1
0
mirror of https://github.com/django/django.git synced 2025-07-08 19:59:11 +00:00

4983 Commits

Author SHA1 Message Date
Sarah Boyce
c9731dc656 [5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-05-06 22:24:24 -03:00
Natalia
57c245199a [5.2.x] Made cosmetic edits and added upcoming security release to release notes.
Backport of 0f5dd0dff3049189a3fe71a62670b746543335d5 from main.
2025-04-30 14:56:07 -03:00
Baptiste Mispelon
1367a197dd [5.2.x] Fixed #36357 -- Skipped unique_together in inspectdb output for composite primary keys.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
2025-04-30 11:55:56 -03:00
Simon Charette
ec73fd6746 [5.2.x] Fixed #36358 -- Corrected introspection of composite primary keys on SQLite.
Previously, any first field of a composite primary key with type
`INTEGER` was incorrectly introspected as an `AutoField` due to SQLite
treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`.

This change ensures that integer fields in composite PKs are not
mistaken for auto-incrementing fields.

Thanks Jacob Walls and Sarah Boyce for the reviews.

Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
2025-04-30 10:54:17 -03:00
Simon Charette
7f6a5fbe2e [5.2.x] Fixed #36360 -- Fixed QuerySet.update() crash when referring annotations through values().
The issue was only manifesting itself when also filtering againt a related
model as that forces the usage of a subquery because SQLUpdateCompiler doesn't
support the UPDATE FROM syntax yet.

Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.

Refs #28900.

Thanks Gav O'Connor for the detailed report.

Backport of 8ef4e0bd423ac3764004c73c3d1098e7a51a2945 from main.
2025-04-30 11:39:37 +02:00
nessita
90fa9f4cc0 [5.2.x] Fixed #36309 -- Made email alternatives and attachments pickleable.
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in
d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b.

Thanks Florent Messa for the report, and Jake Howard and Claude
Paroz for the review.

Backport of 0596263c3136bc26cffa670e5322bd0aa56c4d34 from main.
2025-04-24 10:12:32 -03:00
nessita
7d80f70988 [5.2.x] Refs #36341 -- Added release notes for 5.1.9 and 4.2.21 for fix in wordwrap template filter.
Revision 1e9db35836d42a3c72f3d1015c2f302eb6fee046 fixed a regression in
55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b, which also needs to be
backported to the stable branches in extended support (5.1.x and 4.2.x).

Backport of c86242d61ff81bddbead115c458c1eb532d43b43 from main.
2025-04-23 17:28:00 -03:00
Matti Pohjanvirta
305aa4d0c5 [5.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.

This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.

Thanks Matti Pohjanvirta for the report and fix.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-23 16:18:55 -03:00
antoliny0919
97c93549fc [5.2.x] Fixed #36331 -- Reverted "Fixed #36055 -- Prevented overlap of object-tools buttons and page header in the admin."
This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and
02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression
in admin sites that relied on the `object-tools` block being inside the
`content` block.

Thank you to Fabian Braun for the report.

Backport of 1bc805e23b73a580b82a1d416ab0fb59a1073047 from main.
2025-04-22 22:14:54 -03:00
Ahmed Nassar
adf2991d32 [5.2.x] Fixed #36314 -- Fixed MinimumLengthValidator error message translation.
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa.

Thank you Gabriel Trouvé for the report and Claude Paroz for the review.

Backport of d469db978ea6a705549b9519313d9adc198e4232 from main.
2025-04-17 12:32:24 +02:00
Simon Charette
b97af5e696 [5.2.x] Fixed #36288 -- Addressed improper handling of duplicates in values_list().
Now that selected aliases are stored in sql.Query.selected: dict[str, Any]
the values_list() method must ensures that duplicate field name references are
assigned unique aliases.

Refs #28900.

Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.

Thanks Claude for the report.

Backport of 21f8be76d43aa1ee5ae41c1e0a428cfea1f231c1 from main.
2025-04-11 09:06:53 +02:00
Simon Charette
5d2a0c51d4 [5.2.x] Fixed #36301 -- Fixed select_for_update(of) crash when using values()/values_list().
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for
annotations to be SELECT'ed before model field references through
values()/values_list() and broke assumptions the select_for_update(of)
table infererence logic had about model fields always being first.

Refs #28900.

Thanks OutOfFocus4 for the report and Sarah for the test.

Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main
2025-04-07 23:49:23 +02:00
Sarah Boyce
77d2037511 [5.2.x] Fixed #36298 -- Truncated the overwritten file content in file_move_safe().
Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c.

Thanks Baptiste Mispelon for the report.

Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
2025-04-07 16:13:19 +02:00
Simon Charette
cd1aa54f5a [5.2.x] Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.

Refs #28900.

Thanks Jeff Iadarola for the report and tests.

Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>

Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
2025-04-05 21:38:06 +02:00
Simon Charette
d9bf0d07cc [5.2.x] Fixed #36289 -- Fixed bulk_create() crash with nullable geometry fields on PostGIS.
Swapped to an allow list instead of a deny list for field types to
determine if the UNNEST optimization can be enabled to avoid further
surprises with other types that would require further specialization to
adapt.

Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491.

Thanks Joshua Goodwin for the report and Sarah Boyce for the test.

Backport of 764af7a3d6c0b543dcf659a2c327f214da768fe4 from main
2025-04-04 21:33:55 +02:00
Simon Charette
8ebdd37a0b [5.2.x] Fixed #36290 -- Made TupleIn() lookup discard tuples containing None.
Just like the In() lookup discards of None members TupleIn() should
discard tuples containing any None as NULL != NULL in SQL and the
framework expects such queries to be elided under some circumstances.

Refs #31667, #36116.

Thanks Basptise Mispelon for bisecting the regression to 626d77e.

Backport of f7f38f3a0b44d8c6d14344dae66b6ce52cd77b55 from main
2025-04-03 22:20:50 +02:00
Simon Charette
317690403a [5.2.x] Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms and references.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.

Refs #28900

Thanks Patrick Altman for the report.

Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main
2025-04-03 18:35:11 +02:00
Sarah Boyce
3de17317fb [5.2.x] Added stub release notes for 5.2.1.
Backport of c7ff347c641f2f97fa9f2f7d182982f789a211b4 from main.
2025-04-02 15:26:00 +02:00
Sarah Boyce
9c6f8feaeb [5.2.x] Finalized release notes for Django 5.2.
Backport of 345ba995c0df114288909040ff2bcecbad50a35d from main.
2025-04-02 14:43:52 +02:00
Sarah Boyce
54b38ab44d [5.2.x] Added CVE-2025-27556 to security archive.
Backport of b83dab7d8da8d1dd888164de5ed79e88cedcb19b from main.
2025-04-02 13:32:31 +02:00
Sarah Boyce
2cb311f7b0 [5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.

Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
2025-04-02 10:23:46 +02:00
Sarah Boyce
3077bc4e78 [5.2.x] Added stub release notes and release date for 5.1.8 and 5.0.14.
Backport of c75fbe843079ca249d7015926490dd21107e63a4 from main.
2025-03-26 09:03:04 +01:00
Johanan Oppong Amoateng
321a5651a3 [5.2.x] Fixed #36266 -- Renamed HIDE_PRODUCTION_WARNING environment variable to DJANGO_RUNSERVER_HIDE_WARNING.
Backport of 5adadf6e8c74ab14d432e9d682ca1914789386de from main.
2025-03-21 10:23:13 +01:00
Adam Johnson
95031c1ab1 [5.2.x] Fixed #36234 -- Restored single_object argument to LogEntry.objects.log_actions().
Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for
your spot on analysis.

Regression in c09bceef68e5abb79accedd12dade16aa6577a09, which is
partially reverted in this branch.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

Backport of 27b68bcadf1ab2e9f7fd223aed42db352ccdc62d from main.
2025-03-12 16:36:48 -03:00
Adam Johnson
5fdc951f43 [5.2.x] Refs #25582 -- Doc'd query and fragment arguments for reverse_lazy().
Backport of c70dbcf8358ca7ff34e76b11dae0740284663911 from main.
2025-03-12 16:43:13 +01:00
Hisham Mahmood
957ddfedec [5.2.x] Removed duplicate entries in docs/releases/5.2.txt.
Backport of 955b7c6ba105b328f387a9d63540dbabd4a05828 from main.
2025-03-12 11:06:26 +01:00
Sarah Boyce
2bfec6c84b [5.2.x] Added CVE-2025-26699 to security archive.
Backport of bad1a18ff28a671f2fdfd447bdf8f43602f882c2 from main.
2025-03-06 14:06:06 +01:00
Sarah Boyce
0e2349207c [5.2.x] Added stub release notes for 5.1.8.
Backport of 193e3446e38c5415465608f68620508eace60388 from main.
2025-03-06 13:32:39 +01:00
Sarah Boyce
3cfa472644 [5.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.
Thanks sw0rd1ight for the report.

Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
2025-03-06 09:42:27 +01:00
antoliny0919
5997fdc921 [5.2.x] Fixed #36217 -- Restored pre_save/post_save signal emission via LogEntry.save() for single-object deletion in the admin.
Regression in 40b3975e7d3e1464a733c69171ad7d38f8814280.

Thanks smiling-watermelon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

Backport of c09bceef68e5abb79accedd12dade16aa6577a09 from main.
2025-03-04 10:36:37 +01:00
Sarah Boyce
b8ceda4a51 [5.2.x] Added stub release notes and release date for 5.1.7, 5.0.13, and 4.2.20.
Backport of ea1e3703bee28bfbe4f32ceb39ad31763353b143 from main.
2025-02-27 16:06:17 +01:00
Simon Charette
6b8a6e1251 [5.2.x] Fixed #36197 -- Fixed improper many-to-many count() and exists() for non-pk to_field.
Regression in 66e47ac69a7e71cf32eee312d05668d8f1ba24bb.

Thanks mfontana-elem for the report and Sarah for the tests.

Backport of c3a23aa02faa1cf1d32e43d66858e793cd9ecac4 from main.
2025-02-18 11:44:46 +01:00
Gaël Utard
ae391ca368 [5.2.x] Fixed #36191 -- Truncated the overwritten file content in FileSystemStorage.
Backport of 0d1dd6bba0c18b7feb6caa5cbd8df80fbac54afd from main.
2025-02-17 14:03:36 +01:00
Sarah Boyce
92d5b2f389 [5.2.x] Fixed #36182 -- Returned "?" if all parameters are removed in querystring template tag.
Thank you to David Feeley for the report and Natalia Bidart for the review.

Backport of 05002c153c5018e4429a326a6699c7c45e5ea957 from main.
2025-02-13 15:50:53 +01:00
Mariusz Felisiak
d3d9f3a5a4 [5.2.x] Reverted "Refs #35803 -- Added support for __coveredby GIS lookup on MariaDB 11.7+."
This partly reverts commit 0b7edb9fcdd33d47ec5701b4f9b9553e27a88e95.

MariaDB reverted GIS functions.

Backport of 54a902c6e81214462388f79a7c42f1c88c863dfd from main.
2025-02-13 10:40:53 +01:00
Mariusz Felisiak
fc19618171 [5.2.x] Reverted "Fixed #35803 -- Added support for Collect, GeoHash, and IsValid on MariaDB 11.7+."
This reverts commit c77573716a58af32ffcfc4fe87ff9e5c97909bd2.

MariaDB reverted GIS functions.

Backport of eb70aafdba18ac30e53056162c32ee6c21dea0b4 from main.
2025-02-13 10:40:07 +01:00
Natalia
2b11b8e989 [5.2.x] Added stub release notes for 5.1.7.
Backport of e2a8f4dac8ed2b3667a4367756043b1e119f4ce2 from main.
2025-02-05 11:22:24 -03:00
Natalia
f075694a62 [5.2.x] Added release date for 5.1.6, 5.0.12, and 4.2.19.
Backport of 294cc965efe0dfc8457aa5a8e78cb6d53abfcf92 from main.
2025-02-05 10:39:42 -03:00
nessita
affad13d0c [5.2.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non required password fields.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.

Thanks buffgecko12 for the report and Sarah Boyce for the review.

Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
2025-02-01 22:50:26 -03:00
nessita
b406907af5 [5.2.x] Tweaked docs to avoid reformatting given new black version.
Backport of fd3cfd80bebad292d639a03e58632e494369eb92 from main.
2025-01-30 10:38:44 -03:00
Clifford Gama
35d402f4e9 [5.2.x] Fixed typos in docs/releases/5.2.txt.
Backport of c41d6c9bb8262dff64fe4ab55e601bc0b269960b from main.
2025-01-16 13:15:24 +01:00
Sarah Boyce
1259509220 Made cosmetic edits to docs/releases/5.2.txt. 2025-01-15 21:11:20 +01:00
Sarah Boyce
9e6e58bad2 Removed empty sections from 5.2 release notes. 2025-01-15 21:11:20 +01:00
Matthias Kestenholz
6a7ee02f59
Fixed #35521 -- Allowed overriding BoundField class on fields, forms and renderers.
Thank you Sarah Boyce, Carlton Gibson, Tim Schilling and Adam Johnson
for reviews.

Co-authored-by: Christophe Henry <contact@c-henry.fr>
Co-authored-by: David Smith <smithdc@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Matthias Kestenholz <mk@feinheit.ch>
2025-01-15 17:04:26 -03:00
Mariusz Felisiak
b3c5830769 Fixed #36098 -- Fixed validate_ipv6_address()/validate_ipv46_address() crash for non-string values.
Regression in ca2be7724e1244a4cb723de40a070f873c6e94bf.
2025-01-15 13:46:06 -03:00
Jacob Walls
f054045973 Refs #36070 -- Referred to pk as an attribute when a composite primary key is defined.
This is to avoid confusion that a field is often associated with having
a single associated database column.
2025-01-15 13:44:23 +01:00
Jacob Walls
d206d4c200 Fixed #36051 -- Declared arity on aggregate functions.
Follow-up to 4a66a69239c493c05b322815b18c605cd4c96e7c.
2025-01-14 16:47:07 +01:00
Natalia
f2a1dcaa53 Added CVE-2024-56374 to security archive. 2025-01-14 11:37:50 -03:00
Natalia
3b46bea909 Added stub release notes for 5.1.6. 2025-01-14 11:33:28 -03:00
Michael Manfre
ca2be7724e Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.
Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
Felisiak for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-01-14 08:42:24 -03:00