mirror of https://github.com/django/django.git synced 2025-07-08 19:59:11 +00:00

3973 Commits

Author SHA1 Message Date
Carlton Gibson
b3e4494d75 [3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
2022-08-03 08:48:33 +02:00
Carlton Gibson
a5eba20f40 Adjusted release notes for 3.2.15.
Backport of cadd864f6878c1c02a014589876ece166befdeb3 from main
2022-07-27 10:05:04 +02:00
Carlton Gibson
ad104fb50f [3.2.x] Added stub release notes for 3.2.15 release.
Backport of 0c1675781ec5944132fe5a475ca6064edc71bd81 from main
2022-07-27 09:34:30 +02:00
Mariusz Felisiak
e1cfbe58b7 [3.2.x] Added CVE-2022-34265 to security archive.
Backport of d12d7c4c42814736c24731a6a300a79526fc2ef6 from main
2022-07-04 10:34:52 +02:00
Mariusz Felisiak
a9010fe555 [3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2022-07-04 08:41:33 +02:00
Mariusz Felisiak
1a9098166e [3.2.x] Fixed docs build with sphinxcontrib-spelling 7.5.0+.
sphinxcontrib-spelling 7.5.0+ includes captions of figures in the set
of nodes for which the text is checked.

Backport of ac90529cc58507d9a07610809a795ec5fc3cbf8c from main.
2022-06-27 08:10:48 +02:00
Mariusz Felisiak
37f4de2deb [3.2.x] Added stub release notes for 3.2.14.
Backport of b2eff16806057095c7dd3daa9402ad615e51627f from main
2022-06-27 07:23:46 +02:00
Mariusz Felisiak
e01b383e02 [3.2.x] Added CVE-2022-28346 and CVE-2022-28347 to security archive.
Backport of 78eeff8d33ead67cfc8603477c95e70f8fbe096a from main
2022-04-11 10:36:52 +02:00
Mariusz Felisiak
9e19accb6e [3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11 09:12:58 +02:00
Mariusz Felisiak
2044dac5c6 [3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11 09:12:06 +02:00
Manel Clos
bdb92dba0b [3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes.
Regression in 68357b2ca9e88c40fc00d848799813241be39129.

Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
2022-04-11 08:34:01 +02:00
Mariusz Felisiak
70035fb044 [3.2.x] Added stub release notes for 3.2.13 and 2.2.28.
Backport of 78277faafd38d8360efc1fd0c9c52d7bb5eec002 from main
2022-04-04 10:51:06 +02:00
David Smith
754af45773 [3.2.x] Fixed typo in release notes.
Backport of 770d3e6a4ce8e0a91a9e27156036c1985e74d4a3 from main.
2022-02-02 07:19:30 +01:00
Mariusz Felisiak
6f309165e5 [3.2.x] Added CVE-2022-22818 and CVE-2022-23833 to security archive.
Backport of 9e0df0d6dde441dbbad2b548d777e0a01d633286 from main
2022-02-01 08:53:32 +01:00
Mariusz Felisiak
d16133568e [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.

Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
2022-02-01 07:54:17 +01:00
Markus Holtermann
1a1e8278c4 [3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report.

Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-02-01 07:53:21 +01:00
Mariusz Felisiak
a7e89fe776 [3.2.x] Added stub release notes for 3.2.12 and 2.2.27.
Backport of eeca9342381c8583be16f18942774e785ab7e527 from main.
2022-01-25 07:27:35 +01:00
Carlton Gibson
027f4c4ceb [3.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive.
Backport of 63869ab1f191ab5781cde8b813b838300455f6d6 from main
2022-01-04 11:31:13 +01:00
Florian Apolloner
8d2f7cff76 [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
2022-01-04 10:19:49 +01:00
Florian Apolloner
c7fe895bca [3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:19:49 +01:00
Florian Apolloner
a8b32fe13b [3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:19:49 +01:00
Carlton Gibson
b0aa0709a5 [3.2.x] Added stub release notes for 3.2.11, and 2.2.26 releases.
Backport of b13d920b7b56d3e088e35311f5ee54f25d2779af from main.
2021-12-28 10:09:49 +01:00
Mariusz Felisiak
ecd2793897 [3.2.x] Added CVE-2021-44420 to security archive.
Backport of 8747052411275d290b2152ffcb8dee11afbb82cd from main
2021-12-07 08:54:16 +01:00
Florian Apolloner
333c656030 [3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-12-07 06:32:24 +01:00
Mariusz Felisiak
cb724ef6c0 [3.2.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField on PostgreSQL.
This makes models.BinaryField pickleable on PostgreSQL.

Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d.

Thanks Adam Zimmerman for the report.

Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
2021-12-03 12:01:28 +01:00
Mariusz Felisiak
487a2da02e [3.2.x] Added stub release notes and release date for 3.2.10, 3.1.14 and 2.2.25.
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main
2021-11-30 11:26:39 +01:00
Mariusz Felisiak
dfa1145a22 [3.2.x] Corrected multiply defined labels in docs.
Backport of 60503cc747eeda7c61bab02b71f8f55a733a6eea from main
2021-11-04 10:46:55 +01:00
Mariusz Felisiak
34e5e61479 [3.2.x] Added stub release notes for Django 3.2.10.
Backport of d811fa1d1012e746719aa3af351f56ad21f92610 from main
2021-11-01 10:42:47 +01:00
Mariusz Felisiak
e299cc2d2c [3.2.x] Added release date for 3.2.9.
Backport of 7ec603ba259083298c9598a41987b4c4f2a5d134 from main
2021-11-01 10:19:37 +01:00
Hannes Ljungberg
f5802a21c4 [3.2.x] Fixed #33194 -- Fixed migrations when altering a field with functional indexes on SQLite.
This adjusts Expressions.rename_table_references() to only update alias
when needed.

Regression in 83fcfc9ec8610540948815e127101f1206562ead.

Co-authored-by: Simon Charette <charettes@users.noreply.github.com>

Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
2021-10-18 09:37:46 +02:00
Mariusz Felisiak
82fee0446d [3.2.x] Refs #32074 -- Doc'd Python 3.10 compatibility in Django 3.2.x.
Backport of 604df4e0adc71da264f61fe85020a170c98e6f09 from main.
2021-10-05 13:33:15 +02:00
Carlton Gibson
329311ecbd [3.2.x] Added stub release notes for Django 3.2.9.
Backport of c113f7fb0dae0dfd066d05acd1032c9f57a5aaf9 from main
2021-10-05 09:40:24 +02:00
Carlton Gibson
65367b0500 [3.2.x] Added release date for 3.2.7.
Backport of c5776bfca9e3f35e0ab5aacbdc1a4dbfe92fdfd1 from main
2021-10-05 09:09:17 +02:00
Carlton Gibson
6760f4fa25 [3.2.x] Fixed #33083 -- Fixed selecting all items in the admin changelist when actions are both top and bottom.
Thanks Benjamin Locher for the report.

Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b.
Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
2021-09-21 19:59:41 +02:00
Ken Whitesell
d4a587a5fa [3.2.x] Fixed #33077 -- Fixed links to related models for admin's readonly fields in custom admin site.
Backport of 0a9aa02e6f1d1b9ceca155d281a2be624bb1d3a2 from main
2021-09-18 20:10:06 +02:00
Mariusz Felisiak
707239eabf [3.2.x] Added stub release notes for Django 3.2.8.
Backport of af10e97531a59e4af09b5ec0c1a3ea476f2b6015 from main
2021-09-01 09:51:50 +02:00
Mariusz Felisiak
4b80a40272 [3.2.x] Added release date for 3.2.7.
Backport of f3a0dc5b2a0e5ef6fa2ae896ede6a7d56e20653b from main
2021-09-01 07:42:25 +02:00
Carlton Gibson
fe3a854e1d [3.2.x] Fixed #32992 -- Restored offset extraction for fixed offset timezones.
Regression in 10d126198434810529e0220b0c6896ed64ca0e88.

Backport of cbba49971bbbbe3e8c6685e4ce6ab87b1187ae87 from main
2021-08-30 10:46:19 +02:00
Carlton Gibson
87e7399760 [3.2.x] Added stub release notes for Django 3.2.7.
Backport of 947bdec60cd7f63dc1573578137747893d673700 from main
2021-08-02 08:43:09 +02:00
Carlton Gibson
70840232f9 [3.2.x] Confirmed release date for Django 3.2.6.
Backport of 74a86e9b5eaf4f0d2bb5bf6b7948000c75cdd4a6 from main
2021-08-02 06:56:33 +02:00
Tom Wojcik
b2f7b53fac [3.2.x] Fixed #32947 -- Fixed hash() crash on reverse M2M relation when through_fields is a list.
Regression in c32d8f33d8e988a376e44997b8f3606d821f305e.

Backport of 20226fcd461670334646f78a0c4d133e439b12b2 from main
2021-07-26 06:41:31 +02:00
Carlton Gibson
f4cf86f870 [3.2.x] Refs #32949 -- Adjusted release note wording.
Backport of 012f38f9594b35743e9ab231757b7b62db638323 from main
2021-07-21 12:32:23 +02:00
yakimka
1346381760 [3.2.x] Fixed #32949 -- Restored invalid number handling in DecimalField.validate().
DecimalField must itself validate() values, such as NaN, which cannot be
passed to validators, such as MaxValueValidator, during the
run_validators() phase.

Regression in cc3d24d7d577f174937a0744d886c4c7123cfa85.

Backport of c542d0a07237033225c1d57337ca9474a00648f2 from main
2021-07-21 11:23:43 +02:00
Jacob Walls
9a65e62c93 [3.2.x] Fixed typo in docs/releases/3.1.13.txt.
Backport of 00c724f2f255bd3c28a73cc51db8a052644ff949 from main
2021-07-16 20:30:48 +02:00
Mariusz Felisiak
9fadb97583 [3.2.x] Added CVE-2021-35042 to security archive.
Backport of 8feb2a49fa37528823cc900bbd9609319738193e from main
2021-07-01 10:01:23 +02:00
Mariusz Felisiak
92efd69107 [3.2.x] Added stub release notes for Django 3.2.6.
Backport of bcea1a3193d44d8c587173c00abb2eaf61fb9cf7 from main
2021-07-01 09:44:18 +02:00
Simon Charette
a34a5f724c [3.2.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().
Regression introduced in 513948735b799239f3ef8c89397592445e1a0cd5
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.

In retrospect the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.

The main branch is not affected because the raw SQL column reference
support has been removed in 06eec3197009b88e3a633128bbcbd76eea0b46ff
per the 4.0 deprecation life cycle.

Thanks Joel Saunders for the report.
2021-07-01 08:29:23 +02:00
Mariusz Felisiak
da2269dc6f [3.2.x] Added stub release notes for 3.1.13 and release date for 3.2.5.
Backport of 8e97698d7b537cd298438a8d7b55916d275ff851 from main
2021-07-01 06:57:41 +02:00
Claude Paroz
04b744050f [3.2.x] Updated translations from Transifex.
2021-06-28 07:06:24 +02:00
Hasan Ramezani
8b2b627f34 [3.2.x] Fixed #32863 -- Skipped system check for specifying type of auto-created primary keys on models with invalid app_label.
Regression in b5e12d490af3debca8c55ab3c1698189fdedbbdb.

Thanks Iuri de Silvio for the report.

Backport of 7a9745fed498f69c46a3ffa5dfaff872e0e1df89 from main
2021-06-22 21:19:47 +02:00