Commit Graph

12030 Commits

Author SHA1 Message Date
Mariusz Felisiak 0dc9c016fa [4.0.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2022-07-04 08:26:57 +02:00
Mariusz Felisiak 2b901c1be4 [4.0.x] Fixed GEOSTest.test_emptyCollections() on GEOS 3.8.0.
It's a regression in GEOS 3.8.0 fixed in GEOS 3.8.1.
Backport of 863aa7541d from main
2022-07-01 19:06:44 +02:00
Mariusz Felisiak 1c28443fc9 [4.0.x] Fixed CoveringIndexTests.test_covering_partial_index() when DEFAULT_INDEX_TABLESPACE is set.
Backport of aa8b9279e4 from main
2022-06-21 11:43:53 +02:00
Sankalp fe2e147846 [4.0.x] Fixed #33725 -- Made hidden quick filter in admin's navigation sidebar not focusable.
Regression in d915dd1c58.

Follow up to 780473d756.

Backport of 90dcf27114 from main.
2022-05-21 14:38:53 +02:00
David Wobrock 4a86883e0a [4.0.x] Fixed #33705 -- Fixed crash when using IsNull() lookup in filters.
Thanks Florian Apolloner for the report.
Thanks Simon Charette for the review.

Backport of 9f55489529 from main
2022-05-19 07:53:06 +02:00
Mariusz Felisiak 5c6ebe19cc [4.0.x] Fixed #33681 -- Made Redis client pass CACHES["OPTIONS"] to a connection pool.
Thanks Ben Picolo for the report.
Backport of d27e6b233f from main
2022-05-16 06:18:49 +02:00
Tim Graham fe2140c1c2 [4.0.x] Removed 'tests' path prefix in a couple tests.
Backport of 694cf458f1 from main
2022-05-02 07:32:00 +02:00
Jacob Walls 3f5d43ce54 [4.0.x] Refs #31026 -- Changed @jinja2_tests imports to be relative.
Backport of 03a6488116 from main
2022-05-02 06:11:32 +02:00
Mariusz Felisiak 00b0fc50e1 [4.0.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Backport of 6723a26e59 from main.
2022-04-11 09:02:58 +02:00
Mariusz Felisiak 800828887a [4.0.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f from main.
2022-04-11 09:02:14 +02:00
Manel Clos 78e553b48a [4.0.x] Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes.
Regression in 68357b2ca9.

Backport of 62739b6e26 from main.
2022-04-11 08:29:10 +02:00
Mariusz Felisiak 7d540d67a8 [4.0.x] Fixed #33598 -- Reverted "Removed unnecessary reuse_with_filtered_relation argument from Query methods."
Thanks lind-marcus for the report.

This reverts commit 0c71e0f9cf.

Regression in 0c71e0f9cf.
Backport of fac662f479 from main
2022-03-30 07:32:38 +02:00
Mariusz Felisiak efb26f1b8d [4.0.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+."
This reverts commit 1d9d082acf.
Backport of abfdb4d7f3 from main
2022-03-26 12:28:33 +01:00
Mariusz Felisiak 6a80fd1465 [4.0.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+.
See https://github.com/pallets/jinja/pull/1621.
Backport of 1d9d082acf from main
2022-03-25 08:49:57 +01:00
Mariusz Felisiak 82f25266bf [4.0.x] Fixed #33547 -- Fixed error when rendering invalid inlines with readonly fields in admin.
Regression in de95c82667.

Thanks David Glenck for the report.
Backport of 445b075def from main
2022-03-01 08:10:35 +01:00
Mariusz Felisiak 760b7e7f4f [4.0.x] Fixed #33515 -- Prevented recreation of migration for ManyToManyField to lowercased swappable setting.
Thanks Chris Lee for the report.

Regression in 4328970780.

Refs #23916.
Backport of 1e2e1be02b from main
2022-02-16 21:10:30 +01:00
Mariusz Felisiak 3278c31fa5 [4.0.x] Refs #33476 -- Refactored code to strictly match 88 characters line length.
Backport of 7119f40c98 from main.
2022-02-08 19:25:02 +01:00
django-bot 6a682b38e7 [4.0.x] Refs #33476 -- Reformatted code with Black.
Backport of 9c19aff7c7 from main.
2022-02-08 12:15:38 +01:00
Mariusz Felisiak e73ce08888 [4.0.x] Refs #33476 -- Changed quotation marks in DebugViewTests.test_template_exceptions().
This prevents a failure after reformatting the code with Black.

Backport of f68fa8b45d from main
2022-02-08 12:02:37 +01:00
Mariusz Felisiak d55a1e5809 [4.0.x] Refs #33476 -- Refactored problematic code before reformatting by Black.
In these cases Black produces unexpected results, e.g.

def make_random_password(
    self,
    length=10,
    allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
):

or

cursor.execute("""
SELECT ...
""",
    [table name],
)

Backport of c5cd878382 from main.
2022-02-03 11:38:46 +01:00
Mariusz Felisiak f9c7d48fdd [4.0.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.

Backport of fc18f36c4a from main.
2022-02-01 07:44:49 +01:00
Markus Holtermann 0142204606 [4.0.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report.

Backport of 394517f078 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-02-01 07:43:45 +01:00
Kirill Safronov 6928227dff [4.0.x] Fixed #33480 -- Fixed makemigrations crash when renaming field of renamed model.
Regression in aa4acc164d.

Backport of 97a7274468 from main
2022-02-01 07:33:22 +01:00
Mariusz Felisiak aff79be03a [4.0.x] Fixed #33468 -- Fixed QuerySet.aggregate() after annotate() crash on aggregates with default.
Thanks Adam Johnson for the report.
Backport of 71e7c8e737 from main
2022-01-31 11:34:29 +01:00
Mariusz Felisiak 7c2d4d943b [4.0.x] Fixed #33462 -- Fixed migration crash when altering type of primary key with MTI and foreign key.
This prevents duplicated operations when altering type of primary key
with MTI and foreign key. Previously, a foreign key to the base model
was added twice, once directly and once by the inheritance model.

Thanks bcail for the report.

Regression in 325d7710ce.
Backport of e972620ada from main
2022-01-27 18:52:35 +01:00
Fabian Büchler b32080219e [4.0.x] Fixed #33449 -- Fixed makemigrations crash on models without Meta.order_with_respect_to but with _order field.
Regression in aa4acc164d.

Backport of eeff1787b0 from main
2022-01-21 08:46:14 +01:00
Keryn Knight c8a6bf951b [4.0.x] Fixed #33426 -- Fixed ResolverMatch.__repr__() for class-based views.
Regression in 7c08f26bf0.

Backport of f4b06a3cc1 from main
2022-01-10 18:39:59 +01:00
Keryn Knight 2ea0321058 [4.0.x] Fixed #33425 -- Fixed view name for CBVs on technical 404 debug page.
Regression in 0c0b87725b.

Backport of 2a66c102d9 from main
2022-01-08 14:54:10 +01:00
David c959aa99aa [4.0.x] Fixed #33419 -- Restored marking forms.Field.help_text as HTML safe.
Regression in 456466d932.

Thanks Matt Westcott for the report.

Backport of 4c60c3edff from main
2022-01-07 16:12:15 +01:00
Petter Friberg 11475958f6 [4.0.x] Fixed #33410 -- Fixed recursive capturing of callbacks by TestCase.captureOnCommitCallbacks().
Regression in d89f976bdd.

Backport of bc174e6ea0 from main
2022-01-07 16:12:01 +01:00
Florian Apolloner e1592e0f26 [4.0.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
2022-01-04 10:10:14 +01:00
Florian Apolloner 2a8ec7f546 [4.0.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:10:14 +01:00
Florian Apolloner df79ef03ac [4.0.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:10:14 +01:00
Mariusz Felisiak b5f60ef5a7 [4.0.x] Refs #32355 -- Bumped required psycopg2 version to 2.8.4.
psycopg2 2.8.4 is the first release to support Python 3.8.
Backport of ca04659b4b from main
2021-12-22 20:33:49 +01:00
Simon Charette 7e6a2e3b45 [4.0.x] Fixed #33366 -- Fixed case handling with swappable setting detection in migrations autodetector.
The migration framework uniquely identifies models by case insensitive
labels composed of their app label and model names and so does the app
registry in most of its methods (e.g. AppConfig.get_model) but it
wasn't the case for get_swappable_settings_name() until this change.

This likely slipped under the radar for so long and only regressed in
b9df2b74b9 because prior to the changes
related to the usage of model states instead of rendered models in the
auto-detector the exact settings value was never going through a
case folding hoop.

Thanks Andrew Chen Wang for the report and Keryn Knight for the
investigation.

Backport of 4328970780 from main
2021-12-17 10:00:33 +01:00
Mariusz Felisiak c1d2e8b9b8 [4.0.x] Fixed #33350 -- Reallowed using cache decorators with duck-typed HttpRequest.
Regression in 3fd82a6241.

Thanks Terence Honles for the report.
Backport of 40165eecc4 from main
2021-12-16 20:14:17 +01:00
Jeremy Lainé 3b03bce122 [4.0.x] Fixed #33361 -- Fixed Redis cache backend crash on booleans.
Backport of 2f33217ea2 from main
2021-12-14 08:46:16 +01:00
Baptiste Mispelon 15031852c5 [4.0.x] Fixed #33346 -- Fixed SimpleTestCase.assertFormsetError() crash on a formset named "form".
Thanks OutOfFocus4 for the report.

Regression in 456466d932.

Backport of cb383753c0 from main.
2021-12-08 21:13:00 +01:00
Mariusz Felisiak 01c0fb9d19 [4.0.x] Updated asgiref dependency for 4.0 release series.
Backport of 513441240f from main
2021-12-07 09:55:18 +01:00
Florian Apolloner 20b9ad36ff [4.0.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd from main.
2021-12-07 06:29:34 +01:00
Mariusz Felisiak 4c5215ab03 [4.0.x] Updated translations from Transifex.
This also fixes related i18n tests.

Co-authored-by: Claude Paroz <claude@2xlibre.net>
2021-12-06 20:29:53 +01:00
Hannes Ljungberg fed7f992ac [4.0.x] Fixed #33335 -- Made model validation ignore functional unique constraints.
Regression in 3aa545281e.

Thanks Hervé Le Roy for the report.

Backport of 1eaf38fa87 from main
2021-12-06 13:28:54 +01:00
Mariusz Felisiak 7bde53a7ae [4.0.x] Refs #33333 -- Fixed PickleabilityTestCase.test_annotation_with_callable_default() crash on Oracle.
Grouping by LOBs is not allowed on Oracle. This moves a binary field to
a separate model.
Backport of d3a64bea51 from main
2021-12-04 15:55:31 +01:00
Mariusz Felisiak 2c20883cb0 [4.0.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField on PostgreSQL.
This makes models.BinaryField pickleable on PostgreSQL.

Regression in 3cf80d3fcf.

Thanks Adam Zimmerman for the report.

Backport of 2c7846d992 from main.
2021-12-03 11:58:55 +01:00
Can Sarigol d54aa49a7d [4.0.x] Fixed #33279 -- Fixed handling time zones with "-" sign in names.
Thanks yakimka for the report.

Regression in fde9b7d35e.

Backport of 661316b066 from main.
2021-11-12 11:14:08 +01:00
Mariusz Felisiak 45de30dc69 [4.0.x] Refs #33263 -- Added warning to BaseDeleteView when delete() method is overridden.
Follow up to 3a45fea083.
Backport of 6bc437c0d8 from main
2021-11-09 09:04:12 +01:00
Mariusz Felisiak b7b3bbc835 [4.0.x] Fixed #33253 -- Reverted "Fixed #32319 -- Added ES module support to ManifestStaticFilesStorage."
This reverts commit 91e21836f6.

`export` and `import` directives have several syntax variants and not
all of them were properly covered.

Thanks Hervé Le Roy for the report.
Backport of ba9ced3e9a from main
2021-11-05 12:11:59 +01:00
Carlton Gibson 499384b6d1 [4.0.x] Fixed #33237 -- Fixed detecting source maps in ManifestStaticFilesStorage for multiline files.
Switched regex to multiline mode in order to match per-line, rather
than against the whole file.

Thanks to Joseph Abrahams for the report.

Regression in 781b44240a.

Backport of 4816dc9428 from main
2021-11-04 21:41:25 +01:00
Mariusz Felisiak e2fe0429ab [4.0.x] Fixed #33234 -- Fixed autodetector crash for proxy models inheriting from non-model class.
Regression in aa4acc164d.

Thanks Kevin Marsh for the report.
Backport of dab48b7482 from main
2021-11-02 15:35:52 +01:00
David Wobrock ea00a0843e [4.0.x] Fixed #31503 -- Made autodetector remove unique/index_together before altering fields.
Backport of 0314593fe8 from main
2021-10-25 10:45:35 +02:00