99e6ac77f2
[1.4.x] Fixed a static view test on Windows.
...
Backport of a6f144fd4f
2015-01-14 13:57:59 -05:00
d020da6646
[1.4.x] Prevented views.static.serve() from using large memory on large files.
...
This is a security fix. Disclosure following shortly.
2015-01-05 13:43:54 -05:00
4c241f1b71
[1.4.x] Fixed is_safe_url() to handle leading whitespace.
...
This is a security fix. Disclosure following shortly.
2015-01-05 13:43:32 -05:00
4f6fffc1dc
[1.4.x] Stripped headers containing underscores to prevent spoofing in WSGI environ.
...
This is a security fix. Disclosure following shortly.
Thanks to Jedediah Smith for the report.
2015-01-05 13:43:15 -05:00
5940da16af
[1.4.x] Fixed #23754 -- Always allowed reference to the primary key in the admin
...
This change allows dynamically created inlines "Add related" button to work
correcly as long as their associated foreign key is pointing to the primary
key of the related model.
Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.
Backport of f9c4e14aec
2014-11-25 14:04:56 -05:00
f58392d8d8
[1.4.x] Fixed #23604 -- Allowed related m2m fields to be references in the admin.
...
Thanks Simon Charette for review.
Backport of a24cf21722
2014-10-06 09:08:45 -04:00
df657a7682
[1.4.x] Required numpy < 1.9 for tests; refs #23489 .
...
Backport of 4743a94429
2014-09-29 19:47:33 -04:00
065caafa70
[1.4.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
...
This fixes a regression introduced by the 53ff096982#23329 .
Backport of 342ccbd
2014-09-08 14:22:29 -04:00
4685026840
[1.4.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin.
...
Thanks to Trac alias Markush2010 and ross for the detailed reports.
Backport of 3cbb759
2014-08-27 22:12:37 -04:00
027bd34864
[1.4.x] Prevented data leakage in contrib.admin via query string manipulation.
...
This is a security fix. Disclosure following shortly.
2014-08-11 16:01:41 -04:00
30042d475b
[1.4.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
...
This is a security fix. Disclosure following shortly.
2014-08-11 10:14:06 -04:00
c2fe73133b
[1.4.x] Prevented reverse() from generating URLs pointing to other hosts.
...
This is a security fix. Disclosure following shortly.
2014-08-11 09:04:23 -04:00
778a555342
[1.4.x] Added tests/requirements/py2.txt.
...
This follows the convention used in other branches so we don't
need a special case in the build script for 1.4.
2014-07-25 09:46:15 -04:00
aa9c45c2e4
[1.4.x] Revert "Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet."
...
This reverts commit b44519072e
2014-07-14 21:09:38 -03:00
b44519072e
[1.4.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
...
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.
Backport of 5e2c4a4bd1
2014-07-14 12:38:00 -03:00
7feb54bbae
[1.4.x] Added additional checks in is_safe_url to account for flexible parsing.
...
This is a security fix. Disclosure following shortly.
2014-05-12 09:46:40 -04:00
28e23306aa
[1.4.x] Dropped fix_IE_for_vary/attach.
...
This is a security fix. Disclosure following shortly.
2014-05-12 09:46:22 -04:00
b91c385e32
[1.4.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
...
Regression in 8b93b313c06b2f2a3
2014-04-23 09:22:02 -04:00
aa80f498de
[1.4.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
...
This is a security fix. Disclosure will follow shortly.
Backport of 75c0d4ea3a
2014-04-21 18:31:44 -04:00
1170f285dd
[1.4.x] Prevented leaking the CSRF token through caching.
...
This is a security fix. Disclosure will follow shortly.
Backport of c083e3815a
2014-04-21 18:31:44 -04:00
c1a8c420fe
[1.4.x] Fixed a remote code execution vulnerabilty in URL reversing.
...
Thanks Benjamin Bach for the report and initial patch.
This is a security fix; disclosure to follow shortly.
Backport of 8b93b31487
2014-04-21 18:31:44 -04:00
83420e70ef
[1.4.x] Fixed random aggregation_regress test_more_more_more() failure
...
The cause was assuming that an unordered queryset returns the values
always in the same order.
Backport of 33dd8f5442
2014-04-19 13:01:52 -04:00
23126866ec
[1.4.x] Fixed #21538 -- Added numpy to test/requirements/base.txt
...
Thanks Tim Graham for the report
Backport of c75dd664c
2013-12-02 13:45:56 -05:00
7984b58e78
Fixed SyntaxError on Python 2.5 caused by a @unittest.skipIf class decoration.
2013-11-01 03:35:29 +07:00
3203f684e8
Fixed failing test introduced by 87d2750b39.
...
The {% ssi %} tag in Django 1.4 doesn't support spaces in its argument.
Skip the test if run from a location that contains a space.
2013-09-11 18:05:39 +07:00
87d2750b39
[1.4.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
...
Thanks Rainer Koirikivi for the report and draft patch.
This is a security fix; disclosure to follow shortly.
Backport of 7fe5b656c9
2013-09-10 21:05:47 -04:00
d9dc98159d
[1.4.x] Fixed #20904 : Test failure on Oracle
...
Just skip the failing test, the failure isn't really relevant; also,
both the test and the reason for its failure were removed in 1.5.
Thanks Tim Graham for advice on 1.5.
2013-08-17 23:12:01 +03:00
d5da495a2e
[1.4.x] Fixed #20906 -- Fixed a dependence on set-ordering in tests
...
Backport of 1ae64e96c1
2013-08-16 17:55:08 -04:00
bf611f14ec
[1.4.x] Fixed #20905 -- Fixed an Oracle-specific test case failure
...
Made a test checking ORM-generated query string case-insensitive.
Backport of ee0a7c741e
2013-08-16 12:23:05 -04:00
08e5fcb3e6
Fixed regression in validation tests since example.com is available via https now.
2013-08-13 22:34:52 +02:00
e8971345b4
[1.4.x] Fixed #19196 -- Added test/requirements
...
Backport of 4d92a0bd86
2013-07-10 12:12:15 -04:00
3872bc51c9
[1.4.x] Made a couple of selenium tests wait for page loaded
...
The admin_widgets tests were issuing click() to the browser but
didn't wait for the effects of those clicks. This caused the resulting
request to be processed concurrently with the test case. When using
in-memory SQLite this caused weird failures.
Also added wait_page_loaded() to admin selenium tests for code
reuse.
Fixed #19856 , cherry-pick of 50677b29af
2013-02-21 00:03:39 +02:00
0cc350a896
[1.4.x] Added a default limit to the maximum number of forms in a formset.
...
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
0e7861aec7
[1.4.x] Checked object permissions on admin history view.
...
This is a security fix. Disclosure and advisory coming shortly.
Patch by Russell Keith-Magee.
2013-02-19 10:37:54 -07:00
1c60d07ba2
[1.4.x] Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
...
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
9936fdb11d
[1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
dec7dd99f0
[1.4.x] Removed try-except in django.db.close_connection()
...
The reason was that the except clause needed to remove a connection
from the django.db.connections dict, but other parts of Django do not
expect this to happen. In addition the except clause was silently
swallowing the exception messages.
Refs #19707 , special thanks to Carl Meyer for pointing out that this
approach should be taken.
2013-02-13 00:39:43 +02:00
9918b3f502
[1.4.x] Fixed #19707 -- Reset transaction state after requests
...
Backpatch of a4e97cf315
2013-02-10 17:34:38 +02:00
498a5de07b
[1.4.x] Fixed #19645 -- Added tests for TransactionMiddleware
...
Backpatch of f556df90be#19707 .
2013-02-10 17:34:27 +02:00
f2530dcb17
[1.4.X] Fixed a test failure in the comment tests.
...
Backport of 1eb0da1c5b
2012-12-10 23:37:12 +01:00
319627c184
[1.4.X] Fixed a security issue in get_host.
...
Full disclosure and new release forthcoming.
2012-12-10 22:14:16 +01:00
b2ae0a63ae
[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
2012-12-10 22:14:16 +01:00
8c9a8fd5c4
[1.4.x] Fixed the admin_filters tests for Postgres.
...
Backport of c196e01100
2012-12-04 10:41:22 -08:00
c72172244e
[1.4.x] Fixed #19318 -- Ensured that the admin's SimpleListFilter options can be displayed as selected even if the lookup's first element is not a string.
...
Backport of 88e1715639
2012-12-03 20:58:54 -08:00
3e4058be9f
[1.4.x] Fixed ordering-related failure in m2m_through_regress tests
...
Backpatch of dc569c8801
2012-11-24 16:10:16 +02:00
046300c43b
[1.4.x] Restored Python 2.5 compatibility in m2m_through_regress tests.
...
Refs #18823 .
2012-11-24 09:49:30 +01:00
c7dcb1d808
[1.4.x] Fixed SQLite's collapsing of same-valued instances in bulk_create
...
SQLite used INSERT INTO tbl SELECT %s UNION SELECT %s, the problem
was that there should have been UNION ALL instead of UNION.
Refs #19351
Backpatch of a27582484c
2012-11-24 01:28:25 +02:00
37c87b785d
[1.4.x] Fixed #18823 -- Ensured m2m.clear() works when using through+to_field
...
There was a potential data-loss issue involved -- when clearing
instance's m2m assignments it was possible some other instance's
m2m data was deleted instead.
This commit also improved None handling for to_field cases.
Backpatch of 611c4d6f1c
2012-10-28 17:38:26 +02:00
773a29295a
Added missed poisoned host header test changes
2012-10-18 11:18:25 -07:00
cc0478606a
[1.4.x] Fixed #18881 -- Made the context option in {% trans %} and {% blocktrans %} accept literals wrapped in single quotes. Thanks to lanyjie for the report.
2012-10-13 10:51:53 -07:00
Tim Graham
Carl Meyer
Simon Charette
Emmanuelle Delescolle
Florian Apolloner
Ramiro Morales
Aymeric Augustin
Erik Romijn
Alasdair Nicol
Loic Bistuer
Shai Berger
Luke Plant
Anssi Kääriäinen
Julien Phalip
Sebastián Magrí
Preston Holmes