Commit Graph

17378 Commits

Author SHA1 Message Date
Simon Charette 384ac0990f Refs #32061 -- Prevented password leak on MySQL dbshell crash.
The usage of the --password flag when invoking the mysql CLI has the
potential of exposing the password in plain text if the command happens
to crash due to the inclusion of args provided to
subprocess.run(check=True) in the string representation of the
subprocess.CalledProcessError exception raised on non-zero return code.

Since this has the potential of leaking the password to logging
facilities configured to capture crashes (e.g. sys.excepthook, Sentry)
it's safer to rely on the MYSQL_PWD environment variable instead even
if its usage is discouraged due to potential leak through the ps
command on old flavors of Unix.

Thanks Charlie Denton for reporting the issue to the security team.

Refs #24999.
2020-10-30 10:12:52 +01:00
Simon Charette bbe6fbb876 Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-29 22:22:58 +01:00
Christian Klus 4ac2d4fa42 Fixed #32152 -- Fixed grouping by subquery aliases.
Regression in 42c08ee465.

Thanks Simon Charette for the review.
2020-10-29 09:56:09 +01:00
Martin Thoma 302caa40e4 Made small readability improvements. 2020-10-28 20:20:20 +01:00
Hasan Ramezani 4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables.
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-10-28 14:21:53 +01:00
Gagan Deep 982e860b73 Fixed #32062 -- Added %b support to Date.strftime.
This enables the admin to display the month as locale's abbreviated
name if %b is used in the date format.
2020-10-28 11:11:37 +01:00
Simon Charette 8593e162c9 Fixed #32143 -- Used EXISTS to exclude multi-valued relationships.
As mentioned in the pre-existing split_exclude() docstring EXISTS is
easier to optimize for query planers and circumvents the IN (NULL)
handling issue.
2020-10-28 07:22:00 +01:00
Simon Charette bbf141bcdc Refs #27149 -- Fixed sql.Query identity.
By making Query subclass BaseExpression in
3543129822 the former defined it's
identity based off _construct_args which is not appropriate.
2020-10-28 07:21:53 +01:00
alvinshaita 556fa4bbba Fixed #1891, Fixed #11707 -- Prevented duplicates with limit_choices_to on multi-value relations. 2020-10-27 20:40:04 +01:00
Josh Santos 36bc47069c Fixed #32127 -- Fixed admin change-form textarea layout for mid-sized displays. 2020-10-27 16:06:11 +01:00
Carlton Gibson e17ee44688 Fixed #32128 -- Added asgiref 3.3 compatibility.
Thread sensitive parameter is True by default from asgiref v3.3.0.
Added an explicit thread_sensitive=False to previously implicit uses.
2020-10-27 11:24:07 +01:00
Nguyen You 0b4fe82c74
Improved naming consistency in BaseManage.contribute_to_class().
Matches signatures of other contribute_to_class() methods.
2020-10-27 10:51:03 +01:00
Tim Graham 7734337bcb Made OracleSpatialAdapter clone geometries rather than mutate them. 2020-10-27 07:14:16 +01:00
Hannes Ljungberg 10f8b82d19 Fixed #29497 -- Fixed loss of assigned parent when saving child with bulk_create() after parent. 2020-10-26 12:00:34 +01:00
dokgeppo 6014fd89b3
Fixed #32138 -- Prevented admin's map from covering other widgets. 2020-10-26 08:35:55 +01:00
Jon Dufresne b2717c7532
Simplifed formset iteration using enumerate(). 2020-10-26 08:02:38 +01:00
Adam Johnson a56586eafe Fixed #32134 -- Fixed crash of __range lookup with namedtuple.
Regression in 8be79984dc.

Thanks Gordon Wrigley for the report.
2020-10-23 18:01:31 +02:00
Tim Graham 755dbf39fc Replaced @no_oracle skips with DatabaseFeatures.allows_group_by_lob. 2020-10-22 18:16:58 +02:00
Carlton Gibson ad11f5b8c9 Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior. 2020-10-22 14:15:19 +02:00
Mariusz Felisiak 3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
2020-10-22 13:21:14 +02:00
Étienne Beaulé 509d9da26f Fixed #26390 -- Disabled grouping by Random().
Thanks to Tzu-ping Chung for the tests.
2020-10-21 20:54:53 +02:00
Carlton Gibson 257f8495d6 Fixed #32069 -- Fixed admin change-form layout on small screens.
Restored flex-wrap CSS declaration to form elements at smallest breakpoint.
This was present since the responsive admin was introduced in dc37e8846e.
Regression in 8ee4bb6ffc, where it was accidentally removed.
2020-10-21 15:06:43 +02:00
manav014 096b14f0ac Fixed #13060 -- Improved error message when ManagementForm data is missing. 2020-10-21 11:47:07 +02:00
Tom Carrick f5e07601b2 Fixed #32046 -- Added CreateCollation/RemoveCollation operations for PostgreSQL. 2020-10-21 10:53:44 +02:00
Jacob Walls 0362b0e986 Fixed #26615 -- Made password reset token invalidate when changing email.
Co-Authored-By: Silas Barta <sbarta@gmail.com>
2020-10-21 09:29:53 +02:00
Hannes Ljungberg 0e7a45fca0 Fixed #32126 -- Fixed grouping by Case() annotation without cases.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
2020-10-21 07:22:52 +02:00
Hannes Ljungberg f7963615eb Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
2020-10-20 07:23:51 +02:00
Tim Graham ede9fac758
Fixed #32120 -- Added DatabaseFeatures.indexes_foreign_keys. 2020-10-20 06:22:56 +02:00
Herbert Poul c897b1587c Fixed #32108 -- Made transaction.on_commit() raise TypeError when callback is not a callable. 2020-10-19 20:46:13 +02:00
Hasan Ramezani 3b1746d519 Fixed #32107 -- Fixed ProtectedError.protected_objects and RestrictedError.restricted_objects.
Regression in 4ca5c565f4 and
ab3cbd8b9a.

Thanks Vitaliy Yelnik for the report.
2020-10-19 12:43:32 +02:00
Tim Graham 0eee5c1b9c
Added DatabaseFeatures.can_alter_geometry_field. 2020-10-19 12:41:52 +02:00
Hannes Ljungberg c7c7615d00 Fixed #32116 -- Fixed QuerySet.order_by() crash on EmptyQuerySet with union() on a single non-empty ordered queryset. 2020-10-19 08:36:07 +02:00
manav014 af87574a3c Fixed #6517 -- Made dbshell use charset option on MySQL.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-10-17 12:24:36 +02:00
Mariusz Felisiak 1fb97fb965
Refs #32096 -- Made JSONField check respect Meta.required_db_vendor.
Thanks Simon Charette for the implementation idea.
2020-10-15 22:05:16 +02:00
Chris Jerdonek a492ccf0bc Refs #31672 -- Simplified ExceptionReporter.get_traceback_frames(). 2020-10-15 20:23:44 +02:00
Çağıl Uluşahin 9159d173c3 Fixed #25253 -- Made AlterField operation a noop when changing attributes that don't affect the schema. 2020-10-15 20:11:07 +02:00
Aarni Koskela 68e33b347d Fixed #32105 -- Added template paths as ExceptionReporter class attributes.
This allows replacement of the debugging templates without having to
copy-paste the `get_traceback_html` and `get_traceback_text` functions
into a subclass.

Thanks to Nick Pope for review.
2020-10-15 13:56:15 +02:00
Mariusz Felisiak ee0abac169 Refs #32096 -- Fixed ExclusionConstraint crash with JSONField key transforms in expressions.
Regression in 6789ded0a6.
2020-10-14 20:56:04 +02:00
Mariusz Felisiak bbd55e5863 Refs #32096 -- Fixed ExpressionWrapper crash with JSONField key transforms.
Regression in 6789ded0a6.

Thanks Simon Charette and Igor Jerosimić for the report.
2020-10-14 20:56:04 +02:00
Mariusz Felisiak 7e1e198494 Refs #32096 -- Fixed __in lookup crash against key transforms for JSONField.
Regression in 6789ded0a6 and
1251772cb8.

Thanks Simon Charette and Igor Jerosimić for the report.
2020-10-14 20:56:04 +02:00
Mariusz Felisiak 1f31027bb3 Refs #32096 -- Fixed crash of ArrayAgg/StringAgg/JSONBAgg with ordering over JSONField key transforms.
Regression in 6789ded0a6.

Thanks Igor Jerosimić for the report.
2020-10-14 20:56:04 +02:00
David-Wobrock ee005328c8 Fixed #31640 -- Made Trunc() truncate datetimes to Date/TimeField in a specific timezone. 2020-10-14 20:06:26 +02:00
David-Wobrock a0571c1003 Refs #31640 -- Made Extract raise ValueError when using tzinfo with Date/TimeField. 2020-10-14 20:03:07 +02:00
Matthias Kestenholz b26ec77deb
Updated the link documenting the de_CH number formats. 2020-10-14 14:37:26 +02:00
Jacob Walls ac6c426007 Fixed #20601 -- Allowed forcing format with thousand separators in floatformat filter.
Thanks Claude Paroz and Nick Pope for reviews.
2020-10-13 10:36:46 +02:00
Marco Richetta e92971ccb0
Removed unnecessary check in BaseModelAdmin.get_view_on_site_url(). 2020-10-13 06:28:14 +02:00
Hasan Ramezani 78ae8cc5d8 Fixed #31674 -- Fixed displaying traceback in technical 500 debug page.
Previously, the technical 500 debug page didn't contain a traceback
when the exception chain contained an exception without traceback.

Thanks Chris Jerdonek for the report.
2020-10-12 10:25:36 +02:00
Sultan 6599608c4d
Fixed #32098 -- Made FieldFile use FileField.attname.
After a93425a37f FileDescriptor is a
subclass of DeferredAttribute and uses FileField.attname to access the
field data, so that custom subclasses can not only save data to files,
but also represent the same data with a different data type by
attaching FileFiled.name to a particular descriptor.

Follow up to a93425a37f.
2020-10-12 07:22:59 +02:00
nik258heda 079deba530 Fixed #32087 -- Made technical 500 debug page use HTTPS for sharing traceback. 2020-10-12 06:29:36 +02:00
Thomas Riccardi f1f24539d8 Fixed #32094 -- Fixed flush() calls on management command self.stdout/err proxies. 2020-10-09 12:59:00 +02:00