Commit Graph

162 Commits

Author SHA1 Message Date
Tomasz Kontusz b62dc60c98 [1.8.x] Fixed ImportError message in utils.module_loading.import_string()
Backport of c2b4967e76 from master
2015-06-06 11:55:56 -04:00
zauddelig 7f92b6e576 [1.8.x] Fixed #24897 -- Allowed using choices longer than 1 day with DurationField
Backport of 262d4db8c4 from master
2015-06-02 12:42:31 -04:00
Moritz Sichert 44a05a8a91 [1.8.x] Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates.
Backport of 1f2abf784a from master
2015-03-27 20:01:41 -04:00
Tim Graham 770427c289 [1.8.x] Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
2015-03-18 19:23:21 -04:00
Tim Graham 5447709a57 [1.8.x] Fixed an infinite loop possibility in strip_tags().
This is a security fix; disclosure to follow shortly.
2015-03-18 19:23:21 -04:00
Aymeric Augustin e3953de900 [1.8.x] Normalized usage of the tempfile module.
Specifically stopped using the dir argument.

Backport of a8fe12417f from master
2015-02-23 15:26:35 -05:00
Tim Graham 2aa06e439a [1.8.x] Refs #24324 -- Fixed Python 2 test failures when path to Django source contains non-ASCII characters.
Backport of 307c0f299a from master
2015-02-17 19:05:31 -05:00
Lukas Klein 1904022f91 [1.8.x] Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454
Backport of 93b3ef9b2e from master.
2015-02-12 09:01:59 +01:00
Tim Graham a8b70d251d [1.8.x] Sorted imports with isort; refs #23860.
Backport of 0ed7d15563 from master
2015-02-09 14:24:06 -05:00
Varun Sharma b44a56c308 [1.8.x] Fixed #24181 -- Fixed multi-char THOUSAND_SEPARATOR insertion
Report and original patch by Kay Cha.
Backport of 540ca563de from master.
2015-02-08 20:09:04 +01:00
Matthew Somerville 2a55301f9f [1.8.x] Fixed #24242 -- Improved efficiency of utils.text.compress_sequence()
The function no longer flushes zfile after each write as doing so can
lead to the gzipped streamed content being larger than the original
content; each flush adds a 5/6 byte type 0 block. Removing this means
buf.read() may return nothing, so only yield if that has some data.
Testing shows without the flush() the buffer is being flushed every 17k
or so and compresses the same as if it had been done as a whole string.

Backport of caa3562d5b from master
2015-02-04 15:17:22 -05:00
Tim Graham 69b5e66738 Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:03:06 -05:00
Aymeric Augustin 79deb6a071 Accounted for multiple template engines in template responses. 2015-01-12 21:01:34 +01:00
Claude Paroz 51890ce889 Applied ignore_warnings to Django tests 2014-12-30 18:16:25 +01:00
Aymeric Augustin 6d52f6f8e6 Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
Aymeric Augustin 5c5eb5fea4 Fixed an inconsistency introduced in 547b1810.
mark_safe and mark_for_escaping should have been kept similar.

On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
2014-12-27 17:44:54 +01:00
Gavin Wahl b4e76f30d1 Fixed #23346 -- Fixed lazy() to lookup methods on the real object, not resultclasses.
Co-Authored-By: Rocky Meza <rmeza@fusionbox.com>
2014-12-26 11:30:34 -05:00
Oscar Ramirez 54085b0f9b Fixed #23998 -- Added datetime.time support to migrations questioner. 2014-12-22 07:24:54 -05:00
Marc Tamlyn 57554442fe Fixed #2443 -- Added DurationField.
A field for storing periods of time - modeled in Python by timedelta. It
is stored in the native interval data type on PostgreSQL and as a bigint
of microseconds on other backends.

Also includes significant changes to the internals of time related maths
in expressions, including the removal of DateModifierNode.

Thanks to Tim and Josh in particular for reviews.
2014-12-20 18:28:29 +00:00
Michael Hall 895dc880eb Fixed #23812 -- Changed django.utils.six.moves.xrange imports to range 2014-12-13 12:45:58 -05:00
Diego Guimarães 9f427617e4 Refs #23947 -- Worked around a bug in Python that prevents deprecation warnings from appearing in tests. 2014-12-06 14:46:01 -05:00
Berker Peksag 560b4207b1 Removed redundant numbered parameters from str.format().
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-12-03 14:27:38 -05:00
Eric Rouleau 9d1a69579b Fixed #23935 -- Converted decimals to fixed point in utils.numberformat.format 2014-12-03 07:49:06 -05:00
Aymeric Augustin b8ba73cd0c Raised SuspiciousFileOperation in safe_join.
Added a test for the condition safe_join is designed to prevent.

Previously, a generic ValueError was raised. It was impossible to tell
an intentional exception raised to implement safe_join's contract from
an unintentional exception caused by incorrect inputs or unexpected
conditions. That resulted in bizarre exception catching patterns, which
this patch removes.

Since safe_join is a private API and since the change is unlikely to
create security issues for users who use it anyway -- at worst, an
uncaught SuspiciousFileOperation exception will bubble up -- it isn't
documented.
2014-11-11 19:05:14 +01:00
Thomas Chaumeny d89f56dc4d Fixed #21281 -- Made override_settings act at class level when used as a TestCase decorator. 2014-11-03 14:14:39 -05:00
Berker Peksag f7969b0920 Fixed #23620 -- Used more specific assertions in the Django test suite. 2014-11-03 11:56:37 -05:00
Unai Zalakain c548c8d0d1 Fixed #18456 -- Added path escaping to HttpRequest.get_full_path(). 2014-11-03 07:59:19 -05:00
Markus Holtermann 98da408964 Fixed #23670 -- Prevented partial import state during module autodiscovery
Thanks kostko for the report.
2014-10-31 08:01:47 -04:00
John-Scott Atlakson dbf7a3df45 Fixed #23688 -- Updated cached_property to preserve docstring of original function 2014-10-20 17:59:07 -04:00
Jon Dufresne 54e695331b Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText.
Thanks Baptiste Mispelon for the report.
2014-10-20 17:08:29 -04:00
Thomas Chaumeny b962653060 Fixed #23664 -- Provided a consistent definition for OrderedSet.__bool__
This also defines QuerySet.__bool__ for consistency though this should not have any consequence as bool(qs) used to fallback on QuerySet.__len__ in Py3.
2014-10-16 14:16:24 +02:00
Anubhav Joshi 10b17a22be Fixed #19508 -- Implemented uri_to_iri as per RFC.
Thanks Loic Bistuer for helping in shaping the patch and Claude Paroz
for the review.
2014-10-16 02:31:17 +07:00
Florian Apolloner 3af5af1a61 Fixed remaining test failure in jslex tests. 2014-10-15 17:36:19 +02:00
Florian Apolloner 2ccbaba1f2 Added unicode_literals to the jslexer.
This ensure that ''.join(c) in jslex.py always returns text.
2014-10-15 15:09:35 +02:00
Jaap Roes 115c307184 Fixed #23613 -- Deprecated django.utils.checksums 2014-10-10 09:22:20 -04:00
Thomas Chaumeny b2aad7b836 Replaced set([foo, ...]) by {foo, ...} literals. Refs PR 3282.
Thanks Collin Anderson for the review.
2014-09-29 00:01:38 +07:00
Loic Bistuer 3c6ac0bab8 Consolidated some text utils into the utils_tests test package. 2014-09-23 19:45:59 +07:00
Claude Paroz b9d9287f59 Fixed urlize after smart_urlquote rewrite
Refs #22267.
2014-09-09 21:59:35 +02:00
Claude Paroz 4b8a1d2c0d Fixed #22267 -- Fixed unquote/quote in smart_urlquote
Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.
2014-09-09 21:58:07 +02:00
Thomas Chaumeny 032c091659 Fixed #23388 -- Made django.utils.timezone.override usable as a decorator 2014-08-31 09:03:53 +02:00
Ian Foote 03d89168a2 Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. 2014-08-22 20:07:12 -04:00
Tim Graham e122facbd8 Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter.
Also the unused, undocumented django.utils.html.strip_entities() function.
2014-08-15 08:20:02 -04:00
Tim Graham c2ab501bab Fixed test failure on Windows.
os.close(fd) is needed to avoid "The process cannot access the file
because it is being used by another process"
2014-07-30 14:31:59 -04:00
Tim Graham 57d2b3f2a7 Fixed bad usage of rstrip() that caused test failure.
If the temporary file name contained a p or y as its last
characters, it would be stripped. refs #23083.
2014-07-25 15:16:47 -04:00
Tim Graham b8cb5ba708 Fixed #23083 -- Fixed runserver reloading when deleting a file.
Thanks Collin Anderson for the report and hirokiky for the fix.
2014-07-25 13:23:52 -04:00
Claude Paroz 4e424084e6 Fixed #22991 -- Prevented *.pyc files in autoreload monitoring
This fixes a regression introduced in 6d302f639.
Thanks lorinkoz at gmail.com for the report, Collin Anderson
for the initial patch and Simon Charette for the review.
2014-07-15 09:57:54 +02:00
Tim Graham 38e001ab6c Fixed #22789 -- Deprecated django.contrib.webdesign.
Moved the {% lorem %} tag to built-in tags.
2014-07-14 08:45:19 -04:00
Tim Graham fddd95254e Fixed flake8 errors. 2014-07-07 19:12:39 -04:00
Tim Graham 89b9e6e5d6 Fixed #22909 -- Removed camelCasing in some tests.
Thanks brylie.
2014-07-07 19:08:42 -04:00
Claude Paroz 6d302f6396 Fixed pyinotify performance regression in 15f82c7011
Refs #9722. Thanks Tim Graham for the review.
2014-07-06 21:41:02 +02:00