Thanks stackered for the report.
Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
Thanks Jacob Walls and Simon Charette for tests.
Signed-off-by: SaJH <wogur981208@gmail.com>
Backport of bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a from main
This allows the proper resolving of lookups when performing constraint
validation involving Q and Case objects.
Thanks Andrew Roberts for the report and Sarah for the tests and review.
Backport of 079d31e698fa08dd92e2bc4f3fe9b4817a214419 from main.
This allows the proper resolving of F("field__transform") when
performing constraint validation.
Thanks Tom Hall for the report and Sarah for the test.
Prerequisite for #36518.
Backport of fc303551077c3e023fe4f9d01fc1b3026c816fa4 from main.
When native support for tuple lookups is missing in a DB backend, it can
be emulated with an EXISTS clause. This is controlled by the backend
feature flag "supports_tuple_lookups".
The mishandling of subquery right-hand side in `TupleIn` (added to
support `CompositePrimaryKey` in Refs #373) was likely missed because
the only core backend we test with the feature flag disabled
(Oracle < 23.4) supports it natively.
Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls,
and Natalia Bidart for reviews.
Backport of 192bc7a7be92e20cc250907fb4083df689715679 from main.
Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 104cbfd44b9eff010daf0ef0e1ce434385855b13 from main.
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
Backport of 12c1557060fc94fe5e1fbddc4578a4e29d38f77c from main.
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Backport of cf5f36bf903a2854f5e395149cee707115b83744 from main.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Backport of c1fa3fdd040718356e5a3b9a0fe699d73f47a940 from main.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
Regression in 626d77e52a3f247358514bcf51c761283968099c.
Refs #36116.
Thanks Cornelis Poppema for the excellent report.
Backport of 08187c94ed02c45ad40a32244dedeaa7ac71ca87 from main.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
Backport of c075508b4de8edf9db553b409f8a8ed2f26ecead from main.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
Backport of 90429625a85f1f77dfea200c91bd2dabab57974f from main.
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039.
Thank you to Simon Charette for the review.
co-authored-by: Simon Charette <charette.s@gmail.com>
Backport of b8e5a8a9a2a767f584cbe89a878a42363706f939 from main.
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099.
Thank you to shamoon for the report and Natalia Bidart for the review.
Backport of 1704c49a9b149b66b6a0e67abc8c95293bc35649 from main.
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172.
Thank you to Antoine Humeau for the report and Simon Charette for the review.
Backport of 802baf5da5b8d8b44990a8214a43b951e7ab8b39 from main.
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
Previously, any first field of a composite primary key with type
`INTEGER` was incorrectly introspected as an `AutoField` due to SQLite
treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`.
This change ensures that integer fields in composite PKs are not
mistaken for auto-incrementing fields.
Thanks Jacob Walls and Sarah Boyce for the reviews.
Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
