mirror of https://github.com/django/django.git synced 2025-07-10 20:59:12 +00:00

4341 Commits

Author SHA1 Message Date
Natalia
c7b7024742 [4.1.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:40:33 -03:00
Natalia
910df41352 [4.1.x] Added stub release notes for 4.1.12 and 3.2.22. 2023-09-27 14:31:51 -03:00
Mariusz Felisiak
4c14db3415 [4.1.x] Added CVE-2023-41164 to security archive.
Backport of 8a98768868a104ea3ce10d8182590bdd095d9ccb from main
2023-09-04 13:18:20 +02:00
Mariusz Felisiak
ba00bc5ec6 [4.1.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 12:14:21 +02:00
Mariusz Felisiak
05d78acb9c [4.1.x] Added stub release notes for 4.1.11 and 3.2.21.
Backport of 24f1a38b37c0af3a5ce0dd7b5392fe4e75d7e1dc from main.
2023-08-28 06:16:11 +02:00
Mariusz Felisiak
44f6bb5652 [4.1.x] Added CVE-2023-36053 to security archive.
Backport of 1d6fbf16f24200a556beb6dd197439944deb6837 from main
2023-07-03 10:31:12 +02:00
Mariusz Felisiak
beb3f3d559 [4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
2023-07-03 08:27:05 +02:00
Mariusz Felisiak
3b48fe413f [4.1.x] Added stub release notes for 4.1.10 and 3.2.20.
Backport of 2360ba22742c3ee8729697bfe2d508110465af56 from main
2023-06-26 14:37:24 +02:00
Mariusz Felisiak
66e1e9b006 [4.1.x] Added CVE-2023-31047 to security archive.
Backport of 49830025c992fbc8d8f213e7c16dba1391c6adf2 from main
2023-05-03 15:22:12 +02:00
Mariusz Felisiak
e7c3a2ccc3 [4.1.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-05-03 13:54:21 +02:00
Mariusz Felisiak
491dccec1a [4.1.x] Added missing backticks in docs/releases/1.7.txt. 2023-04-26 09:30:14 +02:00
Mariusz Felisiak
6d334a0ca5 [4.1.x] Added stub release notes for 4.1.9 and 3.2.19.
Backport of 18a7f2c711529f8e43c36190a5e2479f13899749 from main
2023-04-26 08:51:18 +02:00
Mariusz Felisiak
67a79dcf5b [4.1.x] Added release date for 4.1.8.
Backport of fdf0a367bdd72c70f91fb3aed77dabbe9dcef69f from main
2023-04-05 06:19:38 +02:00
David Wobrock
ba1654cb54 [4.1.x] Fixed #34384 -- Fixed session validation when rotating secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

Thanks Eric Zarowny for the report.

Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main
2023-03-08 11:33:47 +01:00
Mariusz Felisiak
ff3e3eb2bd [4.1.x] Added stub release notes for 4.1.8.
Backport of 9a07999aef7958c9b5441e368cd90646d0edc5c9 from main
2023-03-06 17:38:07 +01:00
Carlton Gibson
991461a3b3 [4.1.x] Added CVE-2023-24580 to security archive.
Backport of ecafcaf634fcef93f9da8cb12795273dd1c3a576 from main
2023-02-14 09:53:25 +01:00
Markus Holtermann
628b33a854 [4.1.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
2023-02-14 08:24:06 +01:00
Sota Tabu
425c75f56f [4.1.x] Fixed #34318 -- Added release note for 4bfe8c0eec835b8eaffcda7dc1e3b203751a790a.
Backport of 3e9d413231edc29768cc7ca0427e63b19233f562 from main
2023-02-13 14:13:36 +01:00
Mariusz Felisiak
590a92e456 [4.1.x] Fixed #34319 -- Fixed Model.validate_constraints() crash on ValidationError with no code.
Thanks Mateusz Kurowski for the report.

Regression in 667105877e6723c6985399803a364848891513cc.
Backport of 2fd755b361d3da2cd0440fc9839feb2bb69b027b from main
2023-02-08 16:40:38 +01:00
Carlton Gibson
ae53649b38 [4.1.x] Added stub release notes for 4.0.10 and 3.2.18.
Set date for 4.1.7 release.

Backport of 7e003428f96d616c1f77fed84882a95e63bc3644 from main
2023-02-07 10:12:12 +01:00
Mariusz Felisiak
83c88af9f8 [4.1.x] Added stub release notes for 4.1.7.
Backport of f3c89744cc801cc7d134bca9958c4a74aa76380f from main
2023-02-01 13:22:50 +01:00
Mariusz Felisiak
9ac634ff26 [4.1.x] Added CVE-2023-23969 to security archive.
Backport of 36e3eef7d5a4c88671d20a561788679d0d9c334c from main
2023-02-01 12:10:18 +01:00
Nick Pope
9d7bd5a56b [4.1.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.

Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
2023-02-01 09:46:23 +01:00
Mariusz Felisiak
26b7a25632 [4.1.x] Fixed #34291 -- Fixed Meta.constraints validation crash on UniqueConstraint with ordered expressions.
Thanks Dan F for the report.

Bug in 667105877e6723c6985399803a364848891513cc.

Backport of 2b1242abb3989f5d74e787b09132d01bcbee5b55 from main.
2023-01-26 09:34:15 +01:00
Carlton Gibson
bc48c7dfd6 [4.1.x] Adjusted release notes for 4.1.6, 4.0.9, and 3.2.17.
Backport of d8e1442ce2c56282785dd806e5c1147975e8c857 from main
2023-01-25 12:27:07 +01:00
Carlton Gibson
bb59ef749f [4.1.x] Set date and added stub release notes for 4.1.6, 4.0.9, and 3.2.17.
Backport of 1df963ad2476726d63be132c0cee47e07b8250d7 from main
2023-01-25 11:58:50 +01:00
Steven
d805010d68 [4.1.x] Fixed "nulls characters" typo in docs.
Backport of 4b7016866a80ec8582f55fc7eedfa692039e9648 from main
2023-01-16 08:24:21 +01:00
Mariusz Felisiak
f6d138eeff [4.1.x] Added stub release notes for 4.1.6.
Backport of 75500feecddcb27b6ab65c9057e7317024cef761 from main
2023-01-02 08:51:44 +01:00
Mariusz Felisiak
7bcf84d363 [4.1.x] Added release date for 4.1.5.
Backport of 174d8157b5700f6451ac0bdc3eef7e73121bc4a4 from main
2023-01-02 08:11:41 +01:00
Mariusz Felisiak
46b28bbe15 [4.1.x] Updated translations from Transifex.
Updated Bulgarian, Esperanto, Hungarian, Japanese, Macedonian, Persian,
Portuguese (Brazil), Russian, Spanish, and Turkmen translations.
2022-12-20 19:33:28 +01:00
James Gillard
af3cfc8630 [4.1.x] Fixed #34205 -- Fixed Meta.constraints validation crash with ArrayField and __len lookup.
Regression in 88fc9e2826044110b7b22577a227f122fe9c1fb5 that began
manifesting in Django 4.1.

Backport of c5ed884eabf3b2b67581c55bf6c87e721f69157f from main.
2022-12-10 19:39:00 +01:00
Carlton Gibson
c2dadbcbf0 [4.1.x] Added stub release notes for 4.1.5.
Backport of 845a5db38fd3d2695af8cece78951729936a0196 from main
2022-12-06 10:21:44 +01:00
Carlton Gibson
65d31d9e41 [4.1.x] Added release date for 4.1.4.
Backport of f4a053a2940c2e5324550cd796724a5837362cba from main
2022-12-06 09:57:26 +01:00
Mariusz Felisiak
423fa4c072 [4.1.x] Updated various links to HTTPS and new locations.
Backport of 514884e9a555c51afba3d26d9370a908af4752a6 from main
2022-12-06 06:00:34 +01:00
Mariusz Felisiak
58156f4ed7 [4.1.x] Refs #33397, Refs #34160 -- Added release note for resolving output_field changes.
Backport of e8dcef155c1848ef49e54f787a7d20faf3bf9296 from main
2022-11-30 08:22:29 +01:00
DevilsAutumn
170322451a [4.1.x] Fixed #34171 -- Fixed QuerySet.bulk_create() on fields with db_column in unique_fields/update_fields.
Bug in 0f6946495a8ec955b471ca1baaf408ceb53d4796.

Thanks Joshua Brooks for the report.

Backport of 4035bab56f2862a25cd7bfba41a84e58672cb1cc from main
2022-11-22 20:04:38 +01:00
Mariusz Felisiak
3b0a8ea299 [4.1.x] Fixed #34177 -- Fixed QuerySet.bulk_create() crash on "pk" in unique_fields.
Bug in 0f6946495a8ec955b471ca1baaf408ceb53d4796.
Backport of 7d5329852f19c6ae78c6f6f3d3e41835377bf295 from main
2022-11-22 14:26:48 +01:00
Jon Janzen
9fb57fcc70 [4.1.x] Fixed #34139 -- Fixed acreate(), aget_or_create(), and aupdate_or_create() methods for related managers.
Bug in 58b27e0dbb3d31ca1438790870b2b51ecdb10500.

Backport of 7b94847e384b1a8c05a7d4c8778958c0290bdf9a from main
2022-11-08 08:13:56 +01:00
Daniel Ivanov
eca526eab0 [4.1.x] Fixed #34088 -- Fixed Sitemap.get_latest_lastmod() crash with empty items.
Bug in 480191244d12fefbf95854b2b117c71ffe44749a.

Thanks Michal Čihař for the report.

Backport of 5eab4d1924613a5506e517f157054b4852ae7dc2 from main
2022-11-07 07:57:11 +01:00
Mariusz Felisiak
84a2b2e7a7 [4.1.x] Fixed #34138 -- Avoided table rebuild when adding inline m2m fields on SQLite.
Regression in 2f73e5406d54cb8945e187eff302a3a3373350be.

Thanks David Wobrock for the report.
Backport of 7b0e9ea53ca99de2f485ec582f3a79be34b531d4 from main
2022-11-04 09:31:30 +01:00
Mariusz Felisiak
e8ea852f07 [4.1.x] Added stub release notes for 4.1.4.
Backport of c765b62e3258de4dce9935ab7aed430346dfbc10 from main
2022-11-01 07:31:24 +01:00
Mariusz Felisiak
cf69b9f7ef [4.1.x] Added release date for 4.1.3.
Backport of 635e5643b3921e278dbddf8f13ecb66f17cd6aee from main
2022-11-01 06:59:26 +01:00
Mariusz Felisiak
ddf3ee6f9e [4.1.x] Refs #33173 -- Doc'd Python 3.11 compatibility in Django 4.1.x.
Backport of eb6cc01d0f62c73441a3610193ba210176d0935f from main.
2022-10-26 20:13:41 +02:00
Carlton Gibson
84814412a0 [4.1.x] Fixed #34085 -- Made management commands not use black for non-Python files.
Bug in d113b5a837f726d1c638d76c4e88445e6cd59fd5.

Co-authored-by: programmylife <acmshar@gmail.com>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>

Backport of 5c2c7277d4554db34c585477b269bb1acfcbbe56 from main.
2022-10-20 14:38:40 -07:00
Carlton Gibson
e9a24a15f2 [4.1.x] Added CVE-2022-36359 to security archive.
Backport of 93d4c9ea1de24eb391cb2b3561b6703fd46374df from main
2022-10-04 10:12:35 +02:00
Carlton Gibson
324d4fcbe1 [4.1.x] Added stub release notes for 4.1.3 release.
Backport of 7a089273236cf79a6c8a3db7a622fb89872ebe37 from main
2022-10-04 09:49:47 +02:00
Adam Johnson
9d656ea51d [4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
2022-10-04 09:12:42 +02:00
Mariusz Felisiak
7843c43c49 [4.1.x] Refs #32987 -- Relaxed system check for template tag modules with the same name by turning into a warning.
Thanks Claude Paroz for the report.

Regression in 004b4620f6f4ad87261e149898940f2dcd5757ef.
Backport of f71b0cf769d9ac582ee3d1a8c33d73dad3a770da from main
2022-10-03 10:52:47 +02:00
Mariusz Felisiak
7a1675806a [4.1.x] Fixed #33984 -- Reverted "Fixed #32980 -- Made models cache related managers."
This reverts 4f8c7fd9d91b35e2c2922de4bb50c8c8066cbbc6 and adds
two regression tests:
- test_related_manager_refresh(), and
- test_create_copy_with_m2m().

Thanks joeli for the report.
Backport of 5e0aa362d91d000984995ce374c2d7547d8d107f from main
2022-09-30 18:19:36 +02:00
Antoine Lorence
ecf6506f44 [4.1.x] Fixed #34062 -- Updated View.http_method_not_allowed() to support async.
As with the options() methods, wrap the response in a coroutine if
the view is async.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>

Backport of 9b0c9821ed4dd9920cc7c5e7b657720d91a89bdc from main
2022-09-29 16:29:34 +02:00