Commit Graph

3107 Commits

Author SHA1 Message Date
Jacob Walls 32f1fe5f89 Fixed #29470 -- Logged makemigrations automatic decisions in non-interactive mode. 2021-10-12 15:19:39 +02:00
Ade Lee d10c7bfe56 Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels.
md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.

md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-10-12 08:58:27 +02:00
Jacob Walls f153e9214f Refs #29026 -- Added log() to makemigrations. 2021-10-05 06:57:01 +02:00
Adam Johnson 840ad06300 Refs #32355 -- Modernized subprocess.run() calls. 2021-09-27 08:20:24 +02:00
Mariusz Felisiak 05f3a6186e Refs #32193 -- Removed MemcachedCache per deprecation timeline. 2021-09-20 21:23:01 +02:00
Mariusz Felisiak d25710a625 Refs #31670 -- Removed whitelist argument and domain_whitelist attribute in EmailValidator per deprecation timeline. 2021-09-20 21:23:01 +02:00
Mariusz Felisiak 1cb495074f Refs #31546 -- Removed support for boolean values in Command.requires_system_checks.
Per deprecation timeline.
2021-09-20 21:23:01 +02:00
Daniyal ec212c6616 Fixed #33012 -- Added Redis cache backend.
Thanks Carlton Gibson, Chris Jerdonek, David Smith, Keryn Knight,
Mariusz Felisiak, and Nick Pope for reviews and mentoring this
Google Summer of Code 2021 project.
2021-09-14 15:50:08 +02:00
Andrew-Chen-Wang 301a85a12f Fixed #32076 -- Added async methods to BaseCache.
This also makes DummyCache async-compatible.
2021-09-07 20:14:25 +02:00
Nick Pope 42dfa97e19 Fixed #33060 -- Added BaseCache.make_and_validate_key() hook.
This helper function reduces the amount of duplicated code and makes it
easier to ensure that we always validate the keys.
2021-09-07 11:59:59 +02:00
Nick Pope 4b82578a60 Refs #33060 -- Ensured cache backends validate keys.
The validate_key() function should be called after make_key() to ensure
that the validation is performed on the key that will actually be
stored in the cache.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-09-07 11:59:40 +02:00
Peter Inglesby 3921b1c6d2 Refs #32363 -- Made shell ignore a missing sys.___interactivehook__.
Thanks Tim Graham for the report.

Follow up to 1bbb98d9a4.
2021-09-06 10:18:13 +02:00
Nick Pope 68b8eda788 Refs #33060 -- Added .make_key() in .touch() for dummy cache backend.
All cache operations should use make_key().
2021-09-03 10:36:14 +02:00
Daniyal Abbasi dca4c2ff76 Refs #33012 -- Moved PickleSerializer to django.core.serializers.base and added tests. 2021-09-02 11:24:55 +02:00
Stefanos I. Tsaklidis d0ea01af28 Fixed #33079 -- Fixed get_image_dimensions() on nonexistent images.
Thanks Nick Pope for the review.
2021-09-02 07:08:50 +02:00
sage 84c7c4a477 Fixed #32309 -- Added --exclude option to startapp/startproject management commands. 2021-09-01 12:08:02 +02:00
Jan Szoja b667ac24ea Fixed #25264 -- Allowed suppressing base command options in --help output.
This also suppresses -verbosity and --trackback options in the
runserver's help.
2021-08-31 11:04:02 +02:00
Mariusz Felisiak 93e06f2978
Refs #33061 -- Removed unnecessary BaseMemcachedCache.decr(). 2021-08-31 10:37:59 +02:00
Sondre Lillebø Gundersen 2c912c3488 Fixed #33061 -- Fixed handling nonexistent keys with negative deltas in incr()/decr() in memcached backends.
Thanks Chris Jerdonek for the review.
2021-08-31 07:34:53 +02:00
Mariusz Felisiak 36714be874 Refs #31621 -- Fixed handling --parallel option in test management command and runtests.py.
Regression in ae89daf46f.
Thanks Tim Graham for the report.
2021-08-19 09:18:32 +02:00
qimingmafan ee46722cb9 Fixed typo in regex for IPv6 literals in EmailValidator. 2021-08-06 12:58:55 +02:00
Jacob Walls 910ecd1b8d Fixed #29063 -- Fixed migrate crash when specifying a name of partially applied squashed migrations. 2021-08-04 09:57:32 +02:00
Jacob Walls 202d3e193a Fixed typos in migrations tests, comments, and error message. 2021-08-04 09:28:23 +02:00
David Smith 1024b5e74a Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate. 2021-07-29 06:24:12 +02:00
Wu Haotian 65b880b726 Fixed #32930 -- Fixed URLValidator when port numbers < 10. 2021-07-22 11:58:28 +02:00
Wilhelm Klopp bbf93efa19
Refs #23359 -- Corrected showmigrations help text for the --database option. 2021-07-13 06:29:21 +02:00
Allan Feldman 36fa071d6e Fixed #32889 -- Allowed per-request sync_to_async context in ASGIHandler .
By using a asgiref's ThreadSensitiveContext context manager, requests
will be able to execute independently of other requests when sync work
is involved.

Prior to this commit, a single global thread was used to execute any
sync work independent of the request from which that work was scheduled.
This could result in contention for the global sync thread in the case
of a slow sync function.

Requests are now isolated to their own sync thread.
2021-07-01 12:13:19 +02:00
Carlton Gibson 4af162d4de Refs #32144 -- Made makemessages remove temporary files on preprocessing error.
Co-authored-by: Anders Hovmöller <anders.hovmoller@dryft.se>
2021-07-01 10:11:10 +02:00
Carlton Gibson dfa7781033 Fixed #32144 -- Made makemessages remove temporary files when locale path doesn't exist. 2021-07-01 10:11:10 +02:00
Peter Inglesby 1bbb98d9a4 Fixed #32363 -- Ensured sys.__interactivehook__ is called in shell
By default, this means that readline is properly registered, so that
.python_history is used.

sys.__interactivehook__ may be set by a $PYTHONSTARTUP file.
2021-06-23 14:53:41 +02:00
Jacob Walls 501a371411 Fixed typo in makemessages error message. 2021-06-21 21:23:59 +02:00
Jacob Walls 2dfc1066a0 Fixed #25250 -- Clarified partially recorded state of squashed migrations in showmigrations --list. 2021-06-11 09:35:42 +02:00
Chris Jerdonek 7272e1963f Fixed #32821 -- Updated os.scandir() uses to use a context manager. 2021-06-07 06:52:42 +02:00
Jacob Walls ec2727efef Fixed #28154 -- Prevented infinite loop in FileSystemStorage.save() when a broken symlink with the same name exists. 2021-06-02 12:20:22 +02:00
Mariusz Felisiak e1d787f1b3 Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
2021-06-02 10:58:39 +02:00
Michael Lissner 5a8e8f80bb Fixed #32772 -- Made database cache count size once per set. 2021-05-26 11:21:11 +02:00
Carlton Gibson c2e6047c72 Fixed #32740 -- Caught possible exception when initializing colorama. 2021-05-19 10:33:15 +02:00
Mariusz Felisiak 958cdf65ae Fixed #32747 -- Prevented initialization of unused caches.
Thanks Alexander Ebral for the report.

Regression in 98e05ccde4.
2021-05-18 18:24:19 +02:00
William Schwartz de32fe83a2 Fixed #32317 -- Refactored loaddata command to make it extensible.
Moved deeply nested blocks out of inner loops to improve readability
and maintainability.

Thanks to Mariusz Felisiak, Shreyas Ravi, and Paolo Melchiorre for
feedback.
2021-05-18 07:05:33 +02:00
William Schwartz 1557778121 Refs #32317 -- Simplified find_fixtures() in loaddata command.
This always replaces 'fixture_name' with its base name, which preserves
the previous behavior, because os.path.basename() was not called only on
relative paths without os.path.sep i.e. when base name was equal to the
file name.

This also changes os.path.dirname() and os.path.basename() calls to the
equivalent os.path.split() call.
2021-05-14 20:45:04 +02:00
William Schwartz 1e655d35ad Refs #32317 -- Cleaned up try/except blocks in loaddata command.
This moves code unable to trigger relevant exceptions outside of
try/except blocks, and changes 'objects' to 'objects_in_fixture'
which is equal to the length of 'objects'.
2021-05-14 20:45:04 +02:00
Rohith PR 530f58caaa Fixed #32734 -- Fixed validation of startapp's directory with trailing slash.
Regression in fc9566d42d.
2021-05-14 12:45:00 +02:00
Mariusz Felisiak b55699968f
Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.
2021-05-13 08:53:44 +02:00
Nick Pope d06c5b3581 Fixed #32366 -- Updated datetime module usage to recommended approach.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Hasan Ramezani 028f10fac6 Fixed #32712 -- Deprecated django.utils.baseconv module. 2021-05-07 11:57:40 +02:00
Mariusz Felisiak e1e81aa1c4
Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
2021-05-06 08:45:23 +02:00
ecogels a0a5e0f4c8 Fixed #32705 -- Prevented database cache backend from checking .rowcount on closed cursor.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-05-05 12:41:59 +02:00
Florian Apolloner 0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Tim Graham 54da6e2ac2 Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. 2021-04-30 12:32:52 +02:00
Mariusz Felisiak 34d1905712
Fixed #32665 -- Fixed caches system check crash when STATICFILES_DIRS is a list of 2-tuples.
Thanks Jared Lockhart for the report.

Regression in c36075ac1d.
2021-04-21 09:41:37 +02:00