Commit Graph

11049 Commits

Author SHA1 Message Date
Florian Apolloner 22bd174881 [3.1.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd from main.
2021-12-07 06:56:06 +01:00
Mariusz Felisiak 9dd1f9572f [3.1.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on Python 3.9.7+.
Thanks Michał Górny for the report.

Backport of 50ed545e2f from main.
2021-09-02 11:04:51 +02:00
Simon Charette 0bd57a879a [3.1.x] Fixed CVE-2021-35042 -- Prevented SQL injection in QuerySet.order_by().
Regression introduced in 513948735b
by marking the raw SQL column reference feature for deprecation in
Django 4.0 while lifting the column format validation.

In retrospect the validation should have been kept around and the
user should have been pointed at using RawSQL expressions during the
deprecation period.

The main branch is not affected because the raw SQL column reference
support has been removed in 06eec31970
per the 4.0 deprecation life cycle.

Thanks Joel Saunders for the report.
2021-07-01 08:36:17 +02:00
Mariusz Felisiak 203d4ab9eb [3.1.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expression and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
2021-06-02 10:38:07 +02:00
Florian Apolloner 20c67a0693 [3.1.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView. 2021-06-02 10:38:07 +02:00
Mariusz Felisiak b7d4a6fa65 [3.1.x] Fixed #32718 -- Relaxed file name validation in FileField.
- Validate the filename returned by FileField.upload_to(), not the filename
  passed to FileField.generate_filename() (upload_to() may
  completely ignore the passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.

Backport of b55699968f from main.
2021-05-13 08:56:06 +02:00
Mariusz Felisiak afb23f5929 [3.1.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4 from main.
2021-05-06 08:50:52 +02:00
Carlton Gibson fdbf4a7c16 [3.1.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
The validate_file_name() sanitation introduced in
0b79eb3691 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2a to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.

Backport of a708f39ce6 from main
2021-05-06 07:42:45 +02:00
Florian Apolloner 25d84d6412 [3.1.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-27 19:12:15 +02:00
Mariusz Felisiak cca0d98118 [3.1.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.

Backport of d4d800ca1a from main.
2021-04-06 08:25:24 +02:00
Nick Pope 8f6d431b08 [3.1.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl(). 2021-02-18 10:15:30 +01:00
Mariusz Felisiak efaf9f4ac9 [3.1.x] Fixed backends.postgresql.tests.Tests.test_nodb_cursor_raises_postgres_authentication_failure().
Follow up to 9efe832ee1.
2021-02-05 06:08:08 +01:00
Christopher Keith 5dec57a6fc [3.1.x] Fixed #31550 -- Adjusted ASGI test_file_response for various Windows content types.
Backport of 76181308fb from master
2021-02-04 21:58:38 +01:00
Mariusz Felisiak 9efe832ee1 [3.1.x] Fixed #32403 -- Fixed re-raising DatabaseErrors when using only 'postgres' database.
Thanks Kazantcev Andrey for the report.

Regression in f48f671223.
Backport of f131841c60 from master
2021-02-02 21:36:06 +01:00
Mariusz Felisiak 02e6592835 [3.1.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.

Backport of 05413afa8c from master.
2021-02-01 09:13:58 +01:00
Mariusz Felisiak 03a86784d0 [3.1.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 database.
Backport of 135c800fe6 from master
2021-01-29 11:03:04 +01:00
Mariusz Felisiak 5fdc81d893 [3.1.x] Fixed #32304 -- Fixed prefixing STATIC_URL and MEDIA_URL by SCRIPT_NAME for absolute URLs with no domain.
Thanks Adam Hooper for the report.

Regression in c574bec092.
Backport of e13b71403b from master
2020-12-31 13:19:34 +01:00
Mariusz Felisiak 6b4b7da740 [3.1.x] Fixed #32299 -- Prevented mutating handlers when processing middlewares marked as unused in an async context.
Thanks Hubert Bielenia for the report.
Backport of 98ad327864 from master
2020-12-29 09:06:03 +01:00
sage a891e1bb0a [3.1.x] Fixed #32252 -- Fixed __isnull=True on key transforms on SQLite and Oracle.
__isnull=True on key transforms should not match keys with NULL values.

Backport of 8d7085e0fd from master
2020-12-11 11:18:15 +01:00
sage a7935fe942 [3.1.x] Fixed #32203 -- Fixed QuerySet.values()/values_list() crash on key transforms with non-string values on SQLite.
Thanks Gordon Wrigley for the report.

Backport of fe6e582421 from master
2020-11-25 20:30:38 +01:00
sage a2abeb3de7 [3.1.x] Refs #32203 -- Added tests for QuerySet.values()/values_list() on key transforms with non-trivial values.
Backport of 7408c4cd15 from master
2020-11-25 20:30:30 +01:00
Mariusz Felisiak 97bfe0cba5 [3.1.x] Fixed #32224 -- Avoided suppressing connection errors in supports_json_field on SQLite.
Regression in 6789ded0a6.

Thanks Juan Garcia Alvite for the report.
Backport of f5e5aac59e from master
2020-11-25 12:21:29 +01:00
Mariusz Felisiak a582ef8b89 [3.1.x] Added test for filtering JSONField key transforms with quoted strings.
Backport of bec415b290 from master
2020-11-25 06:55:39 +01:00
Hasan Ramezani 166c0d2474 [3.1.x] Fixed #32200 -- Fixed grouping by ExpressionWrapper() with Q objects.
Thanks Gordon Wrigley for the report.

Regression in df32fd42b8.

Backport of fe9c7ded29 from master
2020-11-19 21:42:14 +01:00
Carlton Gibson 012822c7f9 [3.1.x] Fixed #32202 -- Fixed autoreloader argument generation for Windows with Python 3.7-.
Backport of ead37dfb58 from master
2020-11-19 12:12:47 +01:00
Nick Pope 1f6e7fb4ab [3.1.x] Changed docs and a code comment to use gender-neutral pronouns.
Follow up to e1b7723817.

Backport of 477c800443 from master.
2020-11-13 22:29:41 +01:00
Hannes Ljungberg cc3870c30f [3.1.x] Fixed #32182 -- Fixed crash of JSONField nested key transforms with subquery annotations on PostgreSQL.
Backport of 0773837e15 from master
2020-11-10 08:13:03 +01:00
Carlton Gibson 8b3010a298 [3.1.x] Fixed #32159 -- Ensured AsyncRequestFactory correctly sets headers.
Backport of ebb08d1942 from master
2020-11-04 11:09:52 +01:00
Patrick Arminio bb74d2db98 [3.1.x] Fixed #32162 -- Fixed setting Content-Length header in AsyncRequestFactory.
Backport of 542b4b3ab4 from master
2020-11-03 10:33:34 +01:00
Max Smolens e707a1bd9a [3.1.x] Fixed #31850 -- Fixed BasicExtractorTests.test_extraction_warning with xgettext 0.21+.
"format string with unnamed arguments cannot be properly localized"
warning is not raised in xgettext 0.21+.

This patch uses a message that causes an xgettext warning regardless of
the version.

Backport of 07a30f5616 from master
2020-11-02 10:29:14 +01:00
Christian Klus ab951d242e [3.1.x] Fixed #32152 -- Fixed grouping by subquery aliases.
Regression in 42c08ee465.

Thanks Simon Charette for the review.

Backport of 4ac2d4fa42 from master
2020-10-29 11:30:53 +01:00
Mariusz Felisiak 767e06b5a8 [3.1.x] Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
Backport of 3418092238 from master
2020-10-22 13:22:00 +02:00
Hasan Ramezani 2212927c1b [3.1.x] Fixed #32107 -- Fixed ProtectedError.protected_objects and RestrictedError.restricted_objects.
Regression in 4ca5c565f4 and
ab3cbd8b9a.

Thanks Vitaliy Yelnik for the report.

Backport of 3b1746d519 from master
2020-10-19 13:10:13 +02:00
Claude Paroz 8caf524a1d [3.1.x] Fixed #32110 -- Doc'd and tested enumerations for ChoiceField.choices.
Backport of 7f85498eef from master
2020-10-17 21:01:54 +02:00
Mariusz Felisiak 536213278c [3.1.x] Refs #32096 -- Fixed ExclusionConstraint crash with JSONField key transforms in expressions.
Regression in 6789ded0a6.

Backport of ee0abac169 from master.
2020-10-14 22:10:09 +02:00
Mariusz Felisiak ae6b24093c [3.1.x] Refs #32096 -- Fixed ExpressionWrapper crash with JSONField key transforms.
Regression in 6789ded0a6.

Thanks Simon Charette and Igor Jerosimić for the report.

Backport of bbd55e5863 from master
2020-10-14 21:03:40 +02:00
Mariusz Felisiak 59fe0b8541 [3.1.x] Refs #32096 -- Fixed __in lookup crash against key transforms for JSONField.
Regression in 6789ded0a6 and
1251772cb8.

Thanks Simon Charette and Igor Jerosimić for the report.

Backport of 7e1e198494 from master
2020-10-14 21:03:15 +02:00
Mariusz Felisiak d94e777b66 [3.1.x] Refs #32096 -- Fixed crash of ArrayAgg/StringAgg/JSONBAgg with ordering over JSONField key transforms.
Regression in 6789ded0a6.

Thanks Igor Jerosimić for the report.

Backport of 1f31027bb3 from master
2020-10-14 21:02:29 +02:00
Mariusz Felisiak 735c88fdd7 [3.1.x] Refs #32096 -- Added test for ArrayAgg over JSONField key transforms.
Backport of 1d650ad019 from master
2020-10-14 20:57:03 +02:00
Tim Schilling 4047c1602c [3.1.x] Fixed #32091 -- Fixed admin search bar width on filtered admin page.
Backport of b7da588e88 from master
2020-10-09 12:11:15 +02:00
Qi Zhao 8c403b17f9 [3.1.x] Fixed #32080 -- Fixed displaying Unicode chars in forms.JSONField and read-only JSONField values in admin.
Backport of de81676b51 from master
2020-10-09 08:44:32 +02:00
Mariusz Felisiak 322f0f7012 [3.1.x] Skipped GetImageDimensionsTests.test_webp when WEBP is not installed.
Backport of fce389af7c from master
2020-10-06 11:26:30 +02:00
David Smith 12ba61ed17 [3.1.x] Bumped minimum isort version to 5.1.0.
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.

Backport of e74b3d724e from master
2020-09-30 09:51:31 +02:00
Mariusz Felisiak b7df7de44f [3.1.x] Fixed #32038 -- Fixed EmptyFieldListFilter crash with GenericRelation.
Thanks Javier Matos Odut for the report.

Backport of e4ab44a4b2 from master
2020-09-25 10:10:26 +02:00
Mariusz Felisiak fbb7881956 [3.1.x] Fixed #32012 -- Made test database creation sync apps models when migrations are disabled.
Thanks Jaap Roes for the report.
Backport of 77caeaea88 from master
2020-09-23 10:54:50 +02:00
Mariusz Felisiak 5a03e14deb [3.1.x] Refs #32007 -- Skipped test_q_expression_annotation_with_aggregation on Oracle.
Backport of 3a9f192b13 from master
2020-09-16 11:47:48 +02:00
Mariusz Felisiak 1afc9b31bb [3.1.x] Fixed #32007 -- Fixed queryset crash with Q() annotation and aggregation.
Thanks Gordon Wrigley for the report.

Regression in 8a6df55f2d.
Backport of eaf9764d3b from master
2020-09-15 11:41:42 +02:00
Mariusz Felisiak a3bb80dc31 [3.1.x] Fixed #31990 -- Fixed QuerySet.ordered for GROUP BY queries on models with Meta.ordering.
Regression in 0ddb4ebf7b.

Thanks Julien Dutriaux for the report.
Backport of e11d05e0b4 from master
2020-09-14 20:08:18 +02:00
Mariusz Felisiak 17d5b16dbf [3.1.x] Refs #31901 -- Fixed SeleniumTests.test_list_editable_popups with headless mode.
Backport of 6a881197e9 from master
2020-09-02 15:18:15 +02:00
Brian Helba c69c6886de [3.1.x] Fixed #31941 -- Corrected FileField.deconstruct() with a callable storage.
Backport of 2d42e23b6d from master
2020-09-02 11:07:43 +02:00