mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-02-28 19:44:35 +00:00
Code Issues 32 Releases Wiki Activity
31,727 Commits 29 Branches 434 Tags
Commit Graph

13380 Commits

Author SHA1 Message Date
Simon Charette
f4af67b9b4 [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. 
Thanks Eyal (eyalgabay) for the report.
 2024-07-31 16:12:35 +02:00
Mariusz Felisiak
efea1ef7e2 [4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. 
Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 2024-07-31 16:12:23 +02:00
Sarah Boyce
d0a82e26a7 [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thanks to MProgrammer for the report.
 2024-07-31 16:12:11 +02:00
Sarah Boyce
fc76660f58 [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. 
Thanks Elias Myllymäki for the report.

Co-authored-by: Shai Berger <shai@platonix.com>
 2024-07-31 16:11:59 +02:00
Sarah Boyce
7b1a76f899 [4.2.x] Added stub release notes and release date for 4.2.15. 
Backport of 3f880890699d4412cf23b59dba425111f62afb3a from main.
 2024-07-31 11:29:30 +02:00
Lorenzo Peña
96a3497400 [4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). 
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.

Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.

Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
 2024-07-25 09:44:51 +02:00
Natalia
8e59e33400 [4.2.x] Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 to security archive. 
Backport of e095c7612d49dbe371e9c7edd76ba99b6bc4f9f6 from main.
 2024-07-09 12:00:22 -03:00
Sarah Boyce
17358fb35f [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). 
Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.
 2024-07-09 10:40:50 -03:00
Natalia
2b00edc015 [4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. 
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
 2024-07-09 10:40:48 -03:00
Michael Manfre
156d3186c9 [4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. 
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
 2024-07-09 10:40:46 -03:00
Adam Johnson
79f3687642 [4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thank you to Elias Myllymäki for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 2024-07-09 10:40:37 -03:00
Natalia
446cdab134 [4.2.x] Added stub release notes for 4.2.14. 2024-07-03 14:18:28 -03:00
Sarah Boyce
b46b94e66c [4.2.x] Added release notes for 4.2.13. 
Backport of 90175e110e7cfcf07f4ccdaadc45d7ed6302ce00 from main.
 2024-05-07 17:35:16 +02:00
Sarah Boyce
3f9c8fc1f9 [4.2.x] Added release date for 4.2.12. 
Backport of 34a503162fe222033a1cd3249bccad014fcd1d20 from main.
 2024-05-06 14:44:17 +02:00
Sarah Boyce
256f719cb3 [4.2.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class unconditionally in Admin." 
This reverts commit 0fc832676cd585fa420d583937b5b2318bc2c629.
 2024-04-19 13:29:30 +02:00
Adam Johnson
0fc832676c [4.2.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class unconditionally in Admin. 
Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main.
 2024-04-19 11:28:02 +02:00
Natalia
1d85b416aa [4.2.x] Refs #35361 -- Clarified release notes for 4.2.12. 
Backport of cd823778e66307b82469858cfd8d1aa75613b49a from main.
 2024-04-12 15:07:36 +02:00
Natalia
27c32cc991 [4.2.x] Fixed #35361 -- Added release notes for 4.2.12 for backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8. 
Backport of 42435fc55cbf7c04c1389ee46cc50e2565b40e37 from main.
 2024-04-10 18:29:33 +02:00
Mariusz Felisiak
a76c52b19a [4.2.x] Added CVE-2024-27351 to security archive. 
Backport of da39ae4b5f056a332b5c48402a2ae11767e7d577 from main
 2024-03-04 10:12:58 +01:00
Shai Berger
3c9a2771cc [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words(). 
Thanks Seokchan Yoon for the report.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2024-03-04 08:36:56 +01:00
Mariusz Felisiak
7973951139 [4.2.x] Added release date for 4.2.11 and 3.2.25. 
Backport of 977d25416954a72ad100b01762078bf1ceb89a63 from main
 2024-02-26 08:29:04 +01:00
Mariusz Felisiak
cb173bb088 [4.2.x] Fixed #35172 -- Fixed intcomma for string floats. 
Thanks Warwick Brown for the report.

Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9.

Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
 2024-02-08 11:00:36 +01:00
Natalia
227ef29cff [4.2.x] Added CVE-2024-24680 to security archive. 
Backport of c650c1412d1933e339cc93f9b6745c3eedb1c25b from main
 2024-02-06 12:16:50 -03:00
Adam Johnson
572ea07e84 [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter. 
Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
 2024-02-06 09:56:20 -03:00
nessita
9fe7411235
[4.2.x] Pinned black == 23.12.1 for blacken-docs checks. 2024-01-30 05:47:27 +01:00
Natalia
74582b8d11 [4.2.x] Added stub release notes for 4.2.10 and 3.2.24. 
Backport of 06d0a1bd56a9899c351ca047a05813e8dd6a4e17 from main
 2024-01-29 12:09:52 -03:00
Mariusz Felisiak
0a4c5e56b4 [4.2.x] Added release date for 4.2.9. 
Backport of f82a2c3b3d553f36661cfdce5261bffb669d68a9 from main.
 2024-01-02 09:59:12 +01:00
Tom Carrick
ca43990813 [4.2.x] Fixed #35012 -- Restored wrapping admin fieldsets with multiple fields per line. 
Thanks James Gillard for the report.

Regression in 729266c6f29c7a0677b24926a86a767ef3078b26.

Backport of 4aae864463b149393a36e0b18345cf6ed392634d from main
 2023-12-13 12:34:53 +01:00
Mariusz Felisiak
d9ba0ea6cb [4.2.x] Added stub release notes for 4.2.9. 
Backport of 464af0975cac6abc46b3e5c3305194c958fc465b from main
 2023-12-05 06:12:20 +01:00
Mariusz Felisiak
52e28e5fbf [4.2.x] Added release date for 4.2.8. 
Backport of 8fcb9f1f106cf60d953d88aeaa412cc625c60029 from main
 2023-12-04 09:25:56 +01:00
Mariusz Felisiak
6e2d9f0aa8 [4.2.x] Fixed #35006 -- Fixed migrations crash when altering Meta.db_table_comment on SQLite. 
Thanks Юрий for the report.

Regression in 78f163a4fb3937aca2e71786fbdd51a0ef39629e.
Backport of 37fc832a54ad37e75a898a2c8f9ab0820617c4af from main
 2023-11-30 10:11:28 +01:00
Adam Johnson
5b698cbcf1 [4.2.x] Removed link to lawrence.com in contrib.sites docs. 
lawrence.com has since become a redirect to LJWorld.com,
making the link pointless.
Backport of 9e7ac5890147a8271eb5eb19bb88ab93dadc6c6d from main
 2023-11-28 20:12:09 +01:00
Tom Carrick
bd0ea8c2ba [4.2.x] Fixed #34982 -- Fixed admin's read-only password widget and help texts alignment for tablet screen size. 
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

Backport of 729266c6f29c7a0677b24926a86a767ef3078b26 from main
 2023-11-27 15:20:59 -03:00
Mariusz Felisiak
cdb14cc18b [4.2.x] Fixed #34978, Refs #31331 -- Added backward incompatibility note about raw aggregations on MySQL. 
Thanks Matthew Somerville for the report.

Backport of a652f0759651dd7103ed04336ef85dc410f680c1 from main
 2023-11-27 12:44:18 -03:00
Nathaniel Conroy
450d518d2f [4.2.x] Fixed #34992 -- Fixed DatabaseFeatures.allows_group_by_selected_pks on MariaDB with ONLY_FULL_GROUP_BY sql mode. 
Regression in 041551d716b69ee7c81199eee86a2d10a72e15ab.

Backport of 0257426fe1fe9d146fd5813f09d909917ff59360 from main.
 2023-11-27 10:35:56 +01:00
Tom Carrick
bac9e94ace [4.2.x] Fixed #34994 -- Fixed checkbox layout in admin's change page for narrow screen widths. 
Regression in d687febce5868545f99974d2499a91f81a32fef5.

Backport of a89c715c3bcf7ab1a90747cf8658ebce6304b6e4 from main
 2023-11-23 16:57:21 -03:00
Tom Carrick
3d943c4f55 [4.2.x] Fixed #34991 -- Fixed pagination links and input layout in admin's change list page when using list_editable. 
Regression in b4817d20b9e55df30be0b1b2ca8c8bb6d61aab07.

Thanks Tom Carrick for the report and fix.

Backport of 4eb9c3d90aff55182151b6be0122f7d0b28832fd from main
 2023-11-23 10:22:34 -03:00
Simon Charette
cf95de9d24 [4.2.x] Fixed #34987 -- Fixed queryset crash when mixing aggregate and window annotations. 
Regression in f387d024fc75569d2a4a338bfda76cc2f328f627.

Just like `OrderByList` the `ExpressionList` expression used to wrap
`Window.partition_by` must implement `get_group_by_cols` to ensure the
necessary grouping when mixing window expressions with aggregate
annotations is performed against the partition members and not the
partition expression itself.

This is necessary because while `partition_by` is implemented as
a source expression of `Window` it's actually a fragment of the WINDOW
expression at the SQL level and thus it should result in a group by its
members and not the sum of them.

Thanks ElRoberto538 for the report.
Backport of e76cc93b0168fa3abbafb9af1ab4535814b751f0 from main
 2023-11-23 06:10:24 +01:00
Tim Schilling
6d7313bc87 [4.2.x] Fixed #34990 -- Changed link to OWASP in CSRF docs. 
The OWASP site is the standard resource for web application
security information.
Backport of aceee39d44994df20d13104e55ae61845d7a1e95 from main
 2023-11-23 05:28:43 +01:00
Mariusz Felisiak
9afeb6b9b6 [4.2.x] Refs #34118 -- Doc'd Python 3.12 compatibility in Django 4.2.x. 
Backport of ecfea054ee2b8ddfa027459ff8b6aecba05facf7 from main.
 2023-11-19 16:38:33 +01:00
Simon Charette
acf4cee951 [4.2.x] Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations. 
Adjustments made to solve_lookup_type to defer the resolving of
references for summarized aggregates failed to account for similar
requirements for lookup values which can also reference annotations
through Aggregate.filter.

Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d.

Refs #25307.

Thanks Sergey Nesterenko for the report.

Backport of 7530cf3900ab98104edcde69e8a2a415e82b345a from main
 2023-11-18 16:53:24 +01:00
Markus Amalthea Magnuson
47f9b8dca1 [4.2.x] Fixed #34970 -- Clarified Password Validation docs regarding the password_changed callback. 
Backport of 61c305f298da1b4079a80721c861d0663dc8717e from main
 2023-11-15 21:51:32 -03:00
Giannis Terzopoulos
f1e004012f [4.2.x] Removed obsolete sentence in custom model field docs. 
Backport of 36ed45d27cb97fe3a41eca219ba75ff69f16b93c from main
 2023-11-15 13:53:03 +01:00
William Hayes
e9acdff462 [4.2.x] Refs #33690 -- Added missing data-theme selector to example in theming support docs. 
Backport of 640283711e6c8d25ad0e3c97453cd178a3e4d6a6 from main
 2023-11-15 05:28:17 +01:00
Adam Johnson
90c3d71dfe [4.2.x] Fixed #34457 -- Restored output for makemigrations --check. 
Co-authored-by: David Sanders <shang.xiao.sanders@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of f7389c4b07ceeb036436e065898e411b247bca78 from main
 2023-11-09 11:05:54 -03:00
Patrick Rauscher
3d2370607d [4.2.x] Fixed #34813 -- Doc'd usage of integrity HTML attribute with ManifestStaticFilesStorage. 
Backport of 116e225266c511dfc0bfc96c8497e9c8aaa4d004 from main
 2023-11-02 08:27:06 -03:00
Mariusz Felisiak
ce44eaf6d0 [4.2.x] Added stub release notes for 4.2.8. 
Backport of 36173cf29d6ad0b0f0cd24326834dddfff2db7f3 from main
 2023-11-01 08:25:36 +01:00
Mariusz Felisiak
e4c9703ec6 [4.2.x] Added CVE-2023-46695 to security archive. 
Backport of 7caf2621833a45cdfe7e6e305e4885ecc8d79744 from main
 2023-11-01 08:17:50 +01:00
Mariusz Felisiak
048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
 2023-11-01 06:19:20 +01:00
Natalia
3fae5d92da [4.2.x] Refs #30601 -- Fixed typos in docs/topics/db/transactions.txt. 
Backport of 9b18af4f6f12b9d25157e0b5afc3dca198f6dd06 from main
 2023-10-30 13:50:20 -03:00