p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
26,979 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

10075 Commits

Author SHA1 Message Date
Jon Dufresne 01742aa932 [2.2.x] Refs #31040 -- Fixed Python PendingDeprecationWarning in select_for_update.tests. 
Backport of 0dd2308cf6 from master
 2020-10-12 12:21:33 +02:00
Mariusz Felisiak 87b9a8b4de [2.2.x] Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py. 
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
Backport of 1960d55f8b from master
 2020-10-07 09:16:58 +02:00
Mariusz Felisiak 657fea55cb [2.2.x] Skipped GetImageDimensionsTests.test_webp when WEBP is not installed. 
Bumped minimum Pillow version to 4.2.0 in test requirements.

Backport of fce389af7c from master
 2020-10-06 11:32:34 +02:00
Mariusz Felisiak a3aebfdc81 [2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+. 
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
 2020-08-25 11:09:40 +02:00
Mariusz Felisiak 375657a71c [2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+. 
Thanks WhiteSage for the report.

Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
 2020-08-25 10:59:42 +02:00
Gert Burger 0a7d321bf7 [2.2.x] Fixed #31863 -- Prevented mutating model state by copies of model instances. 
Regression in bfb746f983.

Backport of 94ea79be13 from master
 2020-08-13 15:28:21 +02:00
Daniel Hillier 839f906a23 [2.2.x] Fixed #31866 -- Fixed locking proxy models in QuerySet.select_for_update(of=()). 
Backport of 60626162f7 from master
 2020-08-11 12:33:18 +02:00
Mariusz Felisiak d74e1c0521
[2.2.x] Pinned geoip2 < 4.0.0 in test requirements. 
geoip2 4+ doesn't support Python 3.5.
 2020-07-23 10:07:35 +02:00
Mariusz Felisiak eb81593875 [2.2.x] Fixed #31805 -- Fixed SchemaTests.tearDown() when table names are case-insensitive. 
Backport of fd53db842c from master
 2020-07-22 12:52:45 +02:00
Florian Apolloner 1a3835fdf3 [2.2.x] Fixed #31784 -- Fixed crash when sending emails on Python 3.6.11+, 3.7.8+, and 3.8.4+. 
Fixed sending emails crash on email addresses with display names longer
then 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.

Wrapped display names were passed to email.headerregistry.Address()
what caused raising an exception because address parts cannot contain
CR or LF.

See https://bugs.python.org/issue39073

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

Backport of 96a3ea39ef from master.
 2020-07-20 08:11:30 +02:00
Mariusz Felisiak f1a6e6c817 [2.2.x] Fixed #31790 -- Fixed setting SameSite cookies flag in HttpResponse.delete_cookie(). 
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.

This affects sessions and messages cookies.

Backport of 331324ecce from stable/3.0.x
 2020-07-16 09:35:35 +02:00
Mariusz Felisiak 5968a23e15
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choices_to on Python 3.5. 2020-07-02 10:59:15 +02:00
Mariusz Felisiak fc2a3682f6
[2.2.x] Refs #31751 -- Doc'd that cx_Oracle < 8 is required. 2020-06-30 09:47:50 +02:00
Stephen Rauch cdad78e6ee [2.2.x] Refs #30183 -- Doc'd dropping support for sqlparse < 0.2.2. 
Support for sqlparse < 0.2.2 was broken in
782d85b6df because is_whitespace property
was added in sqlparse 0.2.2.

Backport of 4b6db766ba from master.
 2020-06-10 06:18:44 +02:00
Mariusz Felisiak b2b2723512 [2.2.x] Fixed #31654 -- Fixed cache key validation messages. 
Backport of 926148ef01 from master.
 2020-06-05 07:24:04 +02:00
Mariusz Felisiak b87719034a
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choices_to on Python 3.5. 2020-06-04 07:37:40 +02:00
Mariusz Felisiak ea9bc392c4 [2.2.x] Refs CVE-2020-13254 -- Fixed cache.tests when KEY_PREFIX is defined. 
Follow up to 2c82414914.

Backport of 229c9c6653 from master
 2020-06-03 13:01:31 +02:00
Dan Palmer 07e59caa02 [2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends. 2020-06-03 09:34:29 +02:00
Jon Dufresne 6d61860b22 [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. 2020-06-03 09:33:38 +02:00
Mariusz Felisiak 8301bc9cfa [2.2.x] Fixed E128, E741 flake8 warnings. 
Backport of 0668164b4a from master.
 2020-06-02 11:04:23 +02:00
Carlton Gibson 027840d7de [2.2.x] Fixed #31570 -- Corrected translation loading for apps providing territorial language variants with different plural equations. 
Regression in e3e48b0012.

Thanks to Shai Berger for report, reproduce and suggested fix.

Backport of dd1ca50b09 from master.
 2020-06-01 09:29:03 +02:00
Mariusz Felisiak e33220ffd8 [2.2.x] Fixed LiveWidgetTests.test_textarea_trailing_newlines() crash on Chrome 75+. 
Backport of b08a18f17b from master
 2020-05-29 09:51:42 +02:00
Claude Paroz 996be04c3c [2.2.x] Fixed #30439 -- Added support for different plural forms for a language. 
Thanks to Michal Čihař for review.
Backport of e3e48b0012 from master
 2020-03-10 16:04:58 +01:00
Mariusz Felisiak 3acffe1420 [2.2.x] Fixed GeoQuerySetTest.test_unionagg_tolerance() test on Oracle 18c. 
Backport of 5ca76baa72 from master
 2020-03-05 08:56:56 +01:00
Mariusz Felisiak fe886a3b58 [2.2.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. 
Thanks to Norbert Szetei for the report.
 2020-03-04 09:34:39 +01:00
Abhijeet Viswa 32d89bf114 [2.2.x] Fixed #31246 -- Fixed locking models in QuerySet.select_for_update(of=()) for related fields and parent link fields with multi-table inheritance. 
Partly regression in 0107e3d105.

Backport of 1712a76b9d from master.
 2020-02-11 21:37:17 +01:00
Simon Charette c67a368c16 [2.2.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. 2020-01-26 18:51:25 +01:00
Mariusz Felisiak 96d6443121 [2.2.x] Fixed timezones tests for PyYAML 5.3+. 
Backport of 8be477be5c from master
 2020-01-07 09:55:41 +01:00
Simon Charette 4d334bea06 [2.2.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests. 
Backport of 5b1fbcef7a from master.

Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
 2019-12-18 09:16:08 +01:00
Peter Andersen f33be1e8ae [2.2.x] Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs. 
Backport of 02eff7ef60 from master
 2019-12-11 09:38:49 +01:00
Carlton Gibson 36f580a17f Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. 
Thank you to Shen Ying for reporting this issue.
 2019-12-02 08:58:14 +01:00
Mariusz Felisiak 6cf3b6f5cf [2.2.x] Fixed #30953 -- Made select_for_update() lock queryset's model when using "self" with multi-table inheritance. 
Thanks Abhijeet Viswa for the report and initial patch.
Backport of 0107e3d105 from master
 2019-12-02 07:58:44 +01:00
Mariusz Felisiak 9a17ae50c6 [2.2.x] Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup. 
Regression in 98296f86b3.

Backport of e8fcdaad5c from master
 2019-11-29 11:10:59 +01:00
Baptiste Mispelon 7873d3757d [2.2.x] Fixed #31031 -- Fixed data loss in admin changelist view when formset's prefix contains regex special chars. 
Regression in b18650a263.

Backport of 52936eface from master
 2019-11-26 09:19:39 +01:00
Mariusz Felisiak 8eda248dc9 [2.2.x] Refs #29926 -- Bumped minimum tblib version to 1.5.0 in test requirements. 
Backport of 25903e41fb from master.
 2019-11-12 21:49:09 +01:00
Carlton Gibson 785d1706c4 [2.2.x] Fixed #30931 -- Restored ability to override Model.get_FIELD_display(). 
Thanks Sergey Fedoseev for the implementation idea.

Regression in a68ea23101.

Backport of 2d38eb0ab9 from master
 2019-11-04 08:17:50 +01:00
Hannes Ljungberg 7fe09e6d41 [2.2.x] Fixed #30903 -- Fixed migrations crash on PostgreSQL when adding Index with opclasses and ordering. 
Backport of fa5f3291e7 from master
 2019-10-24 09:53:33 +02:00
Mariusz Felisiak d2f02aa56b [2.2.x] Fixed #30870 -- Fixed showing that RunPython operations are irreversible by migrate --plan. 
Thanks Hasan Ramezani for the initial patch and Kyle Dickerson for the
report.

Backport of 06d34aab7c from master.
 2019-10-14 11:45:47 +02:00
Louise Grandjonc 323467e286 [2.2.x] Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform. 
Regression in 6c3dfba892.

Backport of 7d1bf29977 from master
 2019-10-11 11:52:32 +02:00
Pablo García 38af257988 [2.2.x] Fixed #30810 -- Fixed WatchmanReloaderTests.test_setting_timeout_from_environment_variable test. 
client_timeout is an instance attribute.

Backport of 2fd610eb30 from master
 2019-09-27 08:36:48 +02:00
Simon Charette 7806e45454 [2.2.x] Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation. 
This was a regression introduced by 7deeabc7c7
to address CVE-2019-14234.

Thanks Tim Kleinschmidt for the report and Mariusz for the tests.

Backport of 6c3dfba892 from master
 2019-09-16 08:53:31 +02:00
Simon Charette 964dd4f4f2 [2.2.x] Fixed #30754 -- Prevented inclusion of aliases in partial index conditions. 
SQLite doesn't repoint table aliases in partial index conditions on table
rename which breaks the documented table alteration procedure.

Thanks Pēteris Caune for the report.

Backport of 34decdebf1 from master
 2019-09-10 10:04:12 +02:00
Mariusz Felisiak 6624a3de28
[2.2.x] Fixed test_json.TestQuerying.test_key_transform_expression() on Python 3.5. 2019-08-15 19:38:12 +02:00
zeyneloz c2732e6839 [2.2.x] Fixed #30449 -- Fixed RelatedFieldListFilter/RelatedOnlyFieldListFilter to respect model's Meta.ordering. 
Regression in 6d4e5feb79.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

Backport of 00035672a4 from master
 2019-08-15 13:14:17 +02:00
Mariusz Felisiak 52a7759a49 [2.2.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params. 
Regression in 4f5b58f5cd.

Thanks Florian Apolloner for the report and helping with tests.

Backport of 1f8382d34d from master.
 2019-08-14 15:29:13 +02:00
Adnan Umer 1265a26b2f [2.2.x] Fixed #30673 -- Relaxed system check for db_table collision when database routers are installed by turning the error into a warning. 
Backport of 8d3519071e from master.
 2019-08-08 21:40:06 +02:00
Florian Apolloner cf694e6852 [2.2.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri(). 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:06:54 +02:00
Mariusz Felisiak 4f5b58f5cd [2.2.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection. 
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
 2019-07-29 11:06:54 +02:00
Florian Apolloner e34f3c0e9e [2.2.x] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:06:54 +02:00
Florian Apolloner c3289717c6 [2.2.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. 
Thanks to Guido Vranken for initial report.
 2019-07-29 11:00:01 +02:00