django/utils at 75c4403f07b8ad25893f7832dbe8fc6814b53b2d - django - Gitea: Git with a cup of tea

mirrors/django

mirror of https://github.com/django/django.git synced 2025-10-09 06:49:12 +00:00

History

Natalia 7456aa23da [5.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>

Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.

2025-06-04 08:34:51 -03:00

..

[5.2.x] Fixed warnings per flake8 7.2.0.

2025-03-30 17:56:41 +02:00

__init__.py

Imported Django from private SVN repository (created from r. 8825)

2005-07-13 01:25:57 +00:00

_os.py

Corrected exception type in safe_join()'s docstring.

2023-04-20 05:44:01 +02:00

archive.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

asyncio.py

Fixed #34233 -- Dropped support for Python 3.8 and 3.9.

2023-01-18 09:46:01 +01:00

autoreload.py

[5.2.x] Fixed warnings per flake8 7.2.0.

2025-03-30 17:56:41 +02:00

cache.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

choices.py

Fixed #35766 -- Handled slices in BaseChoiceIterator.

2024-09-18 16:45:53 +02:00

connection.py

Made closing in connection handlers more DRY.

2022-05-12 15:13:51 +02:00

crypto.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

datastructures.py

Refs #34233 -- Used str.removeprefix()/removesuffix().

2023-01-18 19:11:18 +01:00

dateformat.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

dateparse.py

Removed unneeded escapes in regexes.

2023-08-02 19:53:16 +02:00

dates.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

deconstruct.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

decorators.py

Fixed #35083 -- Updated method_decorator to handle async methods.

2024-08-30 08:54:49 -03:00

deprecation.py

Refs #25466 -- Removed unused DeprecationInstanceCheck.

2024-07-11 09:40:07 +02:00

duration.py

Used more augmented assignment statements.

2022-10-31 12:30:13 +01:00

encoding.py

Refs #34986 -- Avoided pickling error in DjangoUnicodeDecodeError.

2023-11-27 10:37:29 +01:00

feedgenerator.py

Fixed #12978 -- Added support for RSS feed stylesheets.

2024-06-18 17:25:43 +02:00

formats.py

Refs #32873 -- Removed settings.USE_L10N per deprecation timeline.

2023-01-17 11:49:15 +01:00

functional.py

Allowed custom formatting of lazy() objects.

2023-06-12 06:09:20 +02:00

hashable.py

Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable().

2023-11-24 12:06:29 +01:00

html.py

[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

2025-05-06 22:24:24 -03:00

http.py

[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.

2025-04-02 10:23:46 +02:00

inspect.py

Fixed #35179 -- Made admindocs detect positional/keyword-only arguments.

2024-02-14 13:17:40 +01:00

ipv6.py

Fixed #36098 -- Fixed validate_ipv6_address()/validate_ipv46_address() crash for non-string values.

2025-01-15 13:46:06 -03:00

itercompat.py

Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable().

2023-11-24 12:06:29 +01:00

log.py

[5.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().

2025-06-04 08:34:51 -03:00

lorem_ipsum.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

module_loading.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

numberformat.py

Refs #33476 -- Applied Black's 2023 stable style.

2023-02-01 11:04:38 +01:00

regex_helper.py

Applied Black's 2024 stable style.

2024-01-26 12:45:07 +01:00

safestring.py

Fixed #35648 -- Raised NotImplementedError in SafeString.__add__ for non-string RHS.

2024-08-12 14:25:05 -03:00

termcolors.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00

text.py

[5.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.

2025-04-23 16:18:55 -03:00

timesince.py

Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.

2023-04-14 17:41:03 +02:00

timezone.py

Fixed #34233 -- Dropped support for Python 3.8 and 3.9.

2023-01-18 09:46:01 +01:00

tree.py

Refs #32948 , Refs #32946 -- Used Q.create() internally for dynamic Q() objects.

2022-07-27 10:06:24 +02:00

version.py

Refs #35844 -- Corrected expected error messages in commands tests on Python 3.14+.

2024-10-25 13:30:11 +02:00

xmlutils.py

Refs #33476 -- Reformatted code with Black.

2022-02-07 20:37:05 +01:00