django.git - django

Age	Commit message (Collapse)	Author
2026-03-03	[4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.	Natalia
	This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
2025-01-14	[4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.	Natalia
	Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2023-07-03	[4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator ↵	Mariusz Felisiak
	and URLValidator. Thanks Seokchan Yoon for reports.
2023-05-03	[4.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of ↵	Mariusz Felisiak
	validation when uploading multiple files using one form field. Thanks Moataz Al-Sharida and nawaik for reports. Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-02-20	[4.2.x] Fixed #34349 -- Fixed FormSet.empty_form crash when deleting extra ↵	Laurens Verhoeven
	forms is disabled. Backport of 6cbc403b8ee7014bd6dae4892d404eedb1d4a50d from main
2023-02-01	[4.2.x] Refs #33476 -- Applied Black's 2023 stable style.	David Smith
	Black 23.1.0 is released which, as the first release of the year, introduces the 2023 stable style. This incorporates most of last year's preview style. https://github.com/psf/black/releases/tag/23.1.0 Backport of 097e3a70c1481ee7b042b2edd91b2be86fb7b5b6 from main
2022-11-18	Fixed #34119 -- Prevented callable default hidden widget value from being ↵	David Sanders
	overridden. Thanks to Benjamin Rigaud for the report.
2022-11-18	Fixed #34148 -- Reverted "Fixed #32901 -- Optimized BaseForm.__getitem__()."	Francesco Panico
	This reverts commit edde2a069929c93e37835dc3f7c9a229040058e2. Thanks Jan Pieter Waagmeester for the report.
2022-11-04	Fixed #27654 -- Propagated alters_data attribute to callables overridden in ↵	LightDiscord
	subclasses. Thanks Shai Berger and Adam Johnson for reviews and the implementation idea.
2022-10-31	Used more augmented assignment statements.	Nick Pope
	Identified using the following command: $ git grep -I '$\<[_a-zA-Z0-9]\+\>$ = \1 [-+/^%&\|<>@]'
2022-10-25	Fixed #19215 -- Fixed rendering ClearableFileInput when editing with invalid ↵	Marcelo Galigniana
	files. Thanks Michael Cardillo for the initial patch.
2022-09-09	Fixed #33995 -- Fixed FormSet.empty_form crash when empty_permitted is ↵	DevilsAutumn
	passed to form_kwargs.
2022-08-25	Fixed #33830 -- Fixed VariableDoesNotExist when rendering ClearableFileInput.	Neeraj Kumar

2022-08-08	Fixed #31721 -- Allowed ModelForm meta to specify form fields.	Kamil Turek

2022-08-02	Fixed #33876, Refs #32229 -- Made management forms render with div.html ↵	Carlton Gibson
	template. Thanks to Claude Paroz for the report.
2022-07-05	Fixed #33822 -- Fixed save() crash on model formsets when not created by ↵	Shawn Dong
	modelformset_factory(). Thanks Claude Paroz for the report. Regression in e87f57fdb8dcdabc452bd15abd015bf6c9b1f7a8.
2022-06-03	Fixed documentation of Widget.id_for_label() empty return value.	Swann

2022-05-17	Refs #32339 -- Deprecated default.html form template.	David Smith
	Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2022-05-12	Fixed #32559 -- Added 'step_size’ to numeric form fields.	Kapil Bansal
	Co-authored-by: Jacob Rief <jacob.rief@uibk.ac.at>
2022-05-10	Fixed #33622 -- Allowed customizing error messages for invalid number of forms.	Marc Seguí Coll
	Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2022-05-10	Fixed #30581 -- Added support for Meta.constraints validation.	Gagaro
	Thanks Simon Charette, Keryn Knight, and Mariusz Felisiak for reviews.
2022-05-05	Fixed #32339 -- Added div.html form template.	David Smith

2022-04-27	Refs #32339 -- Allowed renderer to specify default form and formset templates.	Carlton Gibson
	Co-authored-by: David Smith <smithdc@gmail.com>
2022-04-26	Fixed #33656 -- Fixed MultiWidget crash when compressed value is a tuple.	L

2022-03-30	Refs #32339 -- Added use_fieldset to Widget.	David

2022-03-16	Used sets for field names for exclusion.	Gagaro
	They are used only for containment checks.
2022-02-10	Fixed #29490 -- Added support for object-based Media CSS and JS paths.	Claude Paroz

2022-02-07	Refs #33476 -- Refactored code to strictly match 88 characters line length.	Mariusz Felisiak

2022-02-07	Refs #33476 -- Reformatted code with Black.	django-bot

2022-02-03	Refs #33476 -- Refactored problematic code before reformatting by Black.	Mariusz Felisiak
	In these cases Black produces unexpected results, e.g. def make_random_password( self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789', ): or cursor.execute(""" SELECT ... """, [table name], )
2022-01-27	Fixed #26142 -- Allowed model formsets to prevent new object creation.	vgolubev
	Thanks Jacob Walls, David Smith, and Mariusz Felisiak for reviews. Co-authored-by: parth <parthvin@gmail.com>
2022-01-22	Stopped including type="text/css" attributes for CSS link tags.	Claude Paroz

2022-01-07	Fixed #33419 -- Restored marking forms.Field.help_text as HTML safe.	David
	Regression in 456466d932830b096d39806e291fe23ec5ed38d5. Thanks Matt Westcott for the report.
2021-12-21	Refs #24121 -- Added __repr__() to BaseFormSet.	Baptiste Mispelon

2021-12-21	Fixed typo in django/forms/widgets.py.	vavanade

2021-12-10	Moved ManagementForm's fields to class attributes.	Adam Johnson
	This helps introspection, and it follows the comment in BaseForm.__init__() to avoid changing base_fields. Thanks to Silvio Gutierrez and Baptiste Mispelon for investigating.
2021-12-09	Refs #32338 -- Added Boundfield.legend_tag().	David Smith

2021-11-05	Fixed #33235 -- Removed "for = ..." from MultiWidget's <label>.	David Smith
	This improves accessibility for screen reader users.
2021-09-30	Fixed #33155 -- Made ModelChoiceIteratorValue instances hashable.	Aljaž Košir

2021-09-29	Fixed #33134 -- Fixed recursion depth error when rendering Form with ↵	David Smith
	BoundFields. Regression in 456466d932830b096d39806e291fe23ec5ed38d5.
2021-09-27	Refs #32355 -- Used @functools.lru_cache as a straight decorator.	Mariusz Felisiak

2021-09-24	Fixed #33130 -- Restored form errors to be a dict.	Jaap Roes
	Regression in 456466d932830b096d39806e291fe23ec5ed38d5.
2021-09-20	Fixed #31026 -- Switched form rendering to template engine.	David Smith
	Thanks Carlton Gibson, Keryn Knight, Mariusz Felisiak, and Nick Pope for reviews. Co-authored-by: Johannes Hoppe <info@johanneshoppe.com>
2021-09-03	Fixed #32975 -- Fixed admin system check for inlines with foreign keys to ↵	taulant
	proxy models.
2021-08-27	Refs #32338 -- Made RadioSelect/CheckboxSelectMultiple render in <div> tags.	David Smith
	This improves accessibility for screen reader users.
2021-08-04	Fixed #29205 -- Corrected rendering of required attributes for ↵	Jacob Walls
	MultiValueField subfields.
2021-08-04	Fixed #32855 -- Corrected BoundWidget.id_for_label() with custom auto_id.	Jacob Rief

2021-08-03	Fixed #32984 -- Allowed customizing a deletion field widget in formsets.	Ties Jan Hefting

2021-07-21	Fixed #32949 -- Restored invalid number handling in DecimalField.validate().	yakimka
	DecimalField must itself validate() values, such as NaN, which cannot be passed to validators, such as MaxValueValidator, during the run_validators() phase. Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85.
2021-07-16	Fixed #32924 -- Changed BaseForm.get_initial_for_field() to remove ↵	Chris Jerdonek
	microseconds when needed.