1
0
mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00
Commit Graph

556 Commits

Author SHA1 Message Date
Natalia
17b51094d7 Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:22:26 -03:00
Mariusz Felisiak
3f41d6d629 Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 11:58:37 +02:00
Nick Pope
500e01073a Fixed #31262 -- Added support for mappings on model fields and ChoiceField's choices. 2023-08-30 22:57:40 -03:00
sarahboyce
f6ed2c36dd Fixed #34787 -- Fixed autoreloader crash when run from installed script on Windows. 2023-08-28 12:57:14 +02:00
konsti
48a1929ca0 Removed unnecessary trailing commas in tests. 2023-08-22 12:42:57 +02:00
Mariusz Felisiak
4c85d94bc0 Fixed utils_tests.test_lazyobject.SimpleLazyObjectPickleTestCase.
SimpleLazyObjectPickleTestCase executes database queries so it must
inherit from django.test.TestCase.
2023-08-20 16:09:07 +02:00
Mariusz Felisiak
4afaeb14c2 Refs #30116 -- Simplified tests related with dictionary order.
Dicts preserve order since Python 3.6.
2023-07-12 11:06:59 +02:00
Nick Pope
e042024b28 Allowed custom formatting of lazy() objects.
This allows for formatting of lazy objects which have a custom formatter
defined by overriding the default implementation from `object`.
2023-06-12 06:09:20 +02:00
Nick Pope
fd97b0471b Allowed multiplication of lazy() objects with int return type. 2023-06-12 05:59:40 +02:00
Ran Benita
ae94077e7d Made proxy class in lazy() prepare eagerly.
Previously, the proxy class was prepared lazily:

  lazy_identity = lazy(identity, int)
  lazy_identity(10)  # prepared here
  lazy_identity(10)

This has a slight advantage that if the lazy doesn't end up getting
used, the preparation work is skipped, however that's not very likely.

Besides this laziness, it is also inconsistent in that the methods which
are wrapped directly (__str__ etc.) are prepared already when __proxy__
is defined, and there is a weird half-initialized state.

This change it so that everything is prepared already on the first line
of the example above.
2023-06-12 05:45:44 +02:00
Nick Pope
e0e0204477 Added more tests for django.utils.functional.lazy(). 2023-06-12 05:29:30 +02:00
Ran Benita
a57d5d9bbc Made bytes and str return types no longer mutually exclusive in lazy().
They are no longer special cased.
2023-06-08 09:15:40 +02:00
Ran Benita
f5817c24f4 Refs #34445 -- Fixed string-casting of non-string lazy objects when value may be bytes.
If the result type is bytes, then calling bytes() on it does nothing.

If the result type is not bytes, we should not cast to bytes, just
because the return value may be bytes.
2023-06-08 06:38:11 +02:00
devilsautumn
094b0bea2c Fixed #34609 -- Deprecated calling format_html() without arguments. 2023-06-06 14:14:57 +02:00
Mariusz Felisiak
fc9c90d9c4 Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
Python 3.12+ no longer wraps exceptions in __set_name__, see
55c99d97e1
2023-05-23 12:56:33 +02:00
Mariusz Felisiak
198a19b692 Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.
Follow up to 813015d67e.
Regression in 8d67e16493.
2023-04-14 17:41:03 +02:00
nessita
813015d67e Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates and interval less than 1 day.
Regression in 8d67e16493.

Thanks Lorenzo Peña for the report.
2023-04-13 13:16:33 -03:00
Ran Benita
066aabcb77 Fixed #34445 -- Fixed string-casting of non-string lazy objects.
This removes __text_cast() as it's the same as __cast().
_delegate_bytes and __delegate_text are mutually exclusive so the
`if self._delegate_bytes` branch in __cast() is unreachable.

Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
2023-03-30 11:42:10 +02:00
Marcelo Galigniana
f9f0092346 Completed test coverage for django.utils.datastructures. 2023-02-15 07:45:00 +01:00
David Smith
097e3a70c1 Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0
2023-02-01 11:04:38 +01:00
Nick Pope
1282b5e420 Fixed #32528 -- Replaced django.utils.topological_sort with graphlib.TopologicalSort().
graphlib.TopologicalSort() is available since Python 3.9.
2023-01-19 06:31:40 +01:00
Mariusz Felisiak
3bbe22dafc Fixed #34233 -- Dropped support for Python 3.8 and 3.9. 2023-01-18 09:46:01 +01:00
Mariusz Felisiak
5c10041f46 Refs #30127 -- Removed name argument for django.utils.functional.cached_property().
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
2fad163257 Refs #32365 -- Removed is_dst argument for various methods and functions.
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
e6f82438d4 Refs #32365 -- Removed support for pytz timezones per deprecation timeline. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
4aa0689080 Refs #32738 -- Removed django.utils.datetime_safe module per deprecation timeline. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
ef46f3778a Refs #32712 -- Removed django.utils.baseconv module per deprecation timeline. 2023-01-17 11:49:15 +01:00
sag᠎e
8cf3831822 Fixed #34243 -- Fixed timesince() crash with timezone-aware dates and interval longer than 1 month.
Regression in 8d67e16493.
2023-01-05 16:38:19 +01:00
Nick Pope
65477fd7da Added support for datetime.date to DateFormat.r(). 2023-01-05 12:51:55 +01:00
GianpaoloBranca
8d67e16493 Fixed #33879 -- Improved timesince handling of long intervals. 2023-01-04 11:14:06 +01:00
Alex Vandiver
cbce427c17 Fixed #34194 -- Added django.utils.http.content_disposition_header(). 2022-12-05 13:08:00 +01:00
Nick Pope
9bd174b9a7 Updated documentation and comments for RFC updates.
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-11-10 13:52:17 +01:00
Jimmy Angelakos
07ebef566f Refs #34000 -- Optimized handling None values in numberformat.format(). 2022-09-12 13:02:50 +02:00
Jimmy Angelakos
e911e0996f Fixed #34000 -- Fixed numberformat.format() crash on empty strings. 2022-09-12 12:54:12 +02:00
Carlton Gibson
e34dfad0a3 Refs #30213 -- Removed post-startup check for Watchman availability.
This is checked at startup in get_reloader(). The runtime check ties
the implementation to Watchman excessively.
2022-08-11 11:02:03 +02:00
Nick Pope
ddf0002bb7 Refs #32948 -- Renamed Node._new_instance() to Node.create().
Node._new_instance() was added in
6dd2b5468f to work around Q.__init__()
having an incompatible signature with Node.__init__().

It was intended as a hook that could be overridden if subclasses needed
to change the behaviour of instantiation of their specialised form of
Node. In practice this doesn't ever seem to have been used for this
purpose and there are very few calls to Node._new_instance() with other
code, e.g. Node.__deepcopy__() calling Node and overriding __class__ as
required.

Rename this to Node.create() to make it a more "official" piece of
private API that we can use to simplify a lot of other areas internally.

The docstring and nearby comment have been reworded to read more
clearly.
2022-07-27 10:06:24 +02:00
Nick Pope
cc52e02c96 Refs #32948 -- Added more tests for django.utils.tree.Node.
The tests for creating new instances or copying instances of Node and
its subclasses didn't fully capture the behaviour of the implementation,
particularly around whether the `children` list or is contents were the
same as the source.
2022-07-27 07:58:29 +02:00
Nick Pope
769d7cce4a Used AND, OR, XOR constants instead of hard-coded values. 2022-07-27 07:55:09 +02:00
Michael Manfre
03eec9ff6c Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Hrushikesh Vaidya
72e41a0df6 Fixed #33779 -- Allowed customizing encoder class in django.utils.html.json_script(). 2022-06-28 10:54:38 +02:00
Mehrdad
d4d5427571 Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
Mariusz Felisiak
439cd73c16 Refs #33173 -- Fixed test_dateparse tests on Python 3.11+.
date/datetime/time.fromisoformat() support any valid ISO 8601 format
in Python 3.11+, see https://github.com/python/cpython/issues/80010.
2022-05-09 10:38:11 +02:00
Carlton Gibson
bb61f0186d Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Florian Apolloner
4f92cf87b0 Prevented initialization of unused database connections. 2022-03-17 07:40:57 +01:00
Adam Johnson
a45f28f0ec Rewrote strip_tags test file to lorem ipsum. 2022-03-08 14:50:06 +01:00
Mariusz Felisiak
d4fd31684a Refs #33173 -- Used locale.getlocale() instead of getdefaultlocale().
locale.getdefaultlocale() was deprecated in Python 3.11, see
https://bugs.python.org/issue46659.
2022-03-08 13:17:05 +01:00
Theo Alexiou
659d2421c7 Fixed #20296 -- Prevented mark_safe() from evaluating lazy objects. 2022-02-21 10:11:26 +01:00
Matthias Kestenholz
b2ed0d78f2 Refs #28358 -- Fixed infinite recursion in LazyObject.__getattribute__().
Regression in 97d7990abd.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Theo Alexiou <theofilosalexiou@gmail.com>
2022-02-17 14:52:17 +01:00
Theo Alexiou
97d7990abd Fixed #28358 -- Prevented LazyObject from mimicking nonexistent attributes.
Thanks Sergey Fedoseev for the initial patch.
2022-02-16 10:51:15 +01:00