Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c.
Thanks Baptiste Mispelon for the report.
Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
The lack of explicit cast for JSON literals on psycopg2 is fixed on 5.1+ by
0d8fbe2ade29f1b7bd9e6ba7a0281f5478603a43 but didn't qualify for a backport to
stable/4.2.x.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Refs Python CVE-2024-11168. Django should not affected, but others who
incorrectly use internal function _urlsplit() with unsanitized input
could be at risk.
https://github.com/python/cpython/pull/103849
Updated CommandTests.test_subparser_invalid_option and CommandDBOptionChoiceTests.test_invalid_choice_db_option to use assertRaisesRegex() for compatibility with modified error messages in Python 3.12, 3.13, and 3.14+..
Backport of fc22fdd34f1e55adde161f5f2dca8db90bbfce80 from main.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
Python 3.12.2 bring back the skipped tests in the number of running
tests. Refs
0a737639dc
Backport of bc8471f0aac8f0c215b9471b594d159783bac19b from main
Thanks Warwick Brown for the report.
Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9.
Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
Regression in f387d024fc75569d2a4a338bfda76cc2f328f627.
Just like `OrderByList` the `ExpressionList` expression used to wrap
`Window.partition_by` must implement `get_group_by_cols` to ensure the
necessary grouping when mixing window expressions with aggregate
annotations is performed against the partition members and not the
partition expression itself.
This is necessary because while `partition_by` is implemented as
a source expression of `Window` it's actually a fragment of the WINDOW
expression at the SQL level and thus it should result in a group by its
members and not the sum of them.
Thanks ElRoberto538 for the report.
Backport of e76cc93b0168fa3abbafb9af1ab4535814b751f0 from main
Adjustments made to solve_lookup_type to defer the resolving of
references for summarized aggregates failed to account for similar
requirements for lookup values which can also reference annotations
through Aggregate.filter.
Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d.
Refs #25307.
Thanks Sergey Nesterenko for the report.
Backport of 7530cf3900ab98104edcde69e8a2a415e82b345a from main
Co-authored-by: David Sanders <shang.xiao.sanders@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of f7389c4b07ceeb036436e065898e411b247bca78 from main
Regression in f3f9d03edf17ccfa17263c7efa0b1350d1ac9278 (4.2) and
8ed25d65ea7546fafd808086fa07e7e5bb5428fc (5.0).
Backport of 34b411762b50883d768d7b67e0a158ec39da8b09 from main.
Regression in 59bea9efd2768102fc9d3aedda469502c218e9b7,
complements e5c844d6f2a4ac6ae674d741b5f1fa2a688cedf4.
Refs #28477, #34551.
Thanks Haldun Komsuoglu for the report.
Backport of 3b4a571275d967512866012955eb0b3ae486d63c from main
Thanks Alex Vandiver for the report.
Regression in 09ffc5c1212d4ced58b708cbbf3dfbfb77b782ca.
Backport of 779cd28acb1f7eb06f629c0ea4ded99b5ebb670a from main.
Thanks Pierre-Nicolas Rigal for the report.
Regression in c67ea79aa981ae82595d89f8018a41fcd842e7c9.
Backport of 9cc0d7f7f85cecc3ad15bbc471fe6a08e4f515b6 from main
