Commit Graph

1712 Commits

Author SHA1 Message Date
Mariusz Felisiak 05413afa8c Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.
2021-02-01 09:07:36 +01:00
Paul Ganssle 10d1261984 Refs #32365 -- Allowed use of non-pytz timezone implementations. 2021-01-19 11:59:37 +01:00
Mariusz Felisiak b4c5f878bd Advanced deprecation warnings for Django 4.0. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak be6e468130 Refs #31359 -- Made get_random_string()'s length argument required.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 4bb30fe5d5 Refs #26601 -- Made get_response argument required and don't accept None in middleware classes.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 9e456f3166 Refs #30747 -- Removed django.utils.http.is_safe_url() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 157ab32f34 Refs #27753 -- Removed django.utils.text.unescape_entities() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak d134b0b93e Refs #15902 -- Stopped set_language() storing user's language in the session.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 52a238ddf2 Refs #30165 -- Removed ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), and ungettext_lazy() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 810f037b29 Refs #27753 -- Removed django.utils.encoding.force_text() and smart_text() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 88ed1c8d08 Refs #27753 -- Removed django.utils.http urllib aliases per deprecation timeline. 2021-01-14 17:50:04 +01:00
Florian Apolloner 64cc9dcdad Refs #31358 -- Added constant for get_random_string()'s default alphabet. 2021-01-13 20:40:40 +01:00
William Schwartz ec6d2531c5 Fixed #32314 -- Fixed detection when started non-django modules with "python -m" in autoreloader.
django.utils.autoreload.get_child_arguments() detected when Python was
started with the `-m` option only for `django` module. This commit
changes the logic to check __spec__, see
https://docs.python.org/3/reference/import.html#main-spec

Now packages can implement their own __main__ with the runserver
command.
2021-01-05 21:03:29 +01:00
starryrbs 2a76f43134 Fixed #32269 -- Fixed parse_duration() for negative days in ISO 8601 format. 2020-12-21 10:28:07 +01:00
Hasan Ramezani 577f2338f1 Fixed #32208 -- Allowed adding lazy() objects.
Co-authored-by: Claude Paroz <claude@2xlibre.net>
2020-12-21 09:24:41 +01:00
Adam Johnson ef39a8829b Added docstring to django.utils.inspect.func_accepts_kwargs(). 2020-12-14 18:08:37 +01:00
Florian Apolloner 98e05ccde4 Fixed #32233 -- Cleaned-up duplicate connection functionality. 2020-12-08 08:55:44 +01:00
Mariusz Felisiak aade2b461a
Fixed #32223 -- Removed strict=True in Path.resolve() in autoreloader.
This reverts commit e286711879 which
caused permission errors when users didn't have permissions to all
intermediate directories in a Django installation path.

Thanks Jakub Szafrański for the report.
2020-11-25 20:39:54 +01:00
Carlton Gibson ead37dfb58
Fixed #32202 -- Fixed autoreloader argument generation for Windows with Python 3.7-. 2020-11-19 12:07:15 +01:00
Nick Pope 0cbccaebeb
Simplified TimeFormat.g(). 2020-11-12 15:19:17 +01:00
Sam 895f6e4992 Fixed #32149 -- Added support for years < 1000 to DateFormat.y(). 2020-11-12 12:43:06 +01:00
Tom Forbes 658bcc16f1 Fixed #25791 -- Implement autoreload behaviour for cached template loader. 2020-11-05 15:30:52 +01:00
Daniel Hahler ab943f031c Protected Watchman autoreloader against busy loops.
With an error in the loop above (e.g. using query without args), this
would trigger a busy loop. While this was caused due to changes to the
loop itself, it seems to be just good practice to protect against this.
2020-11-02 07:18:39 +01:00
Nick Pope 966b5b49b6 Updated MultiValueDict.update() to mirror dict.update() behavior.
Changes in behavior include:

- Accepting iteration over empty sequences, updating nothing.
- Accepting iterable of 2-tuples providing key-value pairs.
- Failing with the same or comparable exceptions for invalid input.

Notably this replaces the previous attempt to catch TypeError which was
unreachable as the call to .items() resulted in AttributeError on
non-dict objects.
2020-10-30 10:44:44 +01:00
Nick Pope 1a8ad8a5c6 Removed unused custom exception support for ImmutableList.
If the warning provided was an instance of Exception, then it would be
used as-is. In practice this is untested, unused and ImmutableList is
an undocumented internal datastructure.
2020-10-30 10:44:44 +01:00
Martin Thoma 302caa40e4 Made small readability improvements. 2020-10-28 20:20:20 +01:00
Florian Apolloner 143d8e1ab3 Removed unneeded calls to iri_to_uri() in cache key generation.
request.build_absolute_uri() already applies iri_to_uri()
2020-10-06 12:29:06 +02:00
Simon Charette 4c675523bd Refs #29838, Refs #28507 -- Made make_hashable() ignore key order. 2020-10-05 20:42:46 +02:00
Tom Carrick bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Francisco Couzo 5ea1621c72
Fixed #31985 -- Corrected salted_hmac()'s docstring about supported algorithms.
salted_hmac() validates supported algorithms by checking hashlib
methods.
2020-09-07 10:59:36 +02:00
Nick Pope fd209f62f1 Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. 2020-09-03 14:24:42 +02:00
Michael Galler 547a07fa7e Fixed #31905 -- Made MiddlewareMixin call process_request()/process_response() with thread sensitive.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2020-08-26 07:13:49 +02:00
David Smith e74b3d724e Bumped minimum isort version to 5.1.0.
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
2020-07-30 10:58:59 +02:00
Tim Park 8fa9a6d29e Fixed #31623 -- Allowed specifying number of adjacent time units in timesince()/timeuntil(). 2020-07-16 09:44:28 +02:00
Tim Park d1409f51ff Fixed #31732 -- Cached callables signatures in django.utils.inspect methods. 2020-07-06 10:42:43 +02:00
Claude Paroz 258c88a913 Refs #5691 -- Made cache keys independent of USE_L10N.
This mostly reverts af1893c4ff.
2020-06-22 10:55:12 +02:00
Tom Forbes 8a902b7ee6
Fixed #31716 -- Fixed detection of console scripts in autoreloader on Windows. 2020-06-18 13:04:10 +02:00
Claude Paroz 9e57b1efb5 Fixed #30134 -- Ensured unlocalized numbers are string representation in templates. 2020-06-04 10:34:54 +02:00
Carlton Gibson dd1ca50b09 Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations.
Regression in e3e48b0012.

Thanks to Shai Berger for report, reproduce and suggested fix.
2020-06-01 08:38:54 +02:00
David Smith 0382ecfe02 Fixed #28694 -- Made django.utils.text.slugify() strip dashes and underscores. 2020-05-29 06:47:51 +02:00
David Smith 3111b434e7 Corrected slugify()'s docstring. 2020-05-29 06:42:03 +02:00
François Freitag 7cd88b3fec
Updated logging calls to use arguments instead of string interpolation. 2020-05-13 09:12:18 +02:00
Mariusz Felisiak d106d07f73 Advanced deprecation warnings for Django 3.2. 2020-05-13 09:07:51 +02:00
Mariusz Felisiak 0668164b4a
Fixed E128, E741 flake8 warnings. 2020-05-12 08:52:23 +02:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
Tom Forbes c00bc27945 Refs #30372 -- Stopped watching built-in Django translation files by auto-reloader. 2020-05-04 09:13:47 +02:00
François Freitag abea86f9e4 Removed unnecessary tuple wrapping of single format string argument. 2020-04-27 08:30:16 +02:00
Jon Dufresne 505fec6bad Capitalized Unicode in docs, strings, and comments. 2020-04-20 12:10:33 +02:00
Hasan Ramezani 7b31ba541f Fixed #29329 -- Made datetime logging from runserver more consistent.
Setting default_msec_format=None will make it the same, unfortunately
it's not supported by Python, see https://bugs.python.org/issue40300.
2020-04-16 12:55:53 +02:00
Deep Sukhwani 4b146e0c83 Fixed #30864 -- Doc'd classproperty decorator. 2020-03-31 10:46:48 +02:00
Andrew Godwin fc0fa72ff4 Fixed #31224 -- Added support for asynchronous views and middleware.
This implements support for asynchronous views, asynchronous tests,
asynchronous middleware, and an asynchronous test client.
2020-03-18 19:59:12 +01:00
Mariusz Felisiak 3c35825009 Fixed typo in django/utils/crypto.py. 2020-03-11 14:38:27 +01:00
Claude Paroz e663f695fb Fixed #31359 -- Deprecated get_random_string() calls without an explicit length. 2020-03-11 13:16:44 +01:00
Claude Paroz e3e48b0012
Fixed #30439 -- Added support for different plural forms for a language.
Thanks to Michal Čihař for review.
2020-03-10 15:56:32 +01:00
Jon Dufresne 769cee5252 Fixed #31327 -- Deprecated providing_args argument for Signal. 2020-03-05 09:38:52 +01:00
Hasan Ramezani bc1c034076 Fixed #28280 -- Prevented numberformat.format() from formatting large/tiny floats in scientific notation. 2020-02-26 16:02:53 +01:00
Claude Paroz 4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz 50cf183d21 Refs #27468 -- Added algorithm parameter to django.utils.crypto.salted_hmac(). 2020-01-27 12:42:21 +01:00
Pavel Lysak 13e4abf83e Fixed #30752 -- Allowed using ExceptionReporter subclasses in error reports. 2020-01-16 15:25:49 +01:00
Mariusz Felisiak c5e373d48c Fixed obsolete comment in django.utils.crypto.salted_hmac().
Obsolete since 13864703bc.
2020-01-15 12:53:21 +01:00
Sjbrgsn b2bd08bb7a Fixed #30892 -- Fixed slugify() and admin's URLify.js for "İ".
Thanks Luis Nell for the implementation idea and very detailed report.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-12-30 20:47:22 +01:00
leollon fef2636f28 Fixed typo in django/utils/termcolors.py docstring. 2019-12-27 07:49:15 +01:00
Mike Hansen d291c72bf2 Fixed #30585 -- Added {% translate %} and {% blocktranslate %} template tags. 2019-12-18 13:15:38 +01:00
Baptiste Mispelon f138e75910 Fixed outdated import in django/utils/safestring.py.
The backported version of functools.wraps was removed in
13864703bc.
2019-12-06 09:31:33 +01:00
Andrew Godwin c90ab30fa1 Fixed #31056 -- Allowed disabling async-unsafe check with an environment variable. 2019-12-03 17:29:31 +01:00
Farhaan Bukhsh 1f817daa20 Fixed #30803 -- Allowed comma separators for milliseconds in django.utils.dateparse functions.
Co-Authored-By: Ben Wilber <benwilber@gmail.com>
2019-11-27 09:43:12 +01:00
Farhaan Bukhsh 42b23d1e79 Refs #30803 -- Allowed comma separators for decimal fractions in parse_duration(). 2019-11-27 09:43:12 +01:00
Baptiste Mispelon 824981b2dc Removed unused unencoded_ampersands_re regex.
Unused since 8b81dee60c.
2019-11-25 09:01:31 +01:00
Baptiste Mispelon 8929afb8ec Fixed #9762 -- Made DateFormat.r() locale-independent.
Thanks to Antonio Melé for the original report all those years ago
and to all the contributors who helped along the way.
2019-11-22 12:41:53 +01:00
Baptiste Mispelon 76ec032712 Refs #26281 -- Added a helpful error message for an invalid "r" specifier to dateformat.format(). 2019-11-22 12:32:30 +01:00
Baptiste Mispelon cbe4d6203f Fixed #30989 -- Removed unimplemented B time format.
It's never been documented and has always raised a NotImplementedError.
2019-11-18 12:50:41 +01:00
Baptiste Mispelon 5e2839f320 Simplified DateFormat.W() and z(). 2019-11-18 11:30:23 +01:00
Baptiste Mispelon 1185c6172b Fixed #30990 -- Fixed example output in 'z' date format docs. 2019-11-18 11:30:20 +01:00
Hasan Ramezani 6315a272c5 Refs #28428 -- Made filepath_to_uri() support pathlib.Path. 2019-10-30 13:13:15 +01:00
Hasan Ramezani e3d0b4d550 Fixed #30899 -- Lazily compiled import time regular expressions. 2019-10-29 09:22:26 +01:00
Hasan Ramezani 39a34d4bf9 Refs #30899 -- Made _lazy_re_compile() support bytes. 2019-10-29 09:14:24 +01:00
Hasan Ramezani c4cba148d8 Refs #30899 -- Moved _lazy_re_compile() to the django.utils.regex_helper. 2019-10-29 09:14:24 +01:00
Hasan Ramezani 52cb419072 Fixed #30918 -- Made timesince()/timeuntil() respect custom time strings for future and the same datetimes. 2019-10-28 12:28:18 +01:00
André Ericson 3120490912 Fixed #30876 -- Moved classproperty() decorator to the django.utils.functional. 2019-10-21 09:57:39 +02:00
Flavio Curella ed112fadc1 Fixed #23755 -- Added support for multiple field names in the no-cache Cache-Control directive to patch_cache_control().
https://tools.ietf.org/html/rfc7234#section-5.2.2.2
2019-10-10 19:30:51 +02:00
Viktor Lomakin ee6b17187f Fixed #30812 -- Made ConditionalGetMiddleware set ETag only for responses with non-empty content. 2019-10-10 09:51:05 +02:00
Ad Timmering 7b5f8acb9e Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
2019-09-30 14:42:56 +02:00
Mariusz Felisiak 9a2a12d415 Advanced deprecation warnings for Django 3.1. 2019-09-10 12:01:00 +02:00
Mariusz Felisiak cb2be9d5d5 Refs #29546 -- Removed django.utils.timezone.FixedOffset per deprecation timeline. 2019-09-10 12:01:00 +02:00
Nasir Hussain 25706d7285 Fixed #29714 -- Allowed using ExceptionReporter subclass with AdminEmailHandler. 2019-09-04 08:40:46 +02:00
Carlton Gibson 4f61810751 Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme(). 2019-09-02 15:32:23 +02:00
Jon Dufresne a44d80f88e Adjusted subprocess.run() calls to use arg list, rather than string.
The Python docs recommend passing a sequence to subprocess.run() when
possible. Doing so allows for automatic escaping and quoting of
arguments.

https://docs.python.org/3/library/subprocess.html#frequently-used-arguments

> args is required for all calls and should be a string, or a sequence
> of program arguments. Providing a sequence of arguments is generally
> preferred, as it allows the module to take care of any required
> escaping and quoting of arguments (e.g. to permit spaces in file
> names).

Also removed `shell=True` where unnecessary.
2019-08-28 10:19:30 +02:00
Jon Dufresne 1e6b9e29e6 Refs #27795 -- Removed an unnecessary force_bytes() call in uri_to_iri().
The value returned from urllib.parse.quote() is always a string, so can
safely call .encode().
2019-08-28 09:20:46 +02:00
Claude Paroz 9386586f31 Replaced subprocess commands by run() wherever possible. 2019-08-23 10:53:36 +02:00
Adnan Umer 6805c0f99f Fixed #30701 -- Updated patch_vary_headers() to handle an asterisk according to RFC 7231. 2019-08-16 15:25:42 +02:00
Claude Paroz 88c0b907e7 Refs #30461 -- Added django.utils._os.to_path(). 2019-08-13 17:17:39 +02:00
swatantra 73ac9e3f04 Fixed #30677 -- Improved error message for urlencode() and Client when None is passed as data. 2019-08-11 20:15:23 +02:00
Jon Dufresne e8d0d2a5ef Removed unneeded ValueError catching in django.utils.text._replace_entity().
The html.entities.name2codepoint dict contains only valid Unicode
codepoints. Either the key exists and chr() will succeed or the key does
not exist.
2019-08-01 14:30:20 +02:00
Florian Apolloner 76ed1c49f8 Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Florian Apolloner 4b78420d25 Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Florian Apolloner 7f65974f82 Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Nick Pope f618e033ac Fixed #30160 -- Added support for LZMA and XZ templates to startapp/startproject management commands. 2019-07-31 10:02:13 +02:00
Nick Pope 69a30f620e Refs #30160 -- Simplified archive extension map and added other aliases. 2019-07-31 09:46:17 +02:00
Nick Pope 0509148c24 Refs #30160 -- Made destination path a required argument of extract(). 2019-07-30 11:27:56 +02:00
Tom Forbes fc75694257 Fixed #30647 -- Fixed crash of autoreloader when extra directory cannot be resolved. 2019-07-24 14:08:37 +02:00