p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
26,944 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

10058 Commits

Author SHA1 Message Date
Dan Palmer 07e59caa02 [2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends. 2020-06-03 09:34:29 +02:00
Jon Dufresne 6d61860b22 [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. 2020-06-03 09:33:38 +02:00
Mariusz Felisiak 8301bc9cfa [2.2.x] Fixed E128, E741 flake8 warnings. 
Backport of 0668164b4a from master.
 2020-06-02 11:04:23 +02:00
Carlton Gibson 027840d7de [2.2.x] Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations. 
Regression in e3e48b0012.

Thanks to Shai Berger for report, reproduce and suggested fix.

Backport of dd1ca50b09 from master.
 2020-06-01 09:29:03 +02:00
Mariusz Felisiak e33220ffd8 [2.2.x] Fixed LiveWidgetTests.test_textarea_trailing_newlines() crash on Chrome 75+. 
Backport of b08a18f17b from master
 2020-05-29 09:51:42 +02:00
Claude Paroz 996be04c3c [2.2.x] Fixed #30439 -- Added support for different plural forms for a language. 
Thanks to Michal Čihař for review.
Backport of e3e48b0012 from master
 2020-03-10 16:04:58 +01:00
Mariusz Felisiak 3acffe1420 [2.2.x] Fixed GeoQuerySetTest.test_unionagg_tolerance() test on Oracle 18c. 
Backport of 5ca76baa72 from master
 2020-03-05 08:56:56 +01:00
Mariusz Felisiak fe886a3b58 [2.2.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. 
Thanks to Norbert Szetei for the report.
 2020-03-04 09:34:39 +01:00
Abhijeet Viswa 32d89bf114 [2.2.x] Fixed #31246 -- Fixed locking models in QuerySet.select_for_update(of=()) for related fields and parent link fields with multi-table inheritance. 
Partly regression in 0107e3d105.

Backport of 1712a76b9d from master.
 2020-02-11 21:37:17 +01:00
Simon Charette c67a368c16 [2.2.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. 2020-01-26 18:51:25 +01:00
Mariusz Felisiak 96d6443121 [2.2.x] Fixed timezones tests for PyYAML 5.3+. 
Backport of 8be477be5c from master
 2020-01-07 09:55:41 +01:00
Simon Charette 4d334bea06 [2.2.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests. 
Backport of 5b1fbcef7a from master.

Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
 2019-12-18 09:16:08 +01:00
Peter Andersen f33be1e8ae [2.2.x] Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs. 
Backport of 02eff7ef60 from master
 2019-12-11 09:38:49 +01:00
Carlton Gibson 36f580a17f Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. 
Thank you to Shen Ying for reporting this issue.
 2019-12-02 08:58:14 +01:00
Mariusz Felisiak 6cf3b6f5cf [2.2.x] Fixed #30953 -- Made select_for_update() lock queryset's model when using "self" with multi-table inheritance. 
Thanks Abhijeet Viswa for the report and initial patch.
Backport of 0107e3d105 from master
 2019-12-02 07:58:44 +01:00
Mariusz Felisiak 9a17ae50c6 [2.2.x] Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup. 
Regression in 98296f86b3.

Backport of e8fcdaad5c from master
 2019-11-29 11:10:59 +01:00
Baptiste Mispelon 7873d3757d [2.2.x] Fixed #31031 -- Fixed data loss in admin changelist view when formset's prefix contains regex special chars. 
Regression in b18650a263.

Backport of 52936eface from master
 2019-11-26 09:19:39 +01:00
Mariusz Felisiak 8eda248dc9 [2.2.x] Refs #29926 -- Bumped minimum tblib version to 1.5.0 in test requirements. 
Backport of 25903e41fb from master.
 2019-11-12 21:49:09 +01:00
Carlton Gibson 785d1706c4 [2.2.x] Fixed #30931 -- Restored ability to override Model.get_FIELD_display(). 
Thanks Sergey Fedoseev for the implementation idea.

Regression in a68ea23101.

Backport of 2d38eb0ab9 from master
 2019-11-04 08:17:50 +01:00
Hannes Ljungberg 7fe09e6d41 [2.2.x] Fixed #30903 -- Fixed migrations crash on PostgreSQL when adding Index with opclasses and ordering. 
Backport of fa5f3291e7 from master
 2019-10-24 09:53:33 +02:00
Mariusz Felisiak d2f02aa56b [2.2.x] Fixed #30870 -- Fixed showing that RunPython operations are irreversible by migrate --plan. 
Thanks Hasan Ramezani for the initial patch and Kyle Dickerson for the
report.

Backport of 06d34aab7c from master.
 2019-10-14 11:45:47 +02:00
Louise Grandjonc 323467e286 [2.2.x] Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform. 
Regression in 6c3dfba892.

Backport of 7d1bf29977 from master
 2019-10-11 11:52:32 +02:00
Pablo García 38af257988 [2.2.x] Fixed #30810 -- Fixed WatchmanReloaderTests.test_setting_timeout_from_environment_variable test. 
client_timeout is an instance attribute.

Backport of 2fd610eb30 from master
 2019-09-27 08:36:48 +02:00
Simon Charette 7806e45454 [2.2.x] Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation. 
This was a regression introduced by 7deeabc7c7
to address CVE-2019-14234.

Thanks Tim Kleinschmidt for the report and Mariusz for the tests.

Backport of 6c3dfba892 from master
 2019-09-16 08:53:31 +02:00
Simon Charette 964dd4f4f2 [2.2.x] Fixed #30754 -- Prevented inclusion of aliases in partial index conditions. 
SQLite doesn't repoint table aliases in partial index conditions on table
rename which breaks the documented table alteration procedure.

Thanks Pēteris Caune for the report.

Backport of 34decdebf1 from master
 2019-09-10 10:04:12 +02:00
Mariusz Felisiak 6624a3de28
[2.2.x] Fixed test_json.TestQuerying.test_key_transform_expression() on Python 3.5. 2019-08-15 19:38:12 +02:00
zeyneloz c2732e6839 [2.2.x] Fixed #30449 -- Fixed RelatedFieldListFilter/RelatedOnlyFieldListFilter to respect model's Meta.ordering. 
Regression in 6d4e5feb79.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

Backport of 00035672a4 from master
 2019-08-15 13:14:17 +02:00
Mariusz Felisiak 52a7759a49 [2.2.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params. 
Regression in 4f5b58f5cd.

Thanks Florian Apolloner for the report and helping with tests.

Backport of 1f8382d34d from master.
 2019-08-14 15:29:13 +02:00
Adnan Umer 1265a26b2f [2.2.x] Fixed #30673 -- Relaxed system check for db_table collision when database routers are installed by turning the error into a warning. 
Backport of 8d3519071e from master.
 2019-08-08 21:40:06 +02:00
Florian Apolloner cf694e6852 [2.2.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri(). 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:06:54 +02:00
Mariusz Felisiak 4f5b58f5cd [2.2.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection. 
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
 2019-07-29 11:06:54 +02:00
Florian Apolloner e34f3c0e9e [2.2.x] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:06:54 +02:00
Florian Apolloner c3289717c6 [2.2.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:00:01 +02:00
Tom Forbes 4d6449e125 [2.2.x] Fixed #30647 -- Fixed crash of autoreloader when extra directory cannot be resolved. 
Backport of fc75694257 from master.
 2019-07-24 14:38:24 +02:00
Tom Forbes 2d2859bec2 [2.2.x] Fixed #30506 -- Fixed crash of autoreloader when path contains null characters. 
Backport of 2ff517ccb6 from master.
 2019-07-23 10:41:50 +02:00
Mariusz Felisiak 1088a9777d [2.2.x] Fixed #30621 -- Fixed crash of __contains lookup for Date/DateTimeRangeField when the right hand side is the same type. 
Thanks Tilman Koschnick for the report and initial patch.
Thanks Carlton Gibson for the review.

Regression in 6b048b364c.
Backport of 7991111af1 from master
 2019-07-10 10:34:49 +02:00
Simon Charette 9dee8515d6 [2.2.x] Fixed #30628 -- Adjusted expression identity to differentiate bound fields. 
Expressions referring to different bound fields should not be
considered equal.

Thanks Julien Enselme for the detailed report.

Regression in bc7e288ca9.

Backport of ee6e93ec87 from master
 2019-07-10 08:04:45 +02:00
Carlton Gibson 77706a3e47 [2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. 
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e62f from master
 2019-07-01 07:50:48 +02:00
Mariusz Felisiak 395cf7c375 [2.2.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 database. 
Backport of 4305fbe8b1 from master
 2019-06-30 19:46:40 +02:00
Tom Forbes bdc1de2199 [2.2.x] Fixed #30588 -- Fixed crash of autoreloader when __main__ module doesn't have __file__ attribute. 
Backport of 8454f6dea4 from master
 2019-06-26 06:44:57 +02:00
Étienne Beaulé 4e6f0024f1 [2.2.x] Fixed #30542 -- Fixed crash of numerical aggregations with filter. 
Filters in annotations crashed when used with numerical-type
aggregations (i.e. Avg, StdDev, and Variance). This was caused as the
source expressions no not necessarily have an output_field (such as the
filter field), which lead to an AttributeError: 'WhereNode' object has
no attribute output_field.

Thanks to Chuan-Zheng Lee for the report.

Regression in c690afb873 and two following
commits.

Backport of 4b6dfe1622 from master.
 2019-06-05 09:15:21 +02:00
Carlton Gibson afddabf842 [2.2.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link. 
Backport of deeba6d920 from master.
 2019-06-03 11:37:28 +02:00
Tom Forbes 7089502b98 [2.2.x] Fixed #30523 -- Fixed updating file modification times on seen files in auto-reloader when using StatReloader. 
Previously we updated the file mtimes if the file has not been seen
before - i.e on the first iteration of the loop.

If the mtime has been changed we triggered the notify_file_changed()
method which in all cases except the translations will result in the
process being terminated. To be strictly correct we need to update the
mtime for either branch of the conditional.

Regression in 6754bffa2b.

Backport of 480492fe70 from master
 2019-05-29 09:43:10 +02:00
Tom Forbes ace0bec804 [2.2.x] Fixed #30516 -- Fixed crash of autoreloader when re-raising exceptions with custom signature. 
Regression in c8720e7696.

Backport of 0344565179 from master
 2019-05-29 08:30:22 +02:00
Caio Ariede 1172f078eb [2.2.x] Fixed #30315 -- Fixed crash of ArrayAgg and StringAgg with ordering when used in Subquery. 
Backport of a3f91891d2 from master.
 2019-05-28 10:39:28 +02:00
Tom Forbes 5bf2c87ece [2.2.x] Fixed #30479 -- Fixed detecting changes in manage.py by autoreloader when using StatReloader. 
Regression in c8720e7696.

Backport of b2790f74d4 from master
 2019-05-28 09:01:29 +02:00
Thomasina Lee 3d4e53bcb1 [2.2.x] Fixed #30488 -- Removed redundant Coalesce call in SQL generated by SearchVector. 
Regression in 405c836336.

Backport of c38e7a79f4 from master
 2019-05-20 09:12:32 +02:00
ruchit2801 db7d7901ee [2.2.x] Fixed #30463 -- Fixed crash of deprecation message when Meta.ordering contains expressions. 
Regression in 1b1f64ee5a.

Backport of 04042b2b44 from master
 2019-05-18 20:05:31 +02:00
Claude Paroz 34a357d519 [2.2.x] Fixed #30459 -- Delegated hide/show JS toggle to parent div. 
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>

Backport of e286987a27 from master
 2019-05-17 08:04:59 +02:00
can 58391b4d16 [2.2.x] Fixed #30412 -- Fixed crash when adding check constraints with OR'ed condition on Oracle and SQLite. 
Backport of 719b746620 from master
 2019-04-30 13:43:02 +02:00