mirror of https://github.com/django/django.git synced 2025-10-26 07:06:08 +00:00
Commit Graph

5262 Commits

Author SHA1 Message Date
Natalia
e8d4a20059 [5.0.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-01-14 09:00:34 -03:00
Natalia
96d8404771 [5.0.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
2024-09-03 09:33:01 -03:00
Sarah Boyce
813de2672b [5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-09-03 09:32:43 -03:00
Lorenzo Peña
e18601273a [5.0.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.

Regression in 9e9792228a.

Backport of 0e94f292cd from main.
2024-07-25 09:42:17 +02:00
Matthew Somerville
68f65630c6 [5.0.x] Updated example links in urlize docs.
goo.gl links are being removed in 2025:
https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/

Backport of fb7be022cb from main.
2024-07-23 14:05:38 +02:00
Sarah Boyce
8e7a44e4be [5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.
2024-07-09 10:03:38 -03:00
Mariusz Felisiak
43aa0c103b [5.0.x] Removed outdated note about limitations in Clickjacking protection.
There is no need to list old browser versions or point users to
workarounds.
Backport of f302343380 from main.
2024-07-04 18:13:25 -03:00
Andrew Miller
4cf7199078 [5.0.x] Fixed #23790 -- Warned about renaming AppConfig.label in docs/ref/applications.txt.
Backport of aa74c4083e from main.
2024-07-01 21:53:50 -03:00
Mariusz Felisiak
3925476ca0 [5.0.x] Made cosmetic edits to code snippets reformatted with blacken-docs.
Backport of 0f694ce2eb from main.
2024-05-30 09:42:50 -03:00
sobolevn
9b5029f048 [5.0.x] Fixed #35426 -- Updated querysets to be a required argument of GenericPrefetch.
Backport of 9a27c76021 from main.
2024-05-04 11:34:12 +02:00
Shamil
59c3f8a539 [5.0.x] Fixed #35427 -- Corrected help text for makemessages --extension in docs/ref/django-admin.txt.
Backport of 32d163e680 from main.
2024-05-03 23:06:29 -03:00
Adam Zapletal
f29922b6ef [5.0.x] Fixed #20744 -- Removed hint that arbitrary kwargs are allowed when creating forms.Fields.
Backport of 828b94b178 from main
2024-04-26 14:38:41 -03:00
David Sanders
d36ecbd530 [5.0.x] Doc'd that RemoveField also drops related database objects in PostgreSQL.
Backport of f0d50a9379 from main
2024-04-16 13:11:41 -03:00
Mohammad Kazemi
10efefcb28 [5.0.x] Extended docs for Q() objects mentioning the ~ (NOT) operator.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

Backport of 47c608202a from main.
2024-04-15 13:17:35 -03:00
Adam Johnson
f975cf10e0 [5.0.x] Fixed settings path in docs for installing SpatiaLite with Homebrew.
Co-authored-by: Adam Zapletal <adamzap@gmail.com>

Backport of 8bbf73ca74 from main
2024-04-10 19:47:39 -03:00
Carlton Gibson
58061fd2b4 [5.0.x] Refs #35354 -- Clarified FORCE_SCRIPT_NAME docs.
Backport of ca5cd3e3e8 from main
2024-04-05 16:31:13 -03:00
Adam Zapletal
71368b6f00 [5.0.x] Added RowNumber() link in Rank() docs.
Backport of fd2514d17d from main
2024-03-21 05:52:35 +01:00
Adam Zapletal
710ca57681 [5.0.x] Fixed #25595 -- Doc'd that URLValidator rejects file:// URIs without a host.
Backport of 7326513a8f from main
2024-03-11 09:24:42 +01:00
canhuynh1998
ef23305a19 [5.0.x] Fixed #35280 -- Improved iriencode filter example in docs.
Backport of a7baa874d8 from main
2024-03-10 18:50:11 +01:00
Mariusz Felisiak
85e2b08068 [5.0.x] Fixed broken links and redirects in docs.
Backport of 177e649396 from main
2024-03-06 08:51:35 +01:00
Mohammad Alsakhawy
4dae21ad97 [5.0.x] Updated broken links in docs/ref/contrib/gis/tutorial.txt.
Backport of f06bb7c88a from main
2024-03-06 06:48:58 +01:00
kbehlers
24de8113a8 [5.0.x] Fixed typo in docs/ref/contrib/admin/index.txt.
Backport of 3cb1ba50cc from main
2024-02-29 08:31:46 +01:00
Mariusz Felisiak
bf7fedc446 [5.0.x] Removed #django-geo IRC channel in docs.
It's been inactive for several years.
Backport of 11695b8fdd from main
2024-02-28 19:06:32 +01:00
David Sanders
a8de04f8db [5.0.x] Refs #34964 -- Doc'd that Q expression order is preserved.
Backport of 7714ccfeae from main
2024-02-28 13:06:30 +01:00
sandjio
e72fdc850a [5.0.x] Fixed #35153 -- Added note about locale name notation to FORMAT_MODULE_PATH docs.
Co-authored-by: Paul Hermans <paul.hermans@benemtech.com>

Backport of 9bd849c8d5 from main
2024-02-20 06:11:51 +01:00
Adam Johnson
23c7cbfd24 [5.0.x] Fixed #28011 -- Corrected Field.hidden docs.
Backport of 7ba6c9edc5 from main
2024-02-17 19:22:20 +01:00
Alexander Lazarević
28d6db26a2 [5.0.x] Fixed #35141 -- Clarified the expected type of CACHE_MIDDLEWARE_SECONDS setting.
Backport of a5365339ea from main
2024-01-29 19:24:10 +01:00
Mariusz Felisiak
0379e7532f [5.0.x] Applied Black's 2024 stable style.
https://github.com/psf/black/releases/tag/24.1.0

Backport of 305757aec1 from main
2024-01-26 12:55:56 +01:00
duranbe
b2601a77f9 [5.0.x] Fixed #34971 -- Doc'd additional loggers.
Co-authored-by: duranbe <benoit.durand.mail@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 0450c9bdf1 from main
2024-01-24 08:48:17 -03:00
Emmanuel Katchy
c4a6a8d815 [5.0.x] Updated "Dive Into Python" links.
Backport of 12ffcfc350 from main
2024-01-20 22:22:49 +01:00
Baptiste Mispelon
a7b35aa7c9 [5.0.x] Used more specific link to email backends in EMAIL_BACKEND docs.
Backport of 1592f0ac22 from main
2024-01-16 20:10:39 +01:00
jordanbae
dd2d76803c [5.0.x] Fixed #34949 -- Clarified when UniqueConstraints with include/nulls_distinct are not created.
Backport of 4fec1d2ce3 from main
2024-01-15 14:16:12 +01:00
Salvo Polizzi
c69dbc7c10 [5.0.x] Fixed #35069 -- Fixed typo in docs/ref/forms/api.txt.
Backport of dc26a3d563 from main
2023-12-30 15:00:33 +01:00
Mariusz Felisiak
f33eddff8a [5.0.x] Corrected code-block directives in docs.
Backport of 0be6dde817 from main
2023-12-28 19:53:02 +01:00
David D Lowe
7e3ba869a6 [5.0.x] Improved DEFAULT_FROM_EMAIL/SERVER_EMAIL docs.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>

Backport of 61aae838f7 from main
2023-12-28 09:44:37 +01:00
Amin Shah Gilani
d8bff5adda [5.0.x] Doc'd that users with unusable passwords cannot request a password reset.
Backport of 47033bfd48 from main
2023-12-19 14:05:01 -03:00
Viicos
6bf8ca7b16 [5.0.x] Added missing import in docs/ref/models/expressions.txt.
Backport of e28bd6776d from main
2023-12-15 11:17:32 +01:00
David Sanders
58274bbd37 [5.0.x] Added clarifications about the DATABASES.TIME_ZONE setting in docs.
These include:
 - Doc'd which is the default used when DATABASES.TIME_ZONE is None.
 - Doc'd that the database connection's time zone setting is set for
   PostgreSQL and clarified that it may be necessary to set it to the
   same value as TIME_ZONE.

Co-authored-by: David Smith <39445562+smithdc1@users.noreply.github.com>
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>

Backport of acfc7e3a73 from main
2023-12-14 14:38:25 -03:00
Yashas
6c992dc003 [5.0.x] Fixed #35016 -- Doc'd that DATABASES["OPTIONS"] are passed to new PostgreSQL connections.
Backport of eeb2119985 from main
2023-12-08 09:38:54 +01:00
Adrien
b8a476b745 [5.0.x] Improved wording in auth.models.User field docs.
Co-authored-by: Lily Foote <code@lilyf.org>

Backport of 79099a7ba4 from main
2023-12-01 11:28:37 +01:00
KimSia Sim
b4a29210cf [5.0.x] Updated conditions to retrieve primary keys in bulk_create() docs.
Backport of c9ce764f59 from main.
2023-11-29 13:00:32 +01:00
Adam Johnson
0216d82066 [5.0.x] Removed link to lawrence.com in contrib.sites docs.
lawrence.com has since become a redirect to LJWorld.com,
making the link pointless.
Backport of 9e7ac58901 from main
2023-11-28 20:11:48 +01:00
Mariusz Felisiak
92af3d4d23 [5.0.x] Refs #34380 -- Added FORMS_URLFIELD_ASSUME_HTTPS transitional setting.
This allows early adoption of the new default "https".

Backport of a4931cd75a from main.
2023-11-28 20:08:10 +01:00
Adam Johnson
4c74dff759 [5.0.x] Refs #34380 -- Improved docs for forms.URLField.assume_scheme.
Backport of 0203771b62 from main
2023-11-25 18:53:34 +01:00
Tim Schilling
06bdf62b56 [5.0.x] Fixed #34990 -- Changed link to OWASP in CSRF docs.
The OWASP site is the standard resource for web application
security information.
Backport of aceee39d44 from main
2023-11-23 05:28:15 +01:00
David Smith
7f0275d8cb [5.0.x] Refs #32819 -- Used auto_id instead of id_for_label as unique identifier for the field.
`id_for_label` is blank for widgets with multiple inputs such as radios
and multiple checkboxes. Therefore, `help_text` for fields using these
widgets cannot currently be associated using `aria-describedby`.
`id_for_label` is being used as a guard to avoid incorrectly adding
`aria-describedby` to those widgets.

This change uses `auto_id` as the unique identifier for the field's
`help_text`. A guard is added to avoid incorrectly adding
`aria-describedby` to inputs by checking the widget's `use_fieldset`
attribute. Fields rendered in a `<fieldset>` should have
`aria-describedby` added to the `<fieldset>` and not every `<input>`.

Backport of 292f1ea90f from main
2023-11-16 13:27:18 +01:00
William Hayes
effd704a1c [5.0.x] Refs #33690 -- Added missing data-theme selector to example in theming support docs.
Backport of 640283711e from main
2023-11-15 05:27:51 +01:00
Mariusz Felisiak
fcc55f8c26 [5.0.x] Refs #34944 -- Propagated system checks for GeneratedField.output_field.
Backport of c705625ebf from main
2023-11-14 20:22:41 +01:00
Mariusz Felisiak
ddbe5c86e8 [5.0.x] Fixed #34944 -- Made GeneratedField.output_field required.
Regression in f333e3513e.

Backport of 5875f03ce6 from main
2023-11-14 20:22:33 +01:00
Adam Johnson
8eba6efbf0 [5.0.x] Fixed #34457 -- Restored output for makemigrations --check.
Co-authored-by: David Sanders <shang.xiao.sanders@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of f7389c4b07 from main
2023-11-09 10:44:07 -03:00