mirror of https://github.com/django/django.git synced 2025-07-14 06:39:24 +00:00

199 Commits

Author SHA1 Message Date
Mariusz Felisiak
8352b98e46 [2.2.x] Added stub release notes for 2.2.28.
Backport of 78277faafd38d8360efc1fd0c9c52d7bb5eec002 from main
2022-04-04 10:55:50 +02:00
Mariusz Felisiak
4cafd3aacb [2.2.x] Added stub release notes 2.2.27.
Backport of eeca9342381c8583be16f18942774e785ab7e527 from main.
2022-01-25 07:29:28 +01:00
Carlton Gibson
03b733d8a8 [2.2.x] Added stub release notes for 2.2.26 release. 2021-12-28 10:10:15 +01:00
Mariusz Felisiak
fac0fdd95d [2.2.x] Added stub release notes for 2.2.25.
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main.
2021-11-30 11:31:56 +01:00
Carlton Gibson
f163ad5c63 [2.2.x] Added stub release notes and date for Django 2.2.24.
Backport of b46dbd4e3e255223078ae0028934ea986e19ebc1 from main
2021-05-26 10:21:53 +02:00
Mariusz Felisiak
b8ecb06436 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignore the passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.

Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-13 09:00:25 +02:00
Mariusz Felisiak
d9594c4ea5 [2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-06 08:53:27 +02:00
Florian Apolloner
04ac1624bd [2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-27 19:10:08 +02:00
Mariusz Felisiak
4036d62bda [2.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.

Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
2021-04-06 08:38:19 +02:00
Nick Pope
fd6b6afd59 [2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl(). 2021-02-18 10:27:25 +01:00
Mariusz Felisiak
21e7622dec [2.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.

Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.
2021-02-01 09:14:54 +01:00
Mariusz Felisiak
b4b8ca4895 [2.2.x] Refs #31040 -- Doc'd Python 3.9 compatibility.
Backport of e18156b6c35908f2a4026287b5225a6a4da8af1a from master.
2020-10-13 08:45:37 +02:00
Mariusz Felisiak
30706246e7 [2.2.x] Added stub release notes for 2.2.16.
Backport of 8a5683b6b2aede38edcff070686ed1fce470dec5 from master
2020-08-11 11:14:35 +02:00
Mariusz Felisiak
f1a6e6c817 [2.2.x] Fixed #31790 -- Fixed setting SameSite cookies flag in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.

This affects sessions and messages cookies.

Backport of 331324ecce1330dce3dbd1713203cb9a42854ad7 from stable/3.0.x
2020-07-16 09:35:35 +02:00
Mariusz Felisiak
b2b2723512 [2.2.x] Fixed #31654 -- Fixed cache key validation messages.
Backport of 926148ef019abcac3a9988c78734d9336d69f24e from master.
2020-06-05 07:24:04 +02:00
Mariusz Felisiak
cbccae22a4 [2.2.x] Added stub release notes for 2.2.13.
Backport of 50798d43898c7d46926a4292f86fdf3859a433da from master
2020-05-14 06:31:01 +02:00
Carlton Gibson
aa0948e238 [2.2.x] Added stub release notes for 2.2.12.
Backport of a4200e958d1da46465d7d684674a1711bc9f65e0 from master
2020-03-10 12:03:51 +01:00
Mariusz Felisiak
fe886a3b58 [2.2.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
2020-03-04 09:34:39 +01:00
Mariusz Felisiak
eeed073aa2 [2.2.x] Added stub release notes for 2.2.11.
Backport of 7e8339748cc199b4a13513891d9ac4f1e4794588 from master
2020-02-10 08:24:32 +01:00
Simon Charette
c67a368c16 [2.2.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. 2020-01-26 18:51:25 +01:00
Mariusz Felisiak
86befcc172 [2.2.x] Refs #31073 -- Added release notes for 02eff7ef60466da108b1a33f1e4dc01eec45c99d.
Backport of ec12c37384798093e359971c8980fe0c68d555bc from master.
2019-12-11 10:09:26 +01:00
Mariusz Felisiak
4082f078bc [2.2.x] Added stub release notes for 2.1.15.
Backport of e9def97d1095efed15a109d82fe0498ebd56fa04 from master
2019-11-19 12:45:04 +01:00
Mariusz Felisiak
90c730d963 [2.2.x] Added stub release notes for 2.2.8 release.
Backport of 30359496a3f3d9af0b02afc334710f7e24c74f5b from master
2019-11-12 14:42:34 +01:00
Mariusz Felisiak
18df8484bd [2.2.x] Added stub release notes for 1.11.26 and 2.1.14.
Backport of 84322a29ce9b0940335f8ab3d60e55192bef1e50 from master
2019-10-02 07:56:02 +02:00
Carlton Gibson
c3302c7976 [2.2.x] Added stub release notes for 2.2.7.
Backport of e1c1eaf0c6f4d3d2f60513d20aa9b84b17d096ec from master
2019-10-01 10:45:07 +02:00
Mariusz Felisiak
e4fb132f43 [2.2.x] Added stub release notes for 1.11.25 and 2.1.13.
Backport of bd7e0f81f8590eadcb820c976ba03c9b75bbcad6 from master
2019-09-16 07:43:49 +02:00
Mariusz Felisiak
b71cabe459 [2.2.x] Added stub release notes for 2.2.6.
Backport of 0d4529d314f5b804c4e856146f6641a73027a2c4 from master
2019-09-04 08:06:12 +02:00
Mariusz Felisiak
52a7759a49 [2.2.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params.
Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.

Thanks Florian Apolloner for the report and helping with tests.

Backport of 1f8382d34d54061eddc41df6994e20ee38c60907 from master.
2019-08-14 15:29:13 +02:00
Mariusz Felisiak
2c66f340bb [2.2.x] Added stub release notes for 2.2.5.
Backport of 1af469e67fd3928a4b01722d4706c066000014e9 from master
2019-08-03 11:28:47 +02:00
Carlton Gibson
ea57c8a345 [2.2.x] Added stub release notes for security releases.
Backport of f13147c8de725eed7038941758469aeb9bd66503 from master
2019-07-25 10:50:18 +02:00
Mariusz Felisiak
b593c39d7f [2.2.x] Added stub release notes for 2.2.4.
Backport of 08e69cad9ccb18738b66388b0d0ee4660470710e from master
2019-07-09 07:45:27 +02:00
Mariusz Felisiak
db9f7b44fc [2.2.x] Added stub release notes for security releases.
Backport of 30b3ee9d0b33bb440f9c73d1ce9e0e7303887a9f from master
2019-07-01 07:03:03 +02:00
Mariusz Felisiak
ca3f86288a [2.2.x] Added stub release notes for 2.2.3.
Backport of 1f81e2df69c0f62f9bd85bca5b3876a2d8229fde from master
2019-06-05 06:58:53 +02:00
Carlton Gibson
4a1d25b39f [2.2.x] Added stub release notes for security releases.
Backport of 98c0fe19ee2cba9726708ac9336e1dc0d43cca69 from master
2019-06-03 10:50:09 +02:00
Mariusz Felisiak
5d1cf9c442 [2.2.x] Added stub release notes for 2.2.2.
Backport of 30dd43884e8e5dfb3dfd7e31fc78fd569f15916a from master
2019-05-08 14:45:37 +02:00
Mariusz Felisiak
ba682261eb [2.2.x] Added stub release notes for 2.2.1.
Backport of e6588aa4e793b7f56f4cadbfa155b581e0efc59a from master
2019-04-03 08:33:10 +02:00
Tim Graham
de62ba965f [2.2.x] Added stub 2.1.8 release notes.
Backport of e245046bb6e8b32360aa48b8a41fb7050f0fc730 from master
2019-03-30 13:04:40 -04:00
Tim Graham
f548ac7fa5 [2.2.x] Refs #30177 -- Forwardported 2.0.13 release notes.
Backport of 1b8f552b08eb7642be598ba7512e7eaecefbdc6d from master.
2019-02-11 15:52:15 -05:00
Carlton Gibson
1672ed5ccf [2.2.x] Refs #30175 -- Added release notes for 2.1.7, 2.0.12, and 1.11.20 releases.
Backport of b39bd0aa6d5667d6bbcf7d349a1035c676e3f972 from master
2019-02-11 15:47:54 +01:00
Carlton Gibson
941109ccb3 [2.2.x] Added stub release notes for security releases.
Backport of 5cc6f02f91e8860c867cc68cf42e66b5bb54c63d from master
2019-02-07 15:47:52 +01:00
Tim Graham
36fceeec88 Added stub 2.1.6 release notes. 2019-01-08 08:57:22 -05:00
Tom Hacohen
1ecc0a395b Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
2019-01-03 21:21:55 -05:00
Carlton Gibson
196b420fcb Added stub release notes for 2.1.5 release. 2018-12-04 16:21:38 +01:00
Carlton Gibson
74ddd0e83b Added stub release notes for 2.1.4 release. 2018-11-01 15:48:28 +01:00
Carlton Gibson
dc28c0faf3 Added stub release notes for 2.1.3 release. 2018-10-01 11:48:11 +02:00
Carlton Gibson
2e86710dac Added stub release notes for 2.0.10 release. 2018-10-01 11:46:38 +02:00
Carlton Gibson
7040e638b9 Added stub release notes for 1.11.17 release. 2018-10-01 11:44:36 +02:00
Carlton Gibson
728ee98cd3 Added stub release notes for 2.1.2. 2018-08-31 11:01:29 +02:00
Michael Sanders
271542dad1 Fixed #29499 -- Fixed race condition in QuerySet.update_or_create().
A race condition happened when the object didn't already exist and
another process/thread created the object before update_or_create()
did and then attempted to update the object, also before update_or_create()
saved the object. The update by the other process/thread could be lost.
2018-08-02 17:07:48 -04:00
Tim Graham
25dd595742 Added stub release notes for 2.1.1. 2018-08-01 11:13:37 -04:00