Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
Grouping by LOBs is not allowed on Oracle. This moves a binary field to
a separate model.
Backport of d3a64bea51676fcf8a0ae593cf7b103939e12c87 from main
This makes models.BinaryField pickleable on PostgreSQL.
Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d.
Thanks Adam Zimmerman for the report.
Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
This adjusts Expressions.rename_table_references() to only update alias
when needed.
Regression in 83fcfc9ec8610540948815e127101f1206562ead.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
test_server_login() was a regression test for a crash when passing
Unicode strings to SMTP server using CRAM-MD5 method on Python 2.
Python 2 is no longer supported and test_server_login() passes even
without FakeSMTPChannel.smtp_AUTH() because
smtplib.SMTPAuthenticationError is raised when AUTH is not implemented.
Backport of cdad96e6330cd31185f7496aaf8eb316f2773d6d from main
Thanks Benjamin Locher for the report.
Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b.
Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
DecimalField must itself validate() values, such as NaN, which cannot be
passed to validators, such as MaxValueValidator, during the
run_validators() phase.
Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85.
Backport of c542d0a07237033225c1d57337ca9474a00648f2 from main
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.
In retrospective the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.
The main branch is not affected because the raw SQL column reference
support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff
per the 4.0 deprecation life cycle.
Thanks Joel Saunders for the report.
Regression in b5e12d490af3debca8c55ab3c1698189fdedbbdb.
Thanks Iuri de Silvio for the report.
Backport of 7a9745fed498f69c46a3ffa5dfaff872e0e1df89 from main
Regression in d4ac23bee1c84d8e4610350202ac068fc90f38c0.
Thanks Omkar Deshpande for the report.
Backport of fa0433d05f213afe4c67055006320f7aba4c8108 from main
MySQL 8.0.13+ supports defaults for BLOB/TEXT but not in the
ALTER COLUMN statement.
Regression in 6b16c91157512587017e9178d066ed1a683e7795.
Thanks Matt Westcott for the report.
Backport of 5e04e84d67da8163f365e9f5fcd169e2630e2873 from main
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
Regression in 1e38f1191de21b6e96736f58df57dfb851a28c1f.
Thanks Mohsen Tamiz for the report.
Backport of e703b152c6148ddda1b072a4353e9a41dca87f90 from main
Regression in ec6d2531c59466924b645f314ac33f54470d7ac3.
Thanks JonathanNickelson for the report.
Backport of 12b19a1d76e1a6f80923c8358290d605dacd65d4 from main
Thanks Alexander Ebral for the report.
Regression in 98e05ccde440cc9b768952cc10bc8285f4924e1f.
Backport of 958cdf65ae90d26236d1815bbba804729595ec7a from main
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.
Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc31f1324048af9233583a523ac54c94.
Thanks Shaheed Haque for the report.
Backport of b81c7562fc33f50166d5120138d6398dc42b13c3 from main
The 'db' and 'passwd' connection options have been deprecated, use
'database' and 'password' instead (available since mysqlclient >= 1.3.8).
This also allows the 'database' option in DATABASES['OPTIONS'] on MySQL.
Backport of 1061f5243646b4c9b8a758f8a36c9e2ccdded1cf from main
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
The validate_file_name() sanitation introduced in
0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path
components for storages that may allow them.
Test is skipped pending a discussed storage refactoring to support this
use-case.
Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
Regression in c8b659430556dca0b2fe27cf2ea0f8290dbafecd.
Thanks Kevin Marsh for the report.
Backport of 96f55ccf798c7592a1203f798a4dffaf173a9263 from main
