Mariusz Felisiak
2a04e24d2d
[3.0.x] Added CVE-2021-28658 to security archive.
Backport of 1eac8468cbde790fecb51dd055a439f4947d01e9 from main
2021-04-06 09:47:14 +02:00
Mariusz Felisiak
e7fba62248
[3.0.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
2021-04-06 08:33:16 +02:00
Carlton Gibson
232d5f61e6
[3.0.x] Added CVE-2021-23336 to security archive.
Backport of ab58f072502e86dfe21b2bd5cccdc5e94dce8d26 from master
2021-02-19 11:06:46 +01:00
Nick Pope
326a926bee
[3.0.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl().
2021-02-18 10:21:04 +01:00
Nick Pope
ad36388406
[3.0.x] Added documentation extlink for bugs.python.org.
Backport of d02d60eb0f032c9395199fb73c6cd29ee9bb2646 from master
2021-02-17 14:27:36 +01:00
Mariusz Felisiak
0194f0be31
[3.0.x] Added CVE-2021-3281 to security archive.
Backport of f749148d62ece28d208ab66b109f858215ba090a from master
2021-02-01 10:46:46 +01:00
Mariusz Felisiak
52e409ed17
[3.0.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
Thanks Wang Baohua for the report.
Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.
2021-02-01 09:14:22 +01:00
Carlton Gibson
c3b8a62f63
[3.0.x] Set release date for 3.0.11 and 2.2.17.
Backport of 7fc07b9b2ba0c5c62a8840325d21b414a099fda0 from master
2020-11-02 08:37:54 +01:00
Christian Klus
b0a6798de5
[3.0.x] Fixed #32152 -- Fixed grouping by subquery aliases.
Regression in 42c08ee46539ef44f8658ebb1cbefb408e0d03fe.
Thanks Simon Charette for the review.
Backport of 4ac2d4fa42e1659f328c35b6b8d4761b3419c11a from master
2020-10-29 11:33:52 +01:00
Mariusz Felisiak
301bca9394
[3.0.x] Refs #31040 -- Doc'd Python 3.9 compatibility.
Backport of e18156b6c35908f2a4026287b5225a6a4da8af1a from master.
2020-10-13 08:40:39 +02:00
Carlton Gibson
1734484f12
[3.0.x] Added CVE-2020-24583 & CVE-2020-24584 to security archive.
Backport of d5b526bf78a9e5d9760e0c0f7647622bf47782fe from master
2020-09-01 11:38:46 +02:00
Carlton Gibson
79e6eb3853
[3.0.x] Added release date for 3.0.10, and 2.2.16.
Backport of 976e2b7420c0f7e3060a13792b97511a9aad31d7 from master
2020-09-01 09:58:40 +02:00
Mariusz Felisiak
cdb367c92a
[3.0.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
2020-08-25 10:45:33 +02:00
Mariusz Felisiak
08892bffd2
[3.0.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.
Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
2020-08-25 10:43:50 +02:00
Kaustubh
db8b935730
[3.0.x] Fixed #31925 -- Fixed typo in docs/releases/3.0.txt.
Backport of 3e753d3de33469493b1f0947a2e0152c4000ed40 from master
2020-08-21 09:49:13 +02:00
Mariusz Felisiak
ab5491c7cc
[3.0.x] Refs #31863 -- Added release notes for 94ea79be137f3cb30949bf82198e96e094f2650d.
Backport of 21768a99f47ee73a2f93405151550ef7c3d9c8a2 from master
2020-08-13 16:31:27 +02:00
Daniel Hillier
784ed4ada1
[3.0.x] Fixed #31866 -- Fixed locking proxy models in QuerySet.select_for_update(of=()).
Backport of 60626162f76f26d32a38d18151700cb041201fb3 from master
2020-08-11 12:31:50 +02:00
Mariusz Felisiak
9f74a24803
[3.0.x] Added stub release notes for 2.2.16 and 3.0.10.
Backport of 8a5683b6b2aede38edcff070686ed1fce470dec5 from master
2020-08-11 11:13:20 +02:00
Mariusz Felisiak
b1ae5d015b
[3.0.x] Added release date for 2.2.15 and 3.0.9.
Backport of b68b8cb89abb35ff2152175ea540619ec384b1f4 from master
2020-08-03 08:56:37 +02:00
Florian Apolloner
ccc088f8ce
[3.0.x] Fixed #31784 -- Fixed crash when sending emails on Python 3.6.11+, 3.7.8+, and 3.8.4+.
Fixed sending emails crash on email addresses with display names longer
than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
Wrapped display names were passed to email.headerregistry.Address()
which caused raising an exception because address parts cannot contain
CR or LF.
See https://bugs.python.org/issue39073
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Backport of 96a3ea39ef0790dbc413dde0a3e19f6a769356a2 from master
2020-07-20 07:15:14 +02:00
Mariusz Felisiak
331324ecce
[3.0.x] Fixed #31790 -- Fixed setting SameSite cookies flag in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.
This affects sessions and messages cookies.
Backport of 240cbb63bf9965c63d7a3cc9032f91410f414d46 from master.
2020-07-16 09:30:15 +02:00
David Smith
8f750bc295
[3.0.x] Fixed #30945 -- Doc'd plural equations changes in 2.2. release notes.
Backport of 392036be29b759204cbc4033072672acacabf3f7 from master
2020-07-03 09:39:23 +02:00
Mariusz Felisiak
5a15e3e378
[3.0.x] Added stub release notes for 3.0.9.
Backport of c2a835703f706583542e9dae82749ac3b92819f8 from master
2020-07-01 07:13:25 +02:00
Mariusz Felisiak
7d133e81e8
[3.0.x] Added release date for 2.2.14 and 3.0.8.
Backport of 0f3aecf581b50215820455eb2f6a19a1b3b3ef8b from master
2020-07-01 06:18:55 +02:00
Mariusz Felisiak
21e8f9f7c9
[3.0.x] Fixed #31751 -- Fixed database introspection with cx_Oracle 8.
Backport of 615e32162ff646db3456b90fb4eaaecc33dd3e4e from master
2020-06-30 09:56:14 +02:00
Simon Charette
453a5bf302
[3.0.x] Fixed #31735 -- Fixed migrations crash on namespaced inline FK addition on PostgreSQL.
The namespace of the constraint must be included when making the
constraint immediate.
Regression in 22ce5d0031bd795ade081394043833e82046016c.
Thanks Rodrigo Estevao for the report.
Backport of 2e8941b6f90e65ffad3f07083b8de59e8ed29767 from master
2020-06-24 09:00:22 +02:00
Hasan Ramezani
b61af177ee
[3.0.x] Fixed #31696 -- Updated OWASP links in docs.
Backport of a16080810bee8b3baf9ae7ac7b8433cb7b293e00 from master
2020-06-15 09:45:45 +02:00
Mariusz Felisiak
9ec6eca136
[3.0.x] Refs #31682 -- Doc'd minimal sqlparse version in Django 2.2.
Support for sqlparse < 0.2.2 was broken in
40b0a58f5ff949fba1072627e4ad11ef98aa7f36 because is_whitespace property
was added in sqlparse 0.2.2.
Backport of 4339f2aff272bceabd67e452c65bcfe0700b3f09 from master
2020-06-10 06:54:51 +02:00
Nicolas Baccelli
2b2500021b
[3.0.x] Fixed #31664 -- Reallowed using non-expressions having filterable attribute as rhs in queryset filters.
Regression in 4edad1ddf6203326e0be4bdb105beecb0fe454c4.
Backport of b38d44229ff185ad156bcb443d6db0db7ae3eb98 from master
2020-06-08 09:20:08 +02:00
Mariusz Felisiak
be7a295141
[3.0.x] Fixed #31660 -- Fixed queryset crash when grouping by m2o relation.
Regression in 3a941230c85b2702a5e1cd97e17251ce21057efa.
Thanks Tomasz Szymański for the report.
Backport of 78ad4b4b0201003792bfdbf1a7781cbc9ee03539 from master
2020-06-08 07:23:33 +02:00
Mariusz Felisiak
e8723af44b
[3.0.x] Fixed #31654 -- Fixed cache key validation messages.
Backport of 926148ef019abcac3a9988c78734d9336d69f24e from master
2020-06-05 07:22:52 +02:00
Carlton Gibson
fafbcc57db
[3.0.x] Added CVE-2020-13254 and CVE-2020-13596 to security archive.
Backport of 54975780ee2e4017844ecad94835fdce43d97377 from master
2020-06-03 12:06:17 +02:00
Carlton Gibson
c1dc423f10
[3.0.x] Added stub release notes for 3.0.8.
Backport of 7ec2658e1e24149f0f3244c08c361348f6ebc0e4 from master
2020-06-03 10:55:25 +02:00
Dan Palmer
84b2da5552
[3.0.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.
2020-06-03 09:33:20 +02:00
Jon Dufresne
1f2dd37f6f
[3.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
2020-06-03 09:32:35 +02:00
Carlton Gibson
256d297101
[3.0.x] Added release date for 2.2.13 and 3.0.7.
Backport of 81dc710571b773557170cce9764fff83b6dfd8ae from master
2020-06-03 09:14:57 +02:00
Carlton Gibson
d22f67848c
[3.0.x] Refs #31485 -- Backported jQuery upgrade to 3.5.1.
2020-06-02 14:36:31 +02:00
Carlton Gibson
2638627db4
[3.0.x] Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations.
Regression in e3e48b00127c09eafe6439d980a82fc5c591b673.
Thanks to Shai Berger for report, reproduce and suggested fix.
Backport of dd1ca50b096bf0351819aabc862e91a9797ddaca from master
2020-06-01 09:27:53 +02:00
Carlton Gibson
11fc1cac9e
[3.0.x] Updated expected release dates for 3.0.7 and 2.2.13.
Backport of 9d55ae00d3dad9e93714add69ab7e48e7b0bcafa from master
2020-05-27 10:21:15 +02:00
Mariusz Felisiak
52453b438a
[3.0.x] Refs #31607 -- Added release notes for a125da6a7c79b1d4c55677d0bed6f9b1d7d77353.
Backport of 8328811f048fed0dd22573224def8c65410c9f2e from master
2020-05-20 09:19:37 +02:00
Mariusz Felisiak
92acf1022f
[3.0.x] Fixed #31584 -- Fixed crash when chaining values()/values_list() after Exists() annotation and aggregation on Oracle.
Oracle requires the EXISTS expression to be wrapped in a CASE WHEN in
the GROUP BY clause.
Regression in efa1908f662c19038a944129c81462485c4a9fe8.
Backport of 3a941230c85b2702a5e1cd97e17251ce21057efa from master
2020-05-14 15:11:18 +02:00
Simon Charette
49bbf6570d
[3.0.x] Fixed #31568 -- Fixed alias reference when aggregating over multiple subqueries.
691def10a0197d83d2d108bd9043b0916d0f09b4 made all Subquery() instances
equal to each other which broke aggregation subquery pushdown which
relied on object equality to determine which alias it should select.
Subquery.__eq__() will be fixed in another commit but
Query.rewrite_cols() should have used object identity from the start.
Refs #30727, #30188.
Thanks Makina Corpus for the report.
Backport of adfbf653dc1c1d0e0dacc4ed46602d22ba28b004 from master
2020-05-14 10:26:16 +02:00
Simon Charette
afceb2241b
[3.0.x] Fixed #31566 -- Fixed aliases crash when chaining values()/values_list() after annotate() with aggregations and subqueries.
Subquery annotation references must be resolved if they are excluded
from the GROUP BY clause by a following .values() call.
Regression in fb3f034f1c63160c0ff13c609acd01c18be12f80.
Thanks Makina Corpus for the report.
Backport of 42c08ee46539ef44f8658ebb1cbefb408e0d03fe from master
2020-05-14 08:40:40 +02:00
Mariusz Felisiak
6e8a11e88c
[3.0.x] Added stub release notes for 2.2.13.
Backport of 50798d43898c7d46926a4292f86fdf3859a433da from master
2020-05-14 06:30:30 +02:00
Adam Johnson
cdf320dfb2
[3.0.x] Fixed a/an typos in "SQL" usage.
Backport of 1c2c6f1b51a540bddc7ae95f4d1213688411ca44 from master
2020-05-06 06:36:16 +02:00
Mariusz Felisiak
fdd5eb4309
[3.0.x] Fixed #31538 -- Fixed Meta.ordering validation lookups that are not transforms.
Regression in 440505cb2cadbe1a5b9fba246bcde6c04f51d07e.
Thanks Simon Meers for the report.
Backport of b73e66e75802f10cc34d4880714554cea54dbf49 from master
2020-05-05 09:09:17 +02:00
Mariusz Felisiak
5c6be5816d
[3.0.x] Fixed typo in docs/releases/3.0.6.txt.
Backport of 7668f9bce921f66e8e572938154221cd687aaa4a from master
2020-05-04 07:43:48 +02:00
Mariusz Felisiak
668f745bb7
[3.0.x] Added stub release notes for 3.0.7.
Backport of 8e8ff38cb8766590fa3a4f412dbb4b11f65b5c69 from master
2020-05-04 07:43:44 +02:00
Mariusz Felisiak
c95ce8c34d
[3.0.x] Added release date for 3.0.6.
Backport of c5358794e3d893a74073d1ee0a3d173d8f1e04b6 from master
2020-05-04 07:04:42 +02:00
Mariusz Felisiak
16dbeb2d51
[3.0.x] Updated expected date for 3.0.6 release.
Backport of 2788de95e375cccd03a3dfd161fc92b7d6df6024 from master
2020-04-28 10:13:23 +02:00