When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4d.
Thank you to Anders Kaseorg for the report.
Backport of 12c1557060 from main.
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4d.
Backport of cf5f36bf90 from main.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Backport of c1fa3fdd04 from main.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
Backport of c075508b4d from main.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d5.
Backport of 90429625a8 from main.
These changes include:
* Clarification of the new feature proposal and evaluation process.
* Reodering "points to consider" into reporting bugs section, since
these are mostly trac-specific.
* Narrowing the guide on user interface bugs and features to just bugs.
* Updating documentation for Someday/Maybe triage stage.
Co-authored-by: Tim Schilling <schilling711@gmail.com>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 188799e67c from main.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 66f9eb0ff1 from main.
Previously, any first field of a composite primary key with type
`INTEGER` was incorrectly introspected as an `AutoField` due to SQLite
treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`.
This change ensures that integer fields in composite PKs are not
mistaken for auto-incrementing fields.
Thanks Jacob Walls and Sarah Boyce for the reviews.
Backport of 07100db6f4 from main.
The issue was only manifesting itself when also filtering againt a related
model as that forces the usage of a subquery because SQLUpdateCompiler doesn't
support the UPDATE FROM syntax yet.
Regression in 65ad4ade74.
Refs #28900.
Thanks Gav O'Connor for the detailed report.
Backport of 8ef4e0bd42 from main.
Regression in aba0e541ca and in
d5bebc1c26.
Thanks Florent Messa for the report, and Jake Howard and Claude
Paroz for the review.
Backport of 0596263c31 from main.
Revision 1e9db35836 fixed a regression in
55d89e25f4, which also needs to be
backported to the stable branches in extended support (5.1.x and 4.2.x).
Backport of c86242d61f from main.
Regression in 55d89e25f4.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836 from main.
This reverts commits b1324a680a and
02a5cbfe76. The former caused a regression
in admin sites that relied on the `object-tools` block being inside the
`content` block.
Thank you to Fabian Braun for the report.
Backport of 1bc805e23b from main.
