mirror of https://github.com/django/django.git synced 2025-07-10 20:59:12 +00:00

12457 Commits

Author SHA1 Message Date
Mariusz Felisiak
4965bfdde2 [4.1.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2023-11-01 06:26:16 +01:00
Natalia
c7b7024742 [4.1.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:40:33 -03:00
Mariusz Felisiak
ba00bc5ec6 [4.1.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 12:14:21 +02:00
Mariusz Felisiak
52533346d2 [4.1.x] Fixed warnings per flake8 6.1.0.
Backport of 22b0b73c7732ba67db4e69fd9fa75aad84c8e5c4 from main.
2023-08-28 06:46:39 +02:00
Mariusz Felisiak
beb3f3d559 [4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
2023-07-03 08:27:05 +02:00
Mariusz Felisiak
0e5948b8df [4.1.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
Follow up to fb4c55d9ec4bb812a7fb91fa20510d91645e411b.
Backport of fcfbf08abe3e6dc54894df6988024f055abc6c40 from main
2023-05-04 08:09:50 +02:00
Mariusz Felisiak
e7c3a2ccc3 [4.1.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
Thanks Moataz Al-Sharida and nawaik for reports.

Co-authored-by: Shai Berger <shai@platonix.com>
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-05-03 13:54:21 +02:00
Mariusz Felisiak
f55bcff9dc [4.1.x] Refs #34118 -- Fixed CustomChoicesTests.test_uuid_unsupported on Python 3.11.4+.
5342f5e713

Follow up to 38e63c9e61152682f3ff982c85a73793ab6d3267.

Backport of 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489 from main
2023-04-07 11:09:36 +02:00
David Wobrock
ba1654cb54 [4.1.x] Fixed #34384 -- Fixed session validation when rotating secret keys.
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

Thanks Eric Zarowny for the report.

Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main
2023-03-08 11:33:47 +01:00
Markus Holtermann
628b33a854 [4.1.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
Thanks to Jakob Ackermann for the report.
2023-02-14 08:24:06 +01:00
Mariusz Felisiak
590a92e456 [4.1.x] Fixed #34319 -- Fixed Model.validate_constraints() crash on ValidationError with no code.
Thanks Mateusz Kurowski for the report.

Regression in 667105877e6723c6985399803a364848891513cc.
Backport of 2fd755b361d3da2cd0440fc9839feb2bb69b027b from main
2023-02-08 16:40:38 +01:00
David Smith
a637d0bd22 [4.1.x] Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0

Backport of 097e3a70c1481ee7b042b2edd91b2be86fb7b5b6 from main.
2023-02-01 11:44:13 +01:00
Nick Pope
9d7bd5a56b [4.1.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.

Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
2023-02-01 09:46:23 +01:00
Mariusz Felisiak
26b7a25632 [4.1.x] Fixed #34291 -- Fixed Meta.constraints validation crash on UniqueConstraint with ordered expressions.
Thanks Dan F for the report.

Bug in 667105877e6723c6985399803a364848891513cc.

Backport of 2b1242abb3989f5d74e787b09132d01bcbee5b55 from main.
2023-01-26 09:34:15 +01:00
Mariusz Felisiak
7ebcda3331 [4.1.x] Fixed thread termination in servers.tests.LiveServerPort on Python 3.10.9+, 3.11.1+, and 3.12+.
Class cleanups registered in TestCase subclasses are no longer called
as TestCase.doClassCleanups() only cleans up the particular class, see

c2102136be
Backport of d02a9f0cee84e3d23f676bdf2ab6aadbf4a5bfe8 from main
2023-01-12 06:06:24 +01:00
James Gillard
af3cfc8630 [4.1.x] Fixed #34205 -- Fixed Meta.constraints validation crash with ArrayField and __len lookup.
Regression in 88fc9e2826044110b7b22577a227f122fe9c1fb5 that began
manifesting in Django 4.1.

Backport of c5ed884eabf3b2b67581c55bf6c87e721f69157f from main.
2022-12-10 19:39:00 +01:00
DevilsAutumn
170322451a [4.1.x] Fixed #34171 -- Fixed QuerySet.bulk_create() on fields with db_column in unique_fields/update_fields.
Bug in 0f6946495a8ec955b471ca1baaf408ceb53d4796.

Thanks Joshua Brooks for the report.

Backport of 4035bab56f2862a25cd7bfba41a84e58672cb1cc from main
2022-11-22 20:04:38 +01:00
Mariusz Felisiak
3b0a8ea299 [4.1.x] Fixed #34177 -- Fixed QuerySet.bulk_create() crash on "pk" in unique_fields.
Bug in 0f6946495a8ec955b471ca1baaf408ceb53d4796.
Backport of 7d5329852f19c6ae78c6f6f3d3e41835377bf295 from main
2022-11-22 14:26:48 +01:00
Jon Janzen
9fb57fcc70 [4.1.x] Fixed #34139 -- Fixed acreate(), aget_or_create(), and aupdate_or_create() methods for related managers.
Bug in 58b27e0dbb3d31ca1438790870b2b51ecdb10500.

Backport of 7b94847e384b1a8c05a7d4c8778958c0290bdf9a from main
2022-11-08 08:13:56 +01:00
Bhuvnesh
8740d2f452 [4.1.x] Refs #33646 -- Moved tests of QuerySet async interface into async tests.
Backport of e580b891cb5ae31eb0571c88428afb9bf69e47f2 from main
2022-11-08 08:13:33 +01:00
Daniel Ivanov
eca526eab0 [4.1.x] Fixed #34088 -- Fixed Sitemap.get_latest_lastmod() crash with empty items.
Bug in 480191244d12fefbf95854b2b117c71ffe44749a.

Thanks Michal Čihař for the report.

Backport of 5eab4d1924613a5506e517f157054b4852ae7dc2 from main
2022-11-07 07:57:11 +01:00
Mariusz Felisiak
84a2b2e7a7 [4.1.x] Fixed #34138 -- Avoided table rebuild when adding inline m2m fields on SQLite.
Regression in 2f73e5406d54cb8945e187eff302a3a3373350be.

Thanks David Wobrock for the report.
Backport of 7b0e9ea53ca99de2f485ec582f3a79be34b531d4 from main
2022-11-04 09:31:30 +01:00
Marcelo Galigniana
e21a7cfc16 [4.1.x] Fixed flaky test_ForeignKey_using_to_field test.
Backport of 1d6948096f6fe7aa887d651e01e9af8e4ef349a2 from main
2022-10-24 12:35:20 +02:00
HieuPham9720
2389c57f5d [4.1.x] Skipped scrypt tests when OpenSSL 1.1+ is not installed.
Backport of 3e928de8add92a5f38a562abd7560b023d24b6af from main
2022-10-20 18:51:58 -07:00
Carlton Gibson
84814412a0 [4.1.x] Fixed #34085 -- Made management commands not use black for non-Python files.
Bug in d113b5a837f726d1c638d76c4e88445e6cd59fd5.

Co-authored-by: programmylife <acmshar@gmail.com>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>

Backport of 5c2c7277d4554db34c585477b269bb1acfcbbe56 from main.
2022-10-20 14:38:40 -07:00
Adam Johnson
9d656ea51d [4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
2022-10-04 09:12:42 +02:00
Mariusz Felisiak
7843c43c49 [4.1.x] Refs #32987 -- Relaxed system check for template tag modules with the same name by turning into a warning.
Thanks Claude Paroz for the report.

Regression in 004b4620f6f4ad87261e149898940f2dcd5757ef.
Backport of f71b0cf769d9ac582ee3d1a8c33d73dad3a770da from main
2022-10-03 10:52:47 +02:00
Mariusz Felisiak
96c541ecef [4.1.x] Refs #34058 -- Fixed changing/deleting sequences when altering pre-Django 4.1 auto fields on PostgreSQL.
Thanks Anders Kaseorg for the report.

Follow up to 19e6efa50b603af325e7f62058364f278596758f.
Regression in 2eea361eff58dd98c409c5227064b901f41bd0d6.

Backport of bc3b8f152452ba0e41f28baa93c0bf8f39cddb09 from main
2022-10-01 07:59:28 +02:00
Mariusz Felisiak
7a1675806a [4.1.x] Fixed #33984 -- Reverted "Fixed #32980 -- Made models cache related managers."
This reverts 4f8c7fd9d91b35e2c2922de4bb50c8c8066cbbc6 and adds
two regression tests:
- test_related_manager_refresh(), and
- test_create_copy_with_m2m().

Thanks joeli for the report.
Backport of 5e0aa362d91d000984995ce374c2d7547d8d107f from main
2022-09-30 18:19:36 +02:00
Antoine Lorence
ecf6506f44 [4.1.x] Fixed #34062 -- Updated View.http_method_not_allowed() to support async.
As with the options() methods, wrap the response in a coroutine if
the view is async.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>

Backport of 9b0c9821ed4dd9920cc7c5e7b657720d91a89bdc from main
2022-09-29 16:29:34 +02:00
Mariusz Felisiak
97353bc64b [4.1.x] Fixed #34058 -- Changed sequence types when altering pre-Django 4.1 auto fields on PostgreSQL.
Thanks Anders Kaseorg for the report.

Thanks Florian Apolloner for pair programming.

Regression in 2eea361eff58dd98c409c5227064b901f41bd0d6.
Backport of 19e6efa50b603af325e7f62058364f278596758f from main
2022-09-29 13:20:55 +02:00
Adam Johnson
b826b38847 [4.1.x] Refs #34010 -- Made --debug-mode work for parallel tests using spawn.
Bug in 3b3f38b3b09b0f2373e51406ecb8c9c45d36aebc.

Thanks Kevin Renskers for the report.

Backport of 0f5b11eca0ba199501941fa244b276aaa10353c8 from main
2022-09-28 20:40:23 +02:00
David Sanders
33d9247c8b [4.1.x] Fixed #34025 -- Fixed selecting ModelAdmin.autocomplete_fields after adding/changing related instances via popups.
Regression in c72f6f36c13a21f6db3d4f85d2d3cec87bad45e6.

Thanks Alexandre da Silva for the report.

Backport of 9976f3d4b80cfb2e6f4c998438622b78eb1ac53e from main
2022-09-28 12:54:48 +02:00
Alexander Kerkum
2d20386b41 [4.1.x] Fixed #34016 -- Fixed QuerySet.values()/values_list() crash on ArrayAgg() and JSONBAgg().
Regression in e06dc4571ea9fd5723c8029959b95808be9f8812.

Backport of f88fc72da4eb76f2d464edb4874ef6046f8a8658 from main
2022-09-18 07:39:47 +02:00
David Sanders
be5e3b46f7 [4.1.x] Fixed #33996 -- Fixed CheckConstraint validation on NULL values.
Bug in 667105877e6723c6985399803a364848891513cc.

Thanks James Beith for the report.

Backport of e14d08cd894e9d91cb5d9f44ba7532c1a223f458 from main
2022-09-13 14:06:46 +02:00
Simon Charette
e0f14d8389 [4.1.x] Fixed #33992 -- Fixed queryset crash when aggregating over a group containing Exists.
A more in-depth solution is likely to make sure that we always GROUP BY
selected annotations or revisit how we use Query.exists() in the Exists
expression but that requires extra work that isn't suitable for a
backport.

Regression in e5a92d400acb4ca6a8e1375d1ab8121f2c7220be.

Thanks Fernando Flores Villaça for the report.

Backport of 32536b1324e98768dd892980408a8c6b26c23fd9 from main
2022-09-08 08:13:15 +02:00
James Beith
7ba9a44831 [4.1.x] Fixed #33982 -- Fixed migrations crash when adding model with ExclusionConstraint.
Regression in 0e656c02fe945389246f0c08f51c6db4a0849bd2.

Backport of 19e838daa8872ee29fbea0bc471c2a6443f26835 from main
2022-09-07 09:17:23 +02:00
Mariusz Felisiak
a1083805ac [4.1.x] Fixed #33955, Fixed #33971 -- Reverted "Fixed #32565 -- Moved internal URLResolver view-strings mapping to admindocs."
This reverts commit 7f3cfaa12b28d15c0ca78bb692bfd6e59d17bff1.

Thanks Tom Carrick and Greg Kaleka for reports.
Backport of 974942a75039ba43e618f6a5ff95e08b5d5176fd from main
2022-09-01 21:10:43 +02:00
Mariusz Felisiak
524ea6b77b [4.1.x] Refs #33953 -- Fixed test_rename_model_with_db_table_rename_m2m() crash on SQLite < 3.20.
Backport of a9e7beb959bc726eab1c192d2625d6ff6cfa70f4 from main
2022-08-29 10:08:26 +02:00
David Wobrock
fca055315e [4.1.x] Fixed #33952 -- Reallowed creating reverse foreign key managers on unsaved instances.
Thanks Claude Paroz for the report.

Regression in 7ba6ebe9149ae38257d70100e8bfbfd0da189862.

Backport of 806e9e2d0dcf8f58e376fb7e2a8b9771e2a9ce16 from main
2022-08-27 15:36:13 +02:00
Iuri de Silvio
7d5ccbbe1a [4.1.x] Fixed #33953 -- Reverted "Fixed #33201 -- Made RenameModel operation a noop for models with db_table."
Regression in afeafd6036616bac8263d762c1610f22241c0187.
This reverts afeafd6036616bac8263d762c1610f22241c0187.

Thanks Timothy Thomas for the report.

Backport of 166a3b32632c141541d1c3f0eff18e1d8b389404 from main
2022-08-26 07:14:54 +02:00
Simon Charette
c9ebd5b7aa [4.1.x] Fixed #33938 -- Fixed migration crash for m2m with a through model in another app.
Regression in aa4acc164d1247c0de515c959f7b09648b57dc42.

Thanks bryangeplant for the report.

Backport of 71902e0d9f93670c4f93ff9d66095b0e571be74b from main
2022-08-25 10:32:48 +02:00
Benoît Vinot
85942cf669 [4.1.x] Fixed #33932 -- Fixed altering AutoFields to OneToOneField on PostgreSQL.
Regression in 2eea361eff58dd98c409c5227064b901f41bd0d6.

Backport of e3cb8bcb7d2a2d392e726ee1f7e32a8d9038e14c from main
2022-08-17 17:43:48 +02:00
Mariusz Felisiak
3848475eeb [4.1.x] Fixed #33919 -- Fixed adding AutoFields on PostgreSQL.
Thanks Jack Calvin Brown for the report.

Regression in 2eea361eff58dd98c409c5227064b901f41bd0d6.
Backport of 5c803bc0702511c8bc05e9db600367a465514f82 from main
2022-08-12 17:31:15 +02:00
David Sanders
e215948f0d [4.1.x] Fixed #33905 -- Fixed CheckConstraint() validation on range fields.
Bug in 667105877e6723c6985399803a364848891513cc.

Backport of e0ae1363ec2aa71945be26f869cafd4181ccbc95 from main
2022-08-09 21:45:58 +02:00
Mariusz Felisiak
6b0193146d [4.1.x] Fixed #33902 -- Fixed Meta.constraints validation crash with F() expressions.
Thanks Adam Zahradník for the report.

Bug in 667105877e6723c6985399803a364848891513cc.
Backport of 63884829acd207404f2a5c3cc1d6b4cd0a822b70 from main
2022-08-09 06:09:56 +02:00
Fiza Ashraf
f546e7c18b [4.1.x] Fixed #33899 -- Fixed migration crash when removing indexed field on SQLite 3.35.5+.
Regression in 702819227fd0cdd9b581cd99e11d1561d51cbeb.

Thanks cessor for the report.

Backport of c0beff21239e70cbdcc9597e5be09e505bb8f76c from main
2022-08-08 07:26:46 +02:00
Mariusz Felisiak
d9ace347b4 [4.1.x] Fixed #33898 -- Fixed Window() expression crash with ArrayAgg().
Thanks Kia for the report.

Regression in e06dc4571ea9fd5723c8029959b95808be9f8812.
Backport of fd93db97c7228b16a4f92f97ef05b0d72418d952 from main
2022-08-06 18:00:38 +02:00
Fab
82e9e19ebe [4.1.x] Fixed #33893 -- Reverted "Fixed #28889 -- Prevented double submission of admin forms."
Regression in fe7dbef5867c577995f0fc849d8dfdb8f2e6bbfa.

Backport of 0756c61f2ada56e4ae625589099c0141a77737eb from main
2022-08-05 17:21:38 +02:00
Carlton Gibson
7b0ed458d9 [4.1.x] Refs #33173, Refs #33755 -- Fixed ResourceWarning from unclosed files in ASGI tests.
Backport of f476c8847a0bf1a4e20becfb3dc66f4da0dbf579 from main
2022-08-04 10:14:58 +02:00