e1d787f1b3
Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
...
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
2021-06-02 10:58:39 +02:00
5a8e8f80bb
Fixed #32772 -- Made database cache count size once per set.
2021-05-26 11:21:11 +02:00
c2e6047c72
Fixed #32740 -- Caught possible exception when initializing colorama.
2021-05-19 10:33:15 +02:00
958cdf65ae
Fixed #32747 -- Prevented initialization of unused caches.
...
Thanks Alexander Ebral for the report.
Regression in 98e05ccde4
2021-05-18 18:24:19 +02:00
de32fe83a2
Fixed #32317 -- Refactored loaddata command to make it extensible.
...
Moved deeply nested blocks out of inner loops to improve readability
and maintainability.
Thanks to Mariusz Felisiak, Shreyas Ravi, and Paolo Melchiorre for
feedback.
2021-05-18 07:05:33 +02:00
1557778121
Refs #32317 -- Simplified find_fixtures() in loaddata command.
...
This always replaces 'fixture_name' with its base name, which preserves
the previous behavior, because os.path.basename() was not called only on
relative paths without os.path.sep i.e. when base name was equal to the
file name.
This also changes os.path.dirname() and os.path.basename() calls to the
equivalent os.path.split() call.
2021-05-14 20:45:04 +02:00
1e655d35ad
Refs #32317 -- Cleaned up try/except blocks in loaddata command.
...
This moves code unable to trigger relevant exceptions outside of
try/except blocks, and changes 'objects' to 'objects_in_fixture'
which is equal to the length of 'objects'.
2021-05-14 20:45:04 +02:00
530f58caaa
Fixed #32734 -- Fixed validation of startapp's directory with trailing slash.
...
Regression in fc9566d42d
2021-05-14 12:45:00 +02:00
b55699968f
Fixed #32718 -- Relaxed file name validation in FileField.
...
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb3691
2021-05-13 08:53:44 +02:00
d06c5b3581
Fixed #32366 -- Updated datetime module usage to recommended approach.
...
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
028f10fac6
Fixed #32712 -- Deprecated django.utils.baseconv module.
2021-05-07 11:57:40 +02:00
e1e81aa1c4
Fixed #32713 , Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
...
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
2021-05-06 08:45:23 +02:00
a0a5e0f4c8
Fixed #32705 -- Prevented database cache backend from checking .rowcount on closed cursor.
...
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-05-05 12:41:59 +02:00
0b79eb3691
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
2021-05-04 08:44:42 +02:00
54da6e2ac2
Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.
2021-04-30 12:32:52 +02:00
34d1905712
Fixed #32665 -- Fixed caches system check crash when STATICFILES_DIRS is a list of 2-tuples.
...
Thanks Jared Lockhart for the report.
Regression in c36075ac1d
2021-04-21 09:41:37 +02:00
823a9e6bac
Fixed #32416 -- Made ThreadedWSGIServer close connections after each thread.
...
ThreadedWSGIServer is used by LiveServerTestCase.
2021-04-12 10:23:56 +02:00
db5b75f10f
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
...
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
2021-03-30 19:59:24 +02:00
474cc420bf
Refs #32508 -- Raised Type/ValueError instead of using "assert" in django.core.
2021-03-19 08:04:37 +01:00
dba44a7a7a
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
2021-03-18 20:00:22 +01:00
ec0ff40631
Fixed #32355 -- Dropped support for Python 3.6 and 3.7
2021-02-10 10:20:54 +01:00
9c6ba87692
Fixed #32145 -- Improved makemessages error message when app's locale directory doesn't exist.
2021-02-09 20:00:20 +01:00
8e90560aa8
Fixed #32420 -- Fixed detecting primary key values in deserialization when PK is also a FK.
2021-02-05 12:33:43 +01:00
3f8979e37b
Fixed #32350 -- Fixed showmigrations crash for applied squashed migrations.
...
Thanks Simon Charette for reviews.
2021-02-04 21:17:26 +01:00
f23b05696e
Fixed #32395 -- Allowed capturing stdout of migration signals.
2021-02-04 11:19:49 +01:00
b1821fbad5
Fixed #32360 -- Added system check for FILE_UPLOAD_TEMP_DIR setting.
2021-01-22 07:51:00 +01:00
8c7ff7b8cf
Removed unreachable SystemExit check.
...
This check dates back to Python <2.5, before Python introduced
BaseException to prevent exactly unwarranted catching of SystemExit
(and others).
response_for_exception() is only called under `except Exception` or
`except Http404` so it's now impossible for a SystemExit instance to
reach the branch.
2021-01-19 07:04:53 +01:00
34aa4f1997
Fixed #32296 -- Added --skip-checks option to runserver command.
2021-01-18 12:51:35 +01:00
88e972e46d
Fixed #32265 , Refs #32355 -- Removed unnecessary ServerHandler.handle_error().
...
ConnectionAbortedError, BrokenPipeError, ConnectionResetError raised
from SocketServer.BaseServer.finish_request() are already suppressed
by wsgiref.handlers.BaseHandler.run() in Python 3.7+, see
47ffc1a9f6
2021-01-16 17:37:53 +01:00
0aa6a602b2
Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting.
...
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
d32a232fe9
Refs #27468 -- Removed support for the pre-Django 3.1 signatures in Signer and signing.dumps()/loads().
...
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
52a238ddf2
Refs #30165 -- Removed ugettext(), ugettext_lazy(), ugettext_noop(), ungettext(), and ungettext_lazy() per deprecation timeline.
2021-01-14 17:50:04 +01:00
c412d9af7e
Fixed #32291 -- Added fixtures compression support to dumpdata.
2021-01-12 15:47:58 +01:00
ba3fb2e4d0
Refs #32311 -- Fixed CSRF_FAILURE_VIEW system check errors code.
2021-01-12 11:22:13 +01:00
64331419c8
Fixed #32311 -- Added system check for CSRF_FAILURE_VIEW setting.
2021-01-12 09:44:36 +01:00
102d92fc09
Refs #32191 -- Added Signer.sign_object()/unsign_object().
...
Co-authored-by: Craig Smith <hello@craigiansmith.com.au>
2021-01-06 20:16:47 +01:00
b41d38ae26
Fixed #32298 -- Fixed URLValidator hostname length validation.
...
URLValidator now validates the maximum length of a hostname without
the userinfo and port.
2021-01-04 09:25:40 +01:00
98ad327864
Fixed #32299 -- Prevented mutating handlers when processing middlewares marking as unused in an async context.
...
Thanks Hubert Bielenia for the report.
2020-12-29 09:04:35 +01:00
ce30e750e6
Used model's Options.label where applicable.
...
Follow up to b7a3a6c9ef
2020-12-29 08:56:39 +01:00
bb64b99b78
Fixed #29867 -- Added support for storing None value in caches.
...
Many of the cache operations make use of the default argument to the
.get() operation to determine whether the key was found in the cache.
The default value of the default argument is None, so this results in
these operations assuming that None is not stored in the cache when it
actually is. Adding a sentinel object solves this issue.
Unfortunately the unmaintained python-memcached library does not support
a default argument to .get(), so the previous behavior is preserved for
the deprecated MemcachedCache backend.
2020-12-17 09:57:21 +01:00
593829a5ab
Fixed typo in django/core/cache/backends/base.py docstring.
2020-12-15 07:05:02 +01:00
772eca0b02
Fixed #32240 -- Made runserver suppress ConnectionAbortedError/ConnectionResetError errors.
...
See https://bugs.python.org/issue27682 and
https://github.com/python/cpython/pull/9713
2020-12-14 20:46:18 +01:00
cf2ca22a57
Ensured that registered checks accept keyword arguments.
2020-12-14 18:08:37 +01:00
5ce31d6a71
Fixed #32193 -- Deprecated MemcachedCache.
2020-12-09 21:27:32 +01:00
98e05ccde4
Fixed #32233 -- Cleaned-up duplicate connection functionality.
2020-12-08 08:55:44 +01:00
148702e725
Refs #21012 -- Removed unnecessary _create_cache() hook.
...
This removes unused (since d038c547b5
2020-12-07 17:44:16 +01:00
f63f3cdf09
Fixed #29712 -- Made makemessages warn if locales have hyphens and skip them.
2020-11-13 09:25:42 +01:00
f1585c54d0
Fixed #31216 -- Added support for colorama terminal colors on Windows.
...
Modern setups on Windows support terminal colors.
The colorama library may also be used, as an
alternative to the ANSICON library.
2020-11-11 14:27:10 +01:00
b7f500396e
Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys.
...
Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews.
2020-11-11 12:45:34 +01:00
721c95ba0b
Fixed #32180 -- Added system check for file system caches absolute location.
2020-11-11 11:04:52 +01:00
c0fc5ba380
Fixed #32183 -- Fixed shell crash when passing code with nested scopes.
2020-11-11 09:18:26 +01:00
cc22693505
Fixed #32177 -- Made execute_from_command_line() use program name from the argv argument.
...
This caused crash in environments where sys.argv[0] is incorrectly set
to None.
2020-11-10 08:16:53 +01:00
c36075ac1d
Fixed #31983 -- Added system check for file system caches location.
...
Thanks Johannes Maron and Nick Pope for reviews.
2020-11-04 20:30:23 +01:00
f06beea929
Fixed #32153 -- Fixed management commands when using required list options.
...
Thanks Mark Gajdosik for the report and initial patch.
2020-10-30 12:01:33 +01:00
302caa40e4
Made small readability improvements.
2020-10-28 20:20:20 +01:00
e17ee44688
Fixed #32128 -- Added asgiref 3.3 compatibility.
...
Thread sensitive parameter is True by default from asgiref v3.3.0.
Added an explicit thread_sensitive=False to previously implicit uses.
2020-10-27 11:24:07 +01:00
f1f24539d8
Fixed #32094 -- Fixed flush() calls on management command self.stdout/err proxies.
2020-10-09 12:59:00 +02:00
4c675523bd
Refs #29838 , Refs #28507 -- Made make_hashable() ignore key order.
2020-10-05 20:42:46 +02:00
6eb3f53bdd
Fixed #32047 -- Fixed call_command() crash if a constant option from required mutually exclusive group is passed in options.
2020-09-30 20:10:38 +02:00
11c4a4412b
Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads.
...
This patch allows upload handlers to handle interrupted uploads.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-09-30 10:30:43 +02:00
e387f191f7
Fixed #31777 -- Added support for database collations to Char/TextFields.
...
Thanks Simon Charette and Mariusz Felisiak for reviews.
2020-09-21 18:24:56 +02:00
b376297d6c
Tweaked loaddata command to re-use a calculated value.
...
Removed a dublicated call to get_public_serializer_formats which
had already populated self.serialization_formats.
Thanks to Nick Pope for review.
2020-09-17 10:49:54 +02:00
b4d46df5ca
Fixed #29887 -- Added a cache backend for pymemcache.
2020-09-16 09:40:30 +02:00
7be6a6a4d6
Fixed #31989 -- Fixed return value of django.core.files.locks.lock()/unlock() on POSIX systems.
2020-09-15 10:21:26 +02:00
2808cdc8fb
Fixed #31962 -- Made SessionMiddleware raise SessionInterrupted when session destroyed while request is processing.
2020-09-09 09:04:28 +02:00
a629139425
Refs #29887 , Refs #24212 -- Added servers configuration hook for memcached backends.
...
The servers property can be overridden to allow memcached backends to
alter the server configuration prior to it being passed to instantiate
the client. This allows avoidance of documentation for per-backend
differences, e.g. stripping the 'unix:' prefix for pylibmc.
2020-09-02 08:51:17 +02:00
cc1f2c6a19
Refs #29887 -- Simplified memcached client instantiation.
2020-09-01 10:51:00 +02:00
1853724aca
Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
2020-09-01 09:17:23 +02:00
8d7271578d
Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
...
Thanks WhiteSage for the report.
2020-09-01 09:17:23 +02:00
b5acb9db75
Fixed #31907 -- Fixed missing validate_key() calls in cache backends.
2020-08-24 09:41:21 +02:00
e2013b260a
Refs #29887 , #27480 -- Moved touch() to BaseMemcachedCache.
2020-08-20 09:00:21 +02:00
0cb0d59b23
Fixed comments related to nonexistent keys for incr()/decr() in memcached backends.
2020-08-20 08:58:50 +02:00
61a0ba43cf
Refs #31811 -- Added optional timing outputs to the test runner.
2020-08-13 17:17:15 +02:00
0a306f7da6
Fixed #25513 -- Extracted admin pagination to Paginator.get_elided_page_range().
2020-08-06 12:38:56 +02:00
d907371ef9
Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.
...
It's a transitional setting helpful in migrating multiple instance of
the same project to Django 3.1+.
Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
2020-08-04 09:35:24 +02:00
e74b3d724e
Bumped minimum isort version to 5.1.0.
...
Fixed inner imports per isort 5.
isort 5.0.0 to 5.1.0 was unstable.
2020-07-30 10:58:59 +02:00
95da207bdb
Fixed #28507 -- Made ValidationError.__eq__() ignore messages and params ordering.
...
Co-authored-by: caleb logan <clogan202@gmail.com>
2020-07-29 12:04:13 +02:00
948a874425
Fixed #29324 -- Made SECRET_KEY validation lazy (on first access).
2020-07-29 09:06:54 +02:00
83fbaa9231
Fixed #31806 -- Made validators include the value in ValidationErrors.
2020-07-27 13:03:26 +02:00
cc3d24d7d5
Removed redundant forms.DecimalField.validate() in favor of DecimalValidator.
2020-07-27 12:07:53 +02:00
41065cfed5
Fixed #31802 -- Added system check for non-integer SITE_ID.
2020-07-24 10:41:55 +02:00
796be5901a
Fixed #31769 -- Improved default naming of merged migrations.
...
47 gives 60 in total (47 + 5 + 5 + 3).
2020-07-20 15:04:22 +02:00
96a3ea39ef
Fixed #31784 -- Fixed crash when sending emails on Python 3.6.11+, 3.7.8+, and 3.8.4+.
...
Fixed sending emails crash on email addresses with display names longer
then 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
Wrapped display names were passed to email.headerregistry.Address()
what caused raising an exception because address parts cannot contain
CR or LF.
See https://bugs.python.org/issue39073
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-07-20 07:10:40 +02:00
9a54a9172a
Fixed typo in django/core/management/templates.py docstring.
2020-06-24 21:46:01 +02:00
02ea98bc2f
Refs #31692 -- Fixed compilemessages crash on Windows with Python < 3.8.
...
Regression in ed0a040773https://bugs.python.org/issue31961
2020-06-23 11:14:27 +02:00
6e5041f57c
Removed unused param_dict return from URLResolver.resolve_error_handler().
...
Unused since its introduction in ed114e1510
2020-06-22 21:28:56 +02:00
e62d55a4fe
Fixed #31692 -- Prevented unneeded .po file compilation.
...
Thanks Nick Pope and Simon Charette for the reviews.
2020-06-22 08:44:16 +02:00
ed0a040773
Refs #31692 -- Updated compilemessages and tests to use pathlib.
2020-06-22 08:33:00 +02:00
f386454d13
Fixed #31728 -- Fixed cache culling when no key is found for deletion.
...
DatabaseCache._cull implementation could fail if no key was found to
perform a deletion in the table. This prevented the new cache key/value
from being correctly added.
2020-06-22 06:29:35 +02:00
27c09043da
Refs #31670 -- Renamed whitelist argument and attribute of EmailValidator.
2020-06-18 21:43:20 +02:00
47651eadb8
Fixed #30583 -- Fixed handling JSONFields in XML serializer.
...
Co-authored-by: Chason Chaffin <chason@gmail.com>
2020-06-17 11:12:18 +02:00
78c811334c
Refs #30190 -- Minor edits to JSONL serializer.
...
Follow up to e29637681b
2020-06-17 07:59:40 +02:00
e29637681b
Fixed #30190 -- Added JSONL serializer.
2020-06-16 16:51:58 +02:00
2928019e0c
Fixed #31645 -- Enhanced the migration warning for migrate commmand.
...
Added the list of apps with changes not reflected in migrations.
2020-06-12 10:26:06 +02:00
07506a6114
Fixed #31661 -- Removed period in makemigrations history check warning.
2020-06-08 06:46:23 +02:00
926148ef01
Fixed #31654 -- Fixed cache key validation messages.
2020-06-05 07:21:52 +02:00
f997b5e6ae
Refs #5086 -- Removed unused only_django argument from sql_flush().
...
Unused (always True) since its introduction in 132605d889
2020-06-04 11:59:47 +02:00
e24b63fe85
Refs #31630 -- Removed DatabaseFeatures.can_introspect_autofield.
2020-06-04 08:27:46 +02:00
dbdc192ca3
Preferred usage of among/while to amongst/whilst.
2020-06-03 21:02:48 +02:00
2c82414914
Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.
2020-06-03 09:24:26 +02:00
Mariusz Felisiak
Michael Lissner
Carlton Gibson
William Schwartz
Rohith PR
Nick Pope
Hasan Ramezani
ecogels
Florian Apolloner
Tim Graham
Chris Jerdonek
bankc
Daniyal
Josh Santos
Mikolaj Rybinski
Daniel Ebrahimian
Simon Charette
Timothy McCurrach
Adam Johnson
Paolo Melchiorre
Akshat1Nar
Nick Pope
Abhishek Ghaskata
Petter Strandmark
manav014
MinchinWeb
Artem Kosenko
Carles Pina i Estany
christa
Martin Thoma
Thomas Riccardi
aryan
Tom Carrick
Владимир Лысенко
Ahmad A. Hussein
David Smith
Florian Apolloner
Jon Dufresne
Parth Verma
excursus
Claude Paroz
Guillermo Bonvehí
Ali Vakilzade
Chinmoy Chakraborty
davidchorpash
Dan Palmer