mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-07 03:09:22 +00:00
Code Issues 32 Releases Wiki Activity
29,522 Commits 29 Branches 451 Tags
Commit Graph

3987 Commits

Author SHA1 Message Date
Mariusz Felisiak
eed53d0011 [3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field. 
Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
 2023-05-03 13:58:52 +02:00
Mariusz Felisiak
007e46d815 [3.2.x] Added missing backticks in docs/releases/1.7.txt. 2023-04-26 09:37:36 +02:00
Mariusz Felisiak
a37e4d5d6e [3.2.x] Added stub release notes for 3.2.19. 
Backport of 18a7f2c711529f8e43c36190a5e2479f13899749 from main
 2023-04-26 08:54:18 +02:00
Carlton Gibson
963f24cff2 [3.2.x] Added CVE-2023-24580 to security archive. 
Backport of ecafcaf634fcef93f9da8cb12795273dd1c3a576 from main
 2023-02-14 09:57:00 +01:00
Markus Holtermann
a665ed5179 [3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. 
Thanks to Jakob Ackermann for the report.
 2023-02-07 10:39:25 +01:00
Carlton Gibson
932b5bd52d [3.2.x] Added stub release notes for 3.2.18. 
Backport of 7e003428f96d616c1f77fed84882a95e63bc3644 from main
 2023-02-07 10:14:53 +01:00
Mariusz Felisiak
c35a5788f4 [3.2.x] Added CVE-2023-23969 to security archive. 
Backport of 36e3eef7d5a4c88671d20a561788679d0d9c334c from main
 2023-02-01 12:11:00 +01:00
Nick Pope
c7e0151fdf [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language. 
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.

Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
 2023-02-01 09:48:18 +01:00
Carlton Gibson
d21543182d [3.2.x] Adjusted release notes for 3.2.17. 
Backport of d8e1442ce2c56282785dd806e5c1147975e8c857 from main
 2023-01-25 12:29:59 +01:00
Carlton Gibson
4e31d3ea55 [3.2.x] Added stub release notes for 3.2.17. 
Backport of 1df963ad2476726d63be132c0cee47e07b8250d7 from main
 2023-01-25 12:02:29 +01:00
Carlton Gibson
accdd0576d [3.2.x] Added CVE-2022-36359 to security archive. 
Backport of 93d4c9ea1de24eb391cb2b3561b6703fd46374df from main
 2022-10-04 10:13:25 +02:00
Adam Johnson
5b6b257fa7 [3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions. 
Thanks to Benjamin Balder Bach for the report.
 2022-09-27 10:17:34 +02:00
Carlton Gibson
33affaf0b6 [3.2.x] Added stub notes 3.2.16 release. 
Backport of 57c7220280db19dc9dda0910b90cf1ceac50c66f from main
 2022-09-27 10:14:45 +02:00
Carlton Gibson
777362d74a [3.2.x] Added CVE-2022-36359 to security archive. 
Backport of 57c7220280db19dc9dda0910b90cf1ceac50c66f from main
 2022-08-03 09:11:02 +02:00
Carlton Gibson
b3e4494d75 [3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. 
Thanks to Motoyasu Saburi for the report.
 2022-08-03 08:48:33 +02:00
Carlton Gibson
a5eba20f40 Adjusted release notes for 3.2.15. 
Backport of cadd864f6878c1c02a014589876ece166befdeb3 from main
 2022-07-27 10:05:04 +02:00
Carlton Gibson
ad104fb50f [3.2.x] Added stub release notes for 3.2.15 release. 
Backport of 0c1675781ec5944132fe5a475ca6064edc71bd81 from main
 2022-07-27 09:34:30 +02:00
Mariusz Felisiak
e1cfbe58b7 [3.2.x] Added CVE-2022-34265 to security archive. 
Backport of d12d7c4c42814736c24731a6a300a79526fc2ef6 from main
 2022-07-04 10:34:52 +02:00
Mariusz Felisiak
a9010fe555 [3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection. 
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
 2022-07-04 08:41:33 +02:00
Mariusz Felisiak
1a9098166e [3.2.x] Fixed docs build with sphinxcontrib-spelling 7.5.0+. 
sphinxcontrib-spelling 7.5.0+ includes captions of figures in the set
of nodes for which the text is checked.

Backport of ac90529cc58507d9a07610809a795ec5fc3cbf8c from main.
 2022-06-27 08:10:48 +02:00
Mariusz Felisiak
37f4de2deb [3.2.x] Added stub release notes for 3.2.14. 
Backport of b2eff16806057095c7dd3daa9402ad615e51627f from main
 2022-06-27 07:23:46 +02:00
Mariusz Felisiak
e01b383e02 [3.2.x] Added CVE-2022-28346 and CVE-2022-28347 to security archive. 
Backport of 78eeff8d33ead67cfc8603477c95e70f8fbe096a from main
 2022-04-11 10:36:52 +02:00
Mariusz Felisiak
9e19accb6e [3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL. 
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
 2022-04-11 09:12:58 +02:00
Mariusz Felisiak
2044dac5c6 [3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. 
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
 2022-04-11 09:12:06 +02:00
Manel Clos
bdb92dba0b [3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes. 
Regression in 68357b2ca9e88c40fc00d848799813241be39129.

Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
 2022-04-11 08:34:01 +02:00
Mariusz Felisiak
70035fb044 [3.2.x] Added stub release notes for 3.2.13 and 2.2.28. 
Backport of 78277faafd38d8360efc1fd0c9c52d7bb5eec002 from main
 2022-04-04 10:51:06 +02:00
David Smith
754af45773 [3.2.x] Fixed typo in release notes. 
Backport of 770d3e6a4ce8e0a91a9e27156036c1985e74d4a3 from main.
 2022-02-02 07:19:30 +01:00
Mariusz Felisiak
6f309165e5 [3.2.x] Added CVE-2022-22818 and CVE-2022-23833 to security archive. 
Backport of 9e0df0d6dde441dbbad2b548d777e0a01d633286 from main
 2022-02-01 08:53:32 +01:00
Mariusz Felisiak
d16133568e [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. 
Thanks Alan Ryan for the report and initial patch.

Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
 2022-02-01 07:54:17 +01:00
Markus Holtermann
1a1e8278c4 [3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. 
Thanks Keryn Knight for the report.

Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-02-01 07:53:21 +01:00
Mariusz Felisiak
a7e89fe776 [3.2.x] Added stub release notes for 3.2.12 and 2.2.27. 
Backport of eeca9342381c8583be16f18942774e785ab7e527 from main.
 2022-01-25 07:27:35 +01:00
Carlton Gibson
027f4c4ceb [3.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive. 
Backport of 63869ab1f191ab5781cde8b813b838300455f6d6 from main
 2022-01-04 11:31:13 +01:00
Florian Apolloner
8d2f7cff76 [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. 
Thanks to Dennis Brinkrolf for the report.
 2022-01-04 10:19:49 +01:00
Florian Apolloner
c7fe895bca [3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. 
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:19:49 +01:00
Florian Apolloner
a8b32fe13b [3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. 
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:19:49 +01:00
Carlton Gibson
b0aa0709a5 [3.2.x] Added stub release notes for 3.2.11, and 2.2.26 releases. 
Backport of b13d920b7b56d3e088e35311f5ee54f25d2779af from main.
 2021-12-28 10:09:49 +01:00
Mariusz Felisiak
ecd2793897 [3.2.x] Added CVE-2021-44420 to security archive. 
Backport of 8747052411275d290b2152ffcb8dee11afbb82cd from main
 2021-12-07 08:54:16 +01:00
Florian Apolloner
333c656030 [3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths. 
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
 2021-12-07 06:32:24 +01:00
Mariusz Felisiak
cb724ef6c0 [3.2.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField on PostgreSQL. 
This makes models.BinaryField pickleable on PostgreSQL.

Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d.

Thanks Adam Zimmerman for the report.

Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
 2021-12-03 12:01:28 +01:00
Mariusz Felisiak
487a2da02e [3.2.x] Added stub release notes and release date for 3.2.10, 3.1.14 and 2.2.25. 
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main
 2021-11-30 11:26:39 +01:00
Mariusz Felisiak
dfa1145a22 [3.2.x] Corrected multiply defined labels in docs. 
Backport of 60503cc747eeda7c61bab02b71f8f55a733a6eea from main
 2021-11-04 10:46:55 +01:00
Mariusz Felisiak
34e5e61479 [3.2.x] Added stub release notes for Django 3.2.10. 
Backport of d811fa1d1012e746719aa3af351f56ad21f92610 from main
 2021-11-01 10:42:47 +01:00
Mariusz Felisiak
e299cc2d2c [3.2.x] Added release date for 3.2.9. 
Backport of 7ec603ba259083298c9598a41987b4c4f2a5d134 from main
 2021-11-01 10:19:37 +01:00
Hannes Ljungberg
f5802a21c4 [3.2.x] Fixed #33194 -- Fixed migrations when altering a field with functional indexes on SQLite. 
This adjusts Expressions.rename_table_references() to only update alias
when needed.

Regression in 83fcfc9ec8610540948815e127101f1206562ead.

Co-authored-by: Simon Charette <charettes@users.noreply.github.com>

Backport of 86971c40909430a798e4e55b140004c4b1fb02ff from main.
 2021-10-18 09:37:46 +02:00
Mariusz Felisiak
82fee0446d [3.2.x] Refs #32074 -- Doc'd Python 3.10 compatibility in Django 3.2.x. 
Backport of 604df4e0adc71da264f61fe85020a170c98e6f09 from main.
 2021-10-05 13:33:15 +02:00
Carlton Gibson
329311ecbd [3.2.x] Added stub release notes for Django 3.2.9. 
Backport of c113f7fb0dae0dfd066d05acd1032c9f57a5aaf9 from main
 2021-10-05 09:40:24 +02:00
Carlton Gibson
65367b0500 [3.2.x] Added release date for 3.2.7. 
Backport of c5776bfca9e3f35e0ab5aacbdc1a4dbfe92fdfd1 from main
 2021-10-05 09:09:17 +02:00
Carlton Gibson
6760f4fa25 [3.2.x] Fixed #33083 -- Fixed selecting all items in the admin changelist when actions are both top and bottom. 
Thanks Benjamin Locher for the report.

Regression in 30e59705fc3e3e9e8370b965af794ad6173bf92b.
Backport of b0ed619303d2fb723330ca9efa3acf23d49f1d19 from main
 2021-09-21 19:59:41 +02:00
Ken Whitesell
d4a587a5fa [3.2.x] Fixed #33077 -- Fixed links to related models for admin's readonly fields in custom admin site. 
Backport of 0a9aa02e6f1d1b9ceca155d281a2be624bb1d3a2 from main
 2021-09-18 20:10:06 +02:00
Mariusz Felisiak
707239eabf [3.2.x] Added stub release notes for Django 3.2.8. 
Backport of af10e97531a59e4af09b5ec0c1a3ea476f2b6015 from main
 2021-09-01 09:51:50 +02:00