p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
27,062 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

10099 Commits

Author SHA1 Message Date
Mariusz Felisiak 29a6c98b4c [2.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL. 
Backport of 6723a26e59 from main.
 2022-04-11 09:23:12 +02:00
Mariusz Felisiak 2c09e68ec9 [2.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. 
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.

Backport of 93cae5cb2f from main.
 2022-04-11 09:22:17 +02:00
Mariusz Felisiak 2801f29dad [2.2.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+." 
This reverts commit 1d9d082acf.
Backport of abfdb4d7f3 from main
 2022-03-26 12:29:29 +01:00
Mariusz Felisiak e03648f09c [2.2.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+. 
See https://github.com/pallets/jinja/pull/1621.
Backport of 1d9d082acf from main
 2022-03-25 08:54:13 +01:00
Mariusz Felisiak c477b76180 [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. 
Thanks Alan Ryan for the report and initial patch.

Backport of fc18f36c4a from main.
 2022-02-01 07:57:28 +01:00
Markus Holtermann c27a7eb9f4 [2.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. 
Thanks Keryn Knight for the report.

Backport of 394517f078 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-02-01 07:56:29 +01:00
Florian Apolloner 4cb35b384c [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. 
Thanks to Dennis Brinkrolf for the report.
 2022-01-04 10:20:31 +01:00
Florian Apolloner c9f648ccfa [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. 
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:20:31 +01:00
Florian Apolloner 2135637fdd [2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. 
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:20:31 +01:00
Florian Apolloner 7cf7d74e8a [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths. 
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd from main.
 2021-12-07 07:02:14 +01:00
Mariusz Felisiak 05bc1c81aa [2.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on Python 3.9.7+. 
Thanks Michał Górny for the report.

Backport of 50ed545e2f from main.
 2021-09-02 11:06:10 +02:00
Mariusz Felisiak 837ffcfa68
[2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required. 2021-06-21 13:06:31 +02:00
Mariusz Felisiak f27c38ab5d [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses. 
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
 2021-06-02 10:26:22 +02:00
Florian Apolloner 053cc9534d [2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView. 2021-06-02 10:26:22 +02:00
Mariusz Felisiak 63f0d7a0f6 [2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fields.test_filefield tests on Python 3.5. 2021-05-14 06:59:11 +02:00
Mariusz Felisiak b8ecb06436 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField. 
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.

Backport of b55699968f from main.
 2021-05-13 09:00:25 +02:00
Mariusz Felisiak d9594c4ea5 [2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4 from main.
 2021-05-06 08:53:27 +02:00
Carlton Gibson 163700388c [2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows. 
The validate_file_name() sanitation introduced in
0b79eb3691 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2a to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.

Backport of a708f39ce6 from main
 2021-05-06 07:44:15 +02:00
Florian Apolloner 04ac1624bd [2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-27 19:10:08 +02:00
Mariusz Felisiak 4036d62bda [2.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files. 
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.

Backport of d4d800ca1a from main.
 2021-04-06 08:38:19 +02:00
Nick Pope fd6b6afd59 [2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl(). 2021-02-18 10:27:25 +01:00
Mariusz Felisiak 21e7622dec [2.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract(). 
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.

Thanks Wang Baohua for the report.

Backport of 05413afa8c from master.
 2021-02-01 09:14:54 +01:00
Mariusz Felisiak ee9d623831 [2.2.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 database. 
Backport of 135c800fe6 from master
 2021-01-29 11:03:59 +01:00
Max Smolens e893c0ad8b [2.2.x] Fixed #31850 -- Fixed BasicExtractorTests.test_extraction_warning with xgettext 0.21+. 
"format string with unnamed arguments cannot be properly localized"
warning is not raised in xgettext 0.21+.

This patch uses a message that causes an xgettext warning regardless of
the version.

Backport of 07a30f5616 from master
 2020-11-02 10:30:40 +01:00
Jon Dufresne 01742aa932 [2.2.x] Refs #31040 -- Fixed Python PendingDeprecationWarning in select_for_update.tests. 
Backport of 0dd2308cf6 from master
 2020-10-12 12:21:33 +02:00
Mariusz Felisiak 87b9a8b4de [2.2.x] Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py. 
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
Backport of 1960d55f8b from master
 2020-10-07 09:16:58 +02:00
Mariusz Felisiak 657fea55cb [2.2.x] Skipped GetImageDimensionsTests.test_webp when WEBP is not installed. 
Bumped minimum Pillow version to 4.2.0 in test requirements.

Backport of fce389af7c from master
 2020-10-06 11:32:34 +02:00
Mariusz Felisiak a3aebfdc81 [2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+. 
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
 2020-08-25 11:09:40 +02:00
Mariusz Felisiak 375657a71c [2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+. 
Thanks WhiteSage for the report.

Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
 2020-08-25 10:59:42 +02:00
Gert Burger 0a7d321bf7 [2.2.x] Fixed #31863 -- Prevented mutating model state by copies of model instances. 
Regression in bfb746f983.

Backport of 94ea79be13 from master
 2020-08-13 15:28:21 +02:00
Daniel Hillier 839f906a23 [2.2.x] Fixed #31866 -- Fixed locking proxy models in QuerySet.select_for_update(of=()). 
Backport of 60626162f7 from master
 2020-08-11 12:33:18 +02:00
Mariusz Felisiak d74e1c0521
[2.2.x] Pinned geoip2 < 4.0.0 in test requirements. 
geoip2 4+ doesn't support Python 3.5.
 2020-07-23 10:07:35 +02:00
Mariusz Felisiak eb81593875 [2.2.x] Fixed #31805 -- Fixed SchemaTests.tearDown() when table names are case-insensitive. 
Backport of fd53db842c from master
 2020-07-22 12:52:45 +02:00
Florian Apolloner 1a3835fdf3 [2.2.x] Fixed #31784 -- Fixed crash when sending emails on Python 3.6.11+, 3.7.8+, and 3.8.4+. 
Fixed sending emails crash on email addresses with display names longer
then 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.

Wrapped display names were passed to email.headerregistry.Address()
what caused raising an exception because address parts cannot contain
CR or LF.

See https://bugs.python.org/issue39073

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

Backport of 96a3ea39ef from master.
 2020-07-20 08:11:30 +02:00
Mariusz Felisiak f1a6e6c817 [2.2.x] Fixed #31790 -- Fixed setting SameSite cookies flag in HttpResponse.delete_cookie(). 
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.

This affects sessions and messages cookies.

Backport of 331324ecce from stable/3.0.x
 2020-07-16 09:35:35 +02:00
Mariusz Felisiak 5968a23e15
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choices_to on Python 3.5. 2020-07-02 10:59:15 +02:00
Mariusz Felisiak fc2a3682f6
[2.2.x] Refs #31751 -- Doc'd that cx_Oracle < 8 is required. 2020-06-30 09:47:50 +02:00
Stephen Rauch cdad78e6ee [2.2.x] Refs #30183 -- Doc'd dropping support for sqlparse < 0.2.2. 
Support for sqlparse < 0.2.2 was broken in
782d85b6df because is_whitespace property
was added in sqlparse 0.2.2.

Backport of 4b6db766ba from master.
 2020-06-10 06:18:44 +02:00
Mariusz Felisiak b2b2723512 [2.2.x] Fixed #31654 -- Fixed cache key validation messages. 
Backport of 926148ef01 from master.
 2020-06-05 07:24:04 +02:00
Mariusz Felisiak b87719034a
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choices_to on Python 3.5. 2020-06-04 07:37:40 +02:00
Mariusz Felisiak ea9bc392c4 [2.2.x] Refs CVE-2020-13254 -- Fixed cache.tests when KEY_PREFIX is defined. 
Follow up to 2c82414914.

Backport of 229c9c6653 from master
 2020-06-03 13:01:31 +02:00
Dan Palmer 07e59caa02 [2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends. 2020-06-03 09:34:29 +02:00
Jon Dufresne 6d61860b22 [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. 2020-06-03 09:33:38 +02:00
Mariusz Felisiak 8301bc9cfa [2.2.x] Fixed E128, E741 flake8 warnings. 
Backport of 0668164b4a from master.
 2020-06-02 11:04:23 +02:00
Carlton Gibson 027840d7de [2.2.x] Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations. 
Regression in e3e48b0012.

Thanks to Shai Berger for report, reproduce and suggested fix.

Backport of dd1ca50b09 from master.
 2020-06-01 09:29:03 +02:00
Mariusz Felisiak e33220ffd8 [2.2.x] Fixed LiveWidgetTests.test_textarea_trailing_newlines() crash on Chrome 75+. 
Backport of b08a18f17b from master
 2020-05-29 09:51:42 +02:00
Claude Paroz 996be04c3c [2.2.x] Fixed #30439 -- Added support for different plural forms for a language. 
Thanks to Michal Čihař for review.
Backport of e3e48b0012 from master
 2020-03-10 16:04:58 +01:00
Mariusz Felisiak 3acffe1420 [2.2.x] Fixed GeoQuerySetTest.test_unionagg_tolerance() test on Oracle 18c. 
Backport of 5ca76baa72 from master
 2020-03-05 08:56:56 +01:00
Mariusz Felisiak fe886a3b58 [2.2.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. 
Thanks to Norbert Szetei for the report.
 2020-03-04 09:34:39 +01:00
Abhijeet Viswa 32d89bf114 [2.2.x] Fixed #31246 -- Fixed locking models in QuerySet.select_for_update(of=()) for related fields and parent link fields with multi-table inheritance. 
Partly regression in 0107e3d105.

Backport of 1712a76b9d from master.
 2020-02-11 21:37:17 +01:00