Claude Paroz
552f03869e
Added safety to URL decoding in is_safe_url() on Python 2
...
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
...
This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the report and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer
c5544d2892
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
Nick Malakhov
ee69789f45
Fixed #26269 -- Prohibited spaces in is_valid_ipv6_address().
2016-02-25 18:52:50 -05:00
Alexey Kotlyarov
b59f963ad2
Fixed #26212 -- Made forms.FileField and translation.lazy_number() picklable.
2016-02-15 11:44:29 -05:00
Jon Dufresne
dec334cb66
Fixed #26193 -- Made urlize() trim multiple trailing punctuation.
2016-02-15 09:10:15 -05:00
Marcin Markiewicz
f7a9872b91
Fixed #26173 -- Prevented localize_input() from formatting booleans as numbers.
2016-02-09 13:07:33 -05:00
Ben Kraft
13023ba867
Fixed #26122 -- Fixed copying a LazyObject
...
Shallow copying of `django.utils.functional.LazyObject` or its subclasses has
been broken in a couple of different ways in the past, most recently due to
35355a4.
2016-01-26 06:56:21 -05:00
userimack
60586dd737
Fixed #26125 -- Fixed E731 flake warnings.
2016-01-25 14:23:43 -05:00
Claude Paroz
104eddbdf6
Fixed #26093 -- Allowed escape sequences extraction by gettext on Python 3
...
Thanks Sylvain Fankhauser for the report and Tim Graham for the review.
2016-01-23 14:00:55 +01:00
Tim Graham
5b94b17fef
Fixed #25999 -- Removed promotion of RemovedInNextVersionWarning to loud by default.
2016-01-14 09:05:43 -05:00
Tim Graham
d45cfefbad
Refs #25769 -- Updated docs to reflect get_version() uses PEP 0440.
2016-01-13 07:06:34 -05:00
Flavio Curella
0bc5cd6280
Fixed #25684 -- Made runserver use logging for request/response output.
...
Thanks andreif for contributing to the patch.
2016-01-11 07:35:17 -05:00
Claude Paroz
632a9f21bc
Fixed #26046 -- Fixed a crash with translations and Django-unknown language code
...
Thanks Jens Lundstrom for the report and Tim Graham for the review.
2016-01-06 20:30:56 +01:00
Benjamin Bach
8ad18103a1
Replaced dict.setdefault() usage to avoid unnecessary object instantiations.
2016-01-05 13:06:23 -05:00
Denis Cornehl
186b6c61bf
Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
...
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Claude Paroz
cd3c042b04
Fixed #25915 -- Allowed language not in Django's default LANGUAGES
...
This fixes a regression introduced by a5f6cbce07.
Thanks Gavin Wahl for the report and Tim Graham for the review.
2015-12-18 17:50:16 +01:00
Claude Paroz
ed20dd2e85
Fixed #25875 -- Prevented UnicodeDecodeError for Q object repr
...
Thanks Ben Kraft for the report, and Simon Charette for the review.
2015-12-13 15:07:17 +01:00
Iacopo Spalletti
d693074d43
Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
...
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Raphaël Hertzog
9f4e031bd3
Fixed #25761 -- Added __cause__.__traceback__ to reraised exceptions.
...
When Django reraises an exception, it sets the __cause__ attribute even
in Python 2, mimicking Python 3's behavior for "raise Foo from Bar".
However, Python 3 also ensures that all exceptions have a __traceback__
attribute and thus the "traceback2" Python 2 module (backport of Python
3's "traceback" module) relies on the fact that whenever you have a
__cause__ attribute, the recorded exception also has a __traceback__
attribute.
This is breaking testtools which is using traceback2 (see
https://github.com/testing-cabal/testtools/issues/162 ).
This commit fixes this inconsistency by ensuring that Django sets
the __traceback__ attribute on any exception stored in a __cause__
attribute of a reraised exception.
2015-12-03 16:31:50 -05:00
Gagaro
34d88944f4
Fixed #25812 -- Restored the ability to use custom formats with the date template filter.
2015-11-28 08:38:45 -05:00
Florian Apolloner
316bc3fc94
Fixed a settings leak possibility in the date template filter.
...
This is a security fix.
2015-11-24 11:20:29 -05:00
Tim Graham
4921d4e59f
Fixed #25769 -- Updated get_version() release candidate naming for PEP 0440.
2015-11-19 10:00:09 -05:00
Tim Graham
c7adfe941b
Removed redundant termcolors.
...
Replaced MIGRATE_SUCCESS and MIGRATE_FAILURE with
SUCCESS and ERROR.
2015-11-18 10:26:39 -05:00
Attila Tovt
0a2d3b7387
Fixed #25682 -- Removed bare except clauses.
2015-11-17 14:39:15 -05:00
Jaap Roes
9a2aca6030
Fixed #25743 -- Optimized utils.localize() and localize_input()
...
Bail early if the input is a string since that's the most common case.
2015-11-12 13:24:53 -05:00
Marti Raudsepp
d3e3703a15
Fixed #25720 -- Made gettext() return bytestring on Python 2 if input is bytestring.
...
This is consistent with the behavior of Django 1.7.x and earlier.
2015-11-11 08:56:10 -05:00
Tim Graham
4c593eaa5f
Updated six to 1.10.0.
2015-11-10 22:05:48 -05:00
Dwight Gunning
1f29164ced
Fixed #6727 -- Made patch_cache_control() patch an empty Cache-Control header.
2015-11-09 14:26:29 -05:00
Aymeric Augustin
1014ba026e
Fixed debug view crash during autumn DST change.
...
This only happens if USE_TZ = False and pytz is installed (perhaps not
the most logical combination, but who am I to judge?)
Refs #23714 which essentially fixed the same problem when USE_TZ = True.
Thanks Florian and Carl for insisting until I wrote a complete patch.
2015-11-07 23:17:33 +01:00
Neal Todd
c3a974c81e
Amended comment to remove reference to the no longer used NullHandler
2015-11-07 16:35:46 +01:00
Ville Skyttä
3ee18400ae
Fixed #25668 -- Misc spelling errors
2015-11-03 11:58:13 +02:00
Tim Graham
0b5d32faca
Fixed #25611 -- Standardized descriptor signatures.
2015-10-26 11:31:16 -04:00
Claude Paroz
8b5acda821
Fixed #25571 -- Fixed boolean evaluation of ungettext_lazy
2015-10-22 15:17:45 +02:00
Tim Graham
04ecc26223
Removed SimpleLazyObject workaround for a Python 3 bug.
...
The workaround added in fe8484efda seems unnecessary as the Python bug is fixed in Python 3.4.
2015-10-05 09:46:59 -04:00
Tim Graham
ea8e7fd989
Removed obsolete (since Python 2.3) __safe_for_unpickling__ attribute.
2015-10-05 08:07:27 -04:00
Ben Kraft
35355a4ffe
Fixed #25389 -- Fixed pickling a SimpleLazyObject wrapping a model.
...
Pickling a `SimpleLazyObject` wrapping a model did not work correctly; in
particular it did not add the `_django_version` attribute added in 42736ac8.
Now it will handle this and other custom `__reduce__` methods correctly.
2015-10-03 13:00:37 -04:00
Tim Graham
8d1a001ef6
Fixed #25466 -- Added backwards compatibility aliases for LoaderOrigin and StringOrigin.
...
Thanks Simon Charette for the DeprecationInstanceCheck class.
2015-09-29 18:31:11 -04:00
Tim Graham
48e7787db5
Removed RemovedInDjango110Warning.
2015-09-23 19:31:11 -04:00
Tim Graham
e5c12f6701
Refs #23613 -- Removed django.utils.checksums per deprecation timeline.
2015-09-23 19:31:10 -04:00
Tim Graham
222d063301
Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.
2015-09-23 19:31:09 -04:00
Tim Graham
6b37719616
Refs #24526 -- Made the django logger handle INFO messages.
...
Without an explicit 'level', only messages at WARNING or higher
are handled. This makes the config consistent with the docs
which say, "The django catch-all logger sends all messages at
the INFO level or higher to the console."
2015-09-23 11:33:49 -04:00
Matt Deacalion Stevens
f06ce6053c
Fixed #25439 -- Added `SUCCESS` style to termcolor palettes
2015-09-23 09:01:02 +02:00
Unai Zalakain
a4b80e2421
Refs #13110 -- Fixed mistakes in the new multiple enclosure feed tests
2015-09-19 15:54:33 +02:00
fabrizio ettore messina
186eb21dc1
Fixed #25269 -- Allowed method_decorator() to accept a list/tuple of decorators.
2015-09-18 19:04:29 -04:00
Unai Zalakain
aac2a2d2ae
Fixed #13110 -- Added support for multiple enclosures in Atom feeds.
...
The ``item_enclosures`` hook returns a list of ``Enclosure`` objects which is
then used by the feed builder. If the feed is an RSS feed, an exception is
raised as RSS feeds don't allow multiple enclosures per feed item.
The ``item_enclosures`` hook defaults to an empty list or, if the
``item_enclosure_url`` hook is defined, to a list with a single ``Enclosure``
built from the ``item_enclosure_url``, ``item_enclosure_length``, and
``item_enclosure_mime_type`` hooks.
2015-09-18 18:31:58 -04:00
Matt Robenolt
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Zan Anderle
f3dc173240
Fixed #24917 -- Made admindocs display model methods that take arguments.
2015-09-07 15:07:39 -04:00
Alexandre Pocquet
e7b7f94678
Fixed #25297 -- Allowed makemessages to work with {% trans %} tags that use template filters.
2015-09-04 15:09:09 -04:00
Maxime Lorant
c92cd22d02
Refs #25345 -- Updated links to code.google.com.
2015-09-04 08:14:21 -04:00