Jacob Walls
467aeeb569
[5.1.x] Bumped version for 5.1.13 release.
5.1.13
2025-10-01 09:01:21 -04:00
Sarah Boyce
74fa85c688
[5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().
...
Thanks stackered for the report.
Follow up to 05413afa8c.
Backport of 924a0c092e from main.
2025-10-01 08:53:50 -04:00
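The commit above names the bug class but not the mechanism, and the following does not claim to reproduce what archive.extract() did. It is an added illustration (not Django's code) of what "partial directory traversal" generally means: a containment check that compares the resolved path to the destination as a string prefix, and therefore accepts a sibling directory whose name merely starts with the destination's name, placed beside a check that compares path components. The destination and member names are constructed.

```python
import posixpath

# Constructed example inputs: an extraction destination and archive member
# names as an attacker could choose them (hypothetical, not from a real archive).
DESTINATION = "/srv/extract/out"
MEMBERS = [
    "docs/readme.txt",       # benign, stays inside the destination
    "../../../etc/passwd",   # classic traversal, leaves the destination entirely
    "../out2/evil.sh",       # partial traversal: sibling dir shares the prefix "out"
]


def resolve(base, member):
    """Join and normalise the member name the way an extractor would before writing."""
    return posixpath.normpath(posixpath.join(base, member))


def contained_by_prefix(base, member):
    """Flawed containment check: plain string prefix.
    '/srv/extract/out2/evil.sh'.startswith('/srv/extract/out') is True,
    so the sibling directory passes."""
    return resolve(base, member).startswith(posixpath.normpath(base))


def contained_by_components(base, member):
    """Hardened check: compare path components, not characters.
    posixpath.commonpath() only returns the base when the target lies below it."""
    base = posixpath.normpath(base)
    target = resolve(base, member)
    return posixpath.commonpath([base, target]) == base


def classify(base, members):
    """Return {member: (prefix_check_result, component_check_result)} for each member."""
    return {
        m: (contained_by_prefix(base, m), contained_by_components(base, m))
        for m in members
    }


if __name__ == "__main__":
    for member, (weak, strong) in classify(DESTINATION, MEMBERS).items():
        print(f"{member!r:24} prefix_check={weak!s:5} component_check={strong}")
```

The classic `../../../etc/passwd` is rejected by both checks; only the component-wise comparison rejects `../out2/evil.sh`. Any extractor that derives its containment decision from `startswith()` on a normalised path has this gap unless it also appends a trailing separator to the base before comparing.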
Mariusz Felisiak
01d2d770e2
[5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
...
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f.
Backport of 41b43c74bd from main.
2025-10-01 08:53:17 -04:00
Mariusz Felisiak
cbe5042d85
[5.1.x] Added stub release notes and release date for 5.1.13 and 4.2.25.
...
Backport of 00174507f8 from main.
2025-09-24 11:47:22 -04:00
Mariusz Felisiak
27e230ff25
[5.1.x] Added missing backticks in docs/releases/security.txt.
...
Backport of 686a8a62ae from main
2025-09-04 11:11:09 +02:00
Sarah Boyce
26fc64332c
[5.1.x] Added CVE-2025-57833 to security archive.
...
Backport of f0c05a40d2 from main.
2025-09-03 15:29:23 +02:00
Sarah Boyce
dc002e5d2d
[5.1.x] Post-release version bump.
2025-09-03 13:37:20 +02:00
Sarah Boyce
f71d9c35e4
[5.1.x] Bumped version for 5.1.12 release.
5.1.12
2025-09-03 13:32:35 +02:00
Jake Howard
102965ea93
[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
...
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 5171171709 from main.
2025-09-03 13:31:32 +02:00
Sarah Boyce
44cd014a0a
[5.1.x] Added stub release notes and release date for 5.1.12 and 4.2.24.
...
Backport of 4c71e33440 from main.
2025-08-27 16:10:48 +02:00
Natalia
09801786df
[5.1.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
...
Python fixed a quadratic complexity processing for HTMLParser in:
https://github.com/python/cpython/commit/6eb6c5db.
Backport of 2980627502 from main.
2025-08-13 17:49:04 -03:00
Natalia
19e7b95552
[5.1.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following Python's HTMLParser fixed parsing.
...
Further details about Python changes can be found in:
0243f97cba.
Refs #36499. Thank you Clifford Gama for the thorough review!
Backport of e4515dad7a from main.
2025-08-13 17:49:04 -03:00
Natalia
9d9b3bc717
[5.1.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.
2025-08-04 21:55:27 -03:00
nessita
37f6474380
[5.1.x] Fixed GitHub Action that checks commit prefixes to fetch PR head correctly.
...
Backport of 8499fba0e1 from main.
2025-07-16 15:37:35 -03:00
nessita
31045931aa
[5.1.x] Added GitHub Action to enforce stable branch commit message prefix.
...
Backport of 10386fac00 from main.
2025-07-16 08:39:34 -03:00
Sarah Boyce
97c753741a
[5.1.x] Added follow-up to CVE-2025-48432 to security archive.
...
Backport of 2714bc3f2c from main.
2025-06-10 15:15:14 +02:00
Sarah Boyce
353a6af6d9
[5.1.x] Post-release version bump.
2025-06-10 11:50:05 +02:00
Sarah Boyce
2285698fc1
[5.1.x] Bumped version for 5.1.11 release.
5.1.11
2025-06-10 11:47:54 +02:00
Jake Howard
31f4bd31fa
[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
...
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552 from main.
2025-06-06 09:09:06 -03:00
Natalia
363d256685
[5.1.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.
...
Backport of ff835f439c from main.
2025-06-06 09:07:54 -03:00
Natalia
15e4df1d33
[5.1.x] Refactored logging_tests to reuse assertions for log records.
...
Backport of 9d72e7daf7 from main.
2025-06-06 09:07:48 -03:00
Natalia
976e34a2a5
[5.1.x] Added CVE-2025-48432 to security archive.
...
Backport of 51923c576a from main.
2025-06-04 10:58:49 -03:00
Natalia
400170b69e
[5.1.x] Post-release version bump.
2025-06-04 08:49:22 -03:00
Natalia
23a853821b
[5.1.x] Bumped version for 5.1.10 release.
5.1.10
2025-06-04 08:46:54 -03:00
Natalia
596542ddb4
[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().
...
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
2025-06-04 08:46:07 -03:00
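The fix commit above describes the mitigation (escape every positional formatting argument with "unicode_escape" before it reaches the logger), and the 5.1.11 follow-ups above it route the remaining response logging through the same helper. The following added example, written for this page and not Django's own log_response(), shows the injection and the escape side by side: a constructed request path carrying CRLF and a fake record, logged once without escaping and once with it. The logger name, format string and the simplified `log_response()` stand-in are assumptions for the illustration.

```python
import io
import logging

# Constructed sample request path: an attacker embeds CRLF followed by text
# shaped like a second log record, so a naive logger emits two lines.
FORGED_PATH = "/login\r\n[WARNING] django.request: Not Found: /admin"


def escape_log_args(args):
    """Escape positional formatting arguments with 'unicode_escape', as the
    commit message describes: CR/LF, other control characters and backslashes
    become visible escape sequences, so an argument can no longer terminate
    the record and start a new line. Non-string arguments pass through."""
    return tuple(
        arg.encode("unicode_escape").decode("ascii") if isinstance(arg, str) else arg
        for arg in args
    )


def log_response(message, *args, logger, level=logging.WARNING, escape=True):
    """Simplified stand-in for a response logger (hypothetical, not Django's
    helper). With escape=False it behaves like the vulnerable version."""
    if escape:
        args = escape_log_args(args)
    logger.log(level, message, *args)


def _capture_logger(name):
    """Fresh, unregistered logger writing to an in-memory buffer."""
    buf = io.StringIO()
    logger = logging.Logger(name, level=logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("[%(levelname)s] %(name)s: %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_lines(path, escape):
    """Log one 'Not Found' record for `path` and return the resulting log lines."""
    logger, buf = _capture_logger("django.request")
    log_response("Not Found: %s", path, logger=logger, escape=escape)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("vulnerable:", log_lines(FORGED_PATH, escape=False))
    print("escaped:   ", log_lines(FORGED_PATH, escape=True))
```

Two caveats a practitioner should keep in mind: "unicode_escape" also turns non-ASCII characters into `\xNN` or `\uNNNN` sequences and doubles backslashes, so log post-processing that expects raw UTF-8 request paths must decode accordingly; and the escaping covers only the positional arguments, so the format string itself must never be built from untrusted input.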
Natalia
a70841bc03
[5.1.x] Added stub release notes and release date for 5.1.10 and 4.2.22.
...
Backport of 1a74434399 from main.
2025-05-28 10:19:23 -03:00
Jason Judkins
129750a807
[5.1.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625.
...
Backport of 1307b8a1cb from main.
2025-05-26 12:37:29 -03:00
Natalia
32a9cb2179
[5.1.x] Added helpers in csrf_tests and logging_tests to assert logs from log_response().
...
Backport of ad6f998898 from main.
2025-05-22 15:42:30 -03:00
Natalia
bb92acacac
[5.1.x] Refs #26688 -- Added tests for log_response() internal helper.
...
Backport of 8970468159 from main.
2025-05-22 15:42:28 -03:00
Natalia
85bdeb31e2
[5.1.x] Refs #35980 -- Added release note about changes in release artifacts filenames.
...
Backport of 42ab99309d from main.
2025-05-09 13:31:53 -03:00
Natalia
503128a7d1
[5.1.x] Removed "Expected" from release date for 5.1.9 and 4.2.21.
...
Backport of c86156378d from main.
2025-05-09 13:30:58 -03:00
Natalia
73f70b5cc8
[5.1.x] Cleaned up CVE-2025-32873 security archive description.
...
Backport of 37f2a77c72 from main.
2025-05-07 11:37:34 -03:00
Natalia
05fab4e394
[5.1.x] Added CVE-2025-32873 to security archive.
...
Backport of fdabda4e05 from main.
2025-05-07 11:09:35 -03:00
Natalia
2eb42068c2
[5.1.x] Post-release version bump.
2025-05-06 22:35:14 -03:00
Natalia
db5c8a97bb
[5.1.x] Bumped version for 5.1.9 release.
5.1.9
2025-05-06 22:32:13 -03:00
Sarah Boyce
0b42f6a528
[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
...
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519 from main.
2025-05-06 22:31:16 -03:00
Natalia
1520d18e9c
[5.1.x] Added upcoming security release to release notes.
...
Backport of 0f5dd0dff3 from main.
2025-04-30 14:56:53 -03:00
nessita
660067f8e7
[5.1.x] Refs #36341 -- Added release notes for 5.1.9 and 4.2.21 for fix in wordwrap template filter.
...
Revision 1e9db35836 fixed a regression in
55d89e25f4, which also needs to be
backported to the stable branches in extended support (5.1.x and 4.2.x).
Backport of c86242d61f from main.
2025-04-23 17:30:05 -03:00
Matti Pohjanvirta
09a1813cb8
[5.1.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.
...
Regression in 55d89e25f4.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836 from main.
2025-04-23 17:29:29 -03:00
Mariusz Felisiak
0aa0224107
[5.1.x] Fixed warnings per flake8 7.2.0.
...
https://github.com/PyCQA/flake8/releases/tag/7.2.0
Backport of 281910ff8e from main.
2025-04-23 09:37:33 -03:00
nessita
3215e2a232
[5.1.x] Pinned isort version to "<6.0.0" to avoid undesired reformat.
...
Backport of 0671a461c4 from main.
2025-04-23 08:54:10 -03:00
Baptiste Mispelon
af6d305fc7
[5.1.x] Fixed #36320 -- Ignored "duplicated_toc_entry" for ePub docs build.
...
Backport of ac16d2876d from main
2025-04-12 19:40:16 +02:00
Sarah Boyce
39b144badd
[5.1.x] Fixed #36298 -- Truncated the overwritten file content in file_move_safe().
...
Regression in 58cd4902a7 .
Thanks Baptiste Mispelon for the report.
Backport of 8ad3e80e88 from main.
2025-04-07 16:15:25 +02:00
Nick Pope
bbf376bbc8
[5.1.x] Fixed #35980 -- Updated setuptools to normalize package names in built artifacts.
...
Backport of 3ae049b26b from main.
2025-04-03 12:38:49 -03:00
Sarah Boyce
be13608613
[5.1.x] Added CVE-2025-27556 to security archive.
...
Backport of b83dab7d8d from main.
2025-04-02 13:33:19 +02:00
Sarah Boyce
ac90c54a86
[5.1.x] Post-release version bump.
2025-04-02 10:39:38 +02:00
Sarah Boyce
5773bc9cf9
[5.1.x] Bumped version for 5.1.8 release.
5.1.8
2025-04-02 10:29:55 +02:00
Sarah Boyce
edc2716d01
[5.1.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
...
Thank you sw0rd1ight for the report.
Backport of 39e2297210 from main.
2025-04-02 10:28:26 +02:00
Babak Mahmoudy
b3b09dc6ce
[5.1.x] Fixed #36213 -- Doc'd MySQL's handling of self-select updates in QuerySet.update().
...
Co-authored-by: Andro Ranogajec <ranogaet@gmail.com>
Backport of be1b776ad8 from main.
2025-04-02 08:48:02 +02:00
Clifford Gama
3fdc8c31da
[5.1.x] Clarified pre_delete and post_delete's origin attributes.
...
Backport of 9d5d0e8135 from main.
2025-03-31 16:13:06 +02:00