Mariusz Felisiak
cfb780dafe
[3.1.x] Added stub release notes 3.1.14 and 2.2.25.
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main.
2021-11-30 11:28:20 +01:00
Mariusz Felisiak
8dc1cc0b30
[3.1.x] Added stub release notes for 3.1.13.
Backport of 8e97698d7b537cd298438a8d7b55916d275ff851 from main.
2021-07-01 06:59:22 +02:00
Carlton Gibson
c7fdc790cf
[3.1.x] Added stub release notes and date for Django 3.1.12 and 2.2.24.
Backport of b46dbd4e3e255223078ae0028934ea986e19ebc1 from main
2021-05-26 10:19:28 +02:00
Mariusz Felisiak
b7d4a6fa65
[3.1.x] Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignore passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.
Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-13 08:56:06 +02:00
Mariusz Felisiak
afb23f5929
[3.1.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
2021-05-06 08:50:52 +02:00
Florian Apolloner
25d84d6412
[3.1.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
2021-04-27 19:12:15 +02:00
Mariusz Felisiak
cca0d98118
[3.1.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
2021-04-06 08:25:24 +02:00
Mariusz Felisiak
bdad3eb7ec
[3.1.x] Added stub release notes for 3.1.8.
Backport of e0f82d7992ad7085dcf4ed096a6ad2e3ad89eaae from master
2021-02-25 20:30:29 +01:00
Nick Pope
8f6d431b08
[3.1.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl().
2021-02-18 10:15:30 +01:00
Mariusz Felisiak
65d4c59da9
[3.1.x] Added stub release notes for 3.1.7.
Backport of 8d3c3a57174a072479978d60f5ecdb9fd3c2fd23 from master
2021-02-01 10:55:28 +01:00
Mariusz Felisiak
02e6592835
[3.1.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
Thanks Wang Baohua for the report.
Backport of 05413afa8c18cdb978fcdf470e09f7a12b234a23 from master.
2021-02-01 09:13:58 +01:00
Carlton Gibson
622e37ca6d
[3.1.x] Added stub release notes for 3.1.6.
Backport of 966ed414b2adfc9ecc26a9d529dec99d94262cd9 from master
2021-01-04 08:59:11 +01:00
Mariusz Felisiak
d3e3d63bb1
[3.1.x] Added stub release notes for 3.1.5.
Backport of adb40d217ec57ade46b1394cfbf3c513dc669445 from master
2020-12-01 07:19:22 +01:00
Carlton Gibson
c13702a9f3
[3.1.x] Added stub release notes for 3.1.4.
Backport of c8785b473f99a0dbc76f8a61b88904e2f44998ae from master
2020-11-02 09:21:21 +01:00
Mariusz Felisiak
84685e5132
[3.1.x] Refs #31040 -- Doc'd Python 3.9 compatibility.
Backport of e18156b6c35908f2a4026287b5225a6a4da8af1a from master.
2020-10-13 08:36:43 +02:00
Mariusz Felisiak
079e766217
[3.1.x] Added stub release notes for 3.1.3.
Backport of 85fa24e3eb8d0f942ef05c48ea8b0a84659e7ce4 from master
2020-10-01 07:57:13 +02:00
Carlton Gibson
2629882095
[3.1.x] Added stub release notes for 3.1.2.
Backport of 7a60670b78894cae0f5f21d39f10fa38b1283497 from master
2020-09-01 10:45:36 +02:00
Mariusz Felisiak
daf4f70eae
[3.1.x] Added stub release notes for 2.2.16 and 3.0.10.
Backport of 8a5683b6b2aede38edcff070686ed1fce470dec5 from master
2020-08-11 11:12:51 +02:00
Mariusz Felisiak
42e31d4922
[3.1.x] Added stub release notes for 3.1.1.
Backport of 6c1923029748de4a0f443260751a93c1e0ea10fa from master
2020-08-04 10:42:58 +02:00
Mariusz Felisiak
3ca8cc0df1
[3.1.x] Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.
This affects sessions and messages cookies.
Backport of 240cbb63bf9965c63d7a3cc9032f91410f414d46 from master
2020-07-16 08:17:45 +02:00
Mariusz Felisiak
4e3b0f56ba
[3.1.x] Added stub release notes for 3.0.9.
Backport of c2a835703f706583542e9dae82749ac3b92819f8 from master
2020-07-01 07:12:40 +02:00
Mariusz Felisiak
031a082d41
[3.1.x] Fixed #31654 -- Fixed cache key validation messages.
Backport of 926148ef019abcac3a9988c78734d9336d69f24e from master
2020-06-05 07:22:24 +02:00
Carlton Gibson
d193aa8da6
[3.1.x] Added stub release notes for 3.0.8.
Backport of 7ec2658e1e24149f0f3244c08c361348f6ebc0e4 from master
2020-06-03 10:55:07 +02:00
Mariusz Felisiak
6227173542
[3.1.x] Added stub release notes for 2.2.13.
Backport of 50798d43898c7d46926a4292f86fdf3859a433da from master
2020-05-14 06:30:02 +02:00
Mariusz Felisiak
8e8ff38cb8
Added stub release notes for 3.0.7.
2020-05-04 07:38:35 +02:00
Carlton Gibson
a7e4ff370c
Added stub release notes for 3.0.6.
2020-04-01 10:09:43 +02:00
Carlton Gibson
a4200e958d
Added stub release notes for 2.2.12.
2020-03-10 12:01:01 +01:00
Mariusz Felisiak
1b3a900a69
Added stub release notes for 3.0.5.
2020-03-04 10:56:07 +01:00
Mariusz Felisiak
6695d29b1c
Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
2020-03-04 09:04:50 +01:00
Mariusz Felisiak
7e8339748c
Added stub release notes for 2.2.11.
2020-02-10 08:18:58 +01:00
Carlton Gibson
273918c25b
Added stub release notes for 3.0.4.
2020-02-03 10:23:54 +01:00
Simon Charette
eb31d84532
Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
2020-02-03 08:49:13 +01:00
Mariusz Felisiak
69331bb851
Added stub release notes for 3.0.3.
2020-01-02 08:36:08 +01:00
Mariusz Felisiak
50a69efb2e
Added stub release notes for 3.0.2.
2019-12-18 10:51:57 +01:00
Mariusz Felisiak
ec12c37384
Refs #31073 -- Added release notes for 02eff7ef60466da108b1a33f1e4dc01eec45c99d.
2019-12-11 10:07:41 +01:00
Mariusz Felisiak
908c67e719
Added stub release notes for 3.0.1.
2019-12-02 21:43:59 +01:00
Mariusz Felisiak
e9def97d10
Added stub release notes for 2.1.15.
2019-11-19 12:33:39 +01:00
Mariusz Felisiak
30359496a3
Added stub release notes for 2.2.8 release.
2019-11-12 14:37:59 +01:00
Mariusz Felisiak
84322a29ce
Added stub release notes for 1.11.26 and 2.1.14.
2019-10-02 07:49:47 +02:00
Carlton Gibson
e1c1eaf0c6
Added stub release notes for 2.2.7.
2019-10-01 10:43:30 +02:00
Mariusz Felisiak
bd7e0f81f8
Added stub release notes for 1.11.25 and 2.1.13.
2019-09-16 07:37:47 +02:00
Mariusz Felisiak
32796826bb
Added stub release notes for 3.1.
2019-09-10 12:00:56 +02:00
Mariusz Felisiak
0d4529d314
Added stub release notes for 2.2.6.
2019-09-04 08:02:32 +02:00
Mariusz Felisiak
1f8382d34d
Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params.
Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.
Thanks Florian Apolloner for the report and helping with tests.
2019-08-14 15:25:35 +02:00
Mariusz Felisiak
1af469e67f
Added stub release notes for 2.2.5.
2019-08-02 20:32:21 +02:00
Carlton Gibson
f13147c8de
Added stub release notes for security releases.
2019-07-25 10:49:30 +02:00
Mariusz Felisiak
08e69cad9c
Added stub release notes for 2.2.4.
2019-07-09 07:39:35 +02:00
Mariusz Felisiak
30b3ee9d0b
Added stub release notes for security releases.
2019-07-01 06:57:27 +02:00
Mariusz Felisiak
1f81e2df69
Added stub release notes for 2.2.3.
2019-06-05 06:57:44 +02:00
Carlton Gibson
98c0fe19ee
Added stub release notes for security releases.
2019-06-03 10:48:52 +02:00