localparts. This is specifically prohibited by RFC 2047, and
not supported by any known MTA or email client. (Python still
mis-applies encoded-word to non-ASCII localparts, but it is a bug that
may be fixed in the future.)
- Added tests that try to discourage using Python's legacy email APIs
in future updates to django.core.mail.
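What the "modern email API" buys in practice, as an added example rather than django.core.mail code: the stdlib email.message.EmailMessage built under email.policy.SMTP, an attachment added as a MIME part without any MIMEBase or SafeMIMEText wrapper, and the header-injection check that BadHeaderError used to provide, which the modern API performs itself by raising ValueError for a header value that spans more than one line. Function names and sample data are this example's own.

```python
from email import policy
from email.message import EmailMessage


def build_message(subject, sender, recipient, body, attachment=None):
    """Assemble a message with the modern API under the SMTP policy (CRLF line
    endings, header folding handled by the policy). ``attachment`` is an
    optional (bytes, maintype, subtype, filename) tuple."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(body)
    if attachment is not None:
        data, maintype, subtype, filename = attachment
        # Becomes a MIME part under a multipart/mixed container; the policy
        # picks the transfer encoding (base64 for arbitrary bytes).
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def header_injection_rejected(value):
    """True if the modern API refuses ``value`` as a header. With an
    email.policy.EmailPolicy, a value containing CR or LF raises ValueError
    at assignment time, which is the check BadHeaderError used to perform."""
    msg = EmailMessage(policy=policy.SMTP)
    try:
        msg["Subject"] = value
    except ValueError:
        return True
    return False


# Constructed sample data.
SAMPLE_PDF = b"%PDF-1.4\n% not a real document\n"
CRAFTED_SUBJECT = "Invoice\r\nBcc: everyone@example.invalid"


if __name__ == "__main__":
    msg = build_message(
        "Report", "ops@example.com", "dev@example.com", "See attached.",
        (SAMPLE_PDF, "application", "pdf", "report.pdf"),
    )
    print(msg.as_string())
    print("injection rejected:", header_injection_rejected(CRAFTED_SUBJECT))
```

The security-relevant difference from the legacy API is where the check lives: the policy rejects the multi-line header when it is set, so any code path that builds a message, not only one that remembered to call a sanitizer, gets the protection. Callers that previously caught BadHeaderError should catch ValueError instead.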

Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.

Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.

In public mail APIs, changed less frequently used parameters from
keyword-or-positional to keyword-only, emitting a warning during the
required deprecation period.

management command.

deprecated asyncio.iscoroutinefunction().
Follow up to bd3b1dfa2422e02ced3a894adb7544e42540c97d.
Introduced in 2ae3044d9d4dfb8371055513e440e0384f211963.
Fixes DeprecationWarning:
'asyncio.iscoroutinefunction' is deprecated and slated for removal
in Python 3.16; use inspect.iscoroutinefunction() instead.

This initial work adds a pair of settings to configure specific CSP
directives for enforcing or reporting policy violations, a new
`django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the
appropriate headers to responses, and a context processor to support CSP
nonces in templates for safely inlining assets.
Relevant documentation has been added for the 6.0 release notes,
security overview, a new how-to page, and a dedicated reference section.
Thanks to the multiple reviewers for their precise and valuable feedback.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
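A minimal model of the two-header design described above, added here as an example (its own functions, not Django's middleware, settings or context processor): one dict per policy, a per-response nonce shared between the enforced and the report-only header and exposed for templates, and a serializer that renders directives in the Content-Security-Policy header grammar. The `NONCE` sentinel, the function names and the sample policies are assumptions of this example.

```python
import secrets

# This example's own placeholder for "the nonce of the current response".
NONCE = object()


def generate_nonce():
    """Fresh 128-bit nonce per response. Never reuse one across responses or
    cache a page that embeds it; a predictable nonce proves nothing."""
    return secrets.token_urlsafe(16)


def serialize_csp(directives, nonce):
    """Render {directive: [sources]} as a header value. A directive mapped to
    True is emitted bare (e.g. upgrade-insecure-requests)."""
    rendered_directives = []
    for name, sources in directives.items():
        if sources is True:
            rendered_directives.append(name)
            continue
        sources = [f"'nonce-{nonce}'" if s is NONCE else s for s in sources]
        rendered_directives.append(f"{name} {' '.join(sources)}")
    return "; ".join(rendered_directives)


def csp_headers(enforce=None, report_only=None, nonce=None):
    """Return (nonce, headers) for one response: the enforced policy, the
    report-only policy, or both, all carrying the same nonce."""
    nonce = nonce or generate_nonce()
    headers = {}
    if enforce:
        headers["Content-Security-Policy"] = serialize_csp(enforce, nonce)
    if report_only:
        headers["Content-Security-Policy-Report-Only"] = serialize_csp(report_only, nonce)
    return nonce, headers


def script_tag(nonce, body):
    """How a template inlines a script under a nonce policy: the attribute
    must carry exactly the value the header announced."""
    return f'<script nonce="{nonce}">{body}</script>'


# Constructed sample policies: enforce a nonce-gated script policy, and in
# parallel observe how a stricter candidate policy would behave before
# switching it to enforcement.
ENFORCED = {
    "default-src": ["'self'"],
    "script-src": ["'self'", NONCE],
    "object-src": ["'none'"],
    "upgrade-insecure-requests": True,
}
REPORT_ONLY = {
    "script-src": ["'self'"],
    "report-uri": ["/csp-report/"],
}


if __name__ == "__main__":
    nonce, headers = csp_headers(ENFORCED, REPORT_ONLY)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(script_tag(nonce, "console.log('inlined under a nonce')"))
```

Two details matter operationally: the report-only header is what lets a team roll a stricter policy out against real traffic without breaking anything, and the nonce must be generated per response and injected into both the header and the markup from the same value, which is why the middleware and the context processor need to share state for the request.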

Fixed an inconsistency between EmailMessage.attach() and .attachments
when attaching bytes content with a text/* mimetype. The attach()
function decodes UTF-8 bytes if possible and otherwise changes the
mimetype to application/octet-stream to preserve the content's unknown
encoding (refs #27007). Providing equivalent content directly in
EmailMessage.attachments did not apply the same logic, leading
to an "AttributeError: 'bytes' object has no attribute 'encode'"
in SafeMIMEText.set_payload().
Updated EmailMessage._create_mime_attachment() to match attach()'s
handling for text/* mimetypes with bytes content. Updated test cases
to accurately cover behavior on both paths.

WSGIHandler.
This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

The documentation[0] encourages users to write functions without a
default for `app_configs`, and checks are always passed the argument.
[0] https://docs.djangoproject.com/en/5.2/topics/checks/

for consistency.

Thanks Carlton Gibson for reviews.

primary keys.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

startapp.

Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in
d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b.
Thanks Florent Messa for the report, and Jake Howard and Claude
Paroz for the review.

Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c.
Thanks Baptiste Mispelon for the report.

url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.

pagination.

DJANGO_RUNSERVER_HIDE_WARNING.

Previously, the ADMINS and MANAGERS settings were lists of (name, address)
tuples (where the name had been unused). Deprecated use of tuples.
Updated settings value sanity checks, and changed from ValueError to
ImproperlyConfigured.

Raising DatabaseError directly made it harder than it should be to
differentiate between IntegrityError when a forced update resulted in no
affected rows.
Introducing a specialized exception allows callers to more easily
silence, log, or turn these update failures into user-facing exceptions
(e.g. 404s).
Thanks Mariusz for the review.

Thank you Raffaella for the report. Thank you Tim Schilling and Natalia Bidart
for the reviews.

https://github.com/psf/black/releases/tag/25.1.0

datetime.UTC was added in Python 3.11.

Given there are no longer any internal usages of serialize=True and it
poses a risk to non-test databases integrity it seems appropriate to
deprecate it.

reporting.

object.
Co-authored-by: Salvo Polizzi <salvopolizzi03@gmail.com>

command.