5864e1f8e9
[1.4.x] Updated xhtml2pdf URL in docs.
2016-02-16 07:10:13 -05:00
9ff23eb7cc
[1.4.x] Bumped version for 1.4.22 release.
2015-08-18 08:39:59 -04:00
575f59f9bc
[1.4.x] Fixed DoS possiblity in contrib.auth.views.logout()
...
Refs #20936 -- When logging out/ending a session, don't create a new, empty session.
Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.
This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.
This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.
Backport of 393c0e2422088579638b2dee853ed4
2015-08-18 08:35:42 -04:00
8b0d63914f
[1.4.x] Added stub release notes for security releases.
2015-08-18 08:35:33 -04:00
3b324970e3
[1.4.x] Fixed #25119 -- Disabled wheel support.
2015-07-13 19:57:52 -04:00
622a11513e
[1.4.x] Bumped version for 1.4.21 release.
2015-07-08 07:39:43 -04:00
1ba1cdce7d
[1.4.x] Prevented newlines from being accepted in some validators.
...
This is a security fix; disclosure to follow shortly.
Thanks to Sjoerd Job Postmus for the report and draft patch.
2015-07-08 07:38:06 -04:00
2e47f3e401
[1.4.x] Fixed #19324 -- Avoided creating a session record when loading the session.
...
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.
This is a security fix; disclosure to follow shortly.
2015-07-08 07:38:06 -04:00
c570a5ec3e
[1.4.x] Added security release note stubs.
2015-07-08 07:38:06 -04:00
664ad1252c
[1.4.x] Added link to download page to find supported versions.
...
Backport of 8c4827ec1d
2015-04-04 08:00:44 -04:00
5388692144
[1.4.x] Bumped version for 1.4.20 release.
2015-03-18 08:43:42 -04:00
2342693b31
[1.4.x] Made is_safe_url() reject URLs that start with control characters.
...
This is a security fix; disclosure to follow shortly.
2015-03-18 08:39:37 -04:00
3b20558beb
[1.4.x] Added stub release notes for security releases.
2015-03-18 08:39:12 -04:00
7dd4c5221a
[1.4.x] Bumped version for 1.4.19 release.
2015-01-27 11:55:02 -05:00
1e39d0f628
[1.4.x] Fixed #24158 -- Allowed GZipMiddleware to work with streaming responses
...
Backport of django.utils.text.compress_sequence and fix for
django.middleware.gzip.GZipMiddleware when using iterators as
response.content.
2015-01-26 19:22:47 -05:00
9435474068
[1.4.x] Designated Django 1.8 as the next LTS.
...
Backport of c38db4d7e0
2015-01-19 12:09:43 -05:00
bd9dcd226b
[1.4.x] Bumped version for 1.4.18 release.
2015-01-13 13:14:08 -05:00
88b7957b34
[1.4.x] Added dates to release notes.
2015-01-13 13:10:54 -05:00
d020da6646
[1.4.x] Prevented views.static.serve() from using large memory on large files.
...
This is a security fix. Disclosure following shortly.
2015-01-05 13:43:54 -05:00
4c241f1b71
[1.4.x] Fixed is_safe_url() to handle leading whitespace.
...
This is a security fix. Disclosure following shortly.
2015-01-05 13:43:32 -05:00
4f6fffc1dc
[1.4.x] Stripped headers containing underscores to prevent spoofing in WSGI environ.
...
This is a security fix. Disclosure following shortly.
Thanks to Jedediah Smith for the report.
2015-01-05 13:43:15 -05:00
113a8980f4
[1.4.x] Added stub release notes for security releases.
2015-01-05 13:42:52 -05:00
2fd8054fda
[1.4.x] Fixed #24081 -- Downgraded six to 1.8.0.
...
This reverts commit a25c444bc7
2015-01-05 13:41:06 -05:00
592187e11b
[1.4.x] Bumped version for 1.4.17 release.
2015-01-02 21:07:00 -05:00
35dc639cd6
[1.4.x] Added dates to release notes.
...
Backport of 15cd71ed24
2015-01-02 19:23:14 -05:00
a25c444bc7
[1.4.x] Updated six to 1.9.0.
...
Backport of 52f0b2b622
2015-01-02 13:38:58 -05:00
5940da16af
[1.4.x] Fixed #23754 -- Always allowed reference to the primary key in the admin
...
This change allows dynamically created inlines "Add related" button to work
correcly as long as their associated foreign key is pointing to the primary
key of the related model.
Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.
Backport of f9c4e14aec
2014-11-25 14:04:56 -05:00
a1dcd82b28
[1.4.x] Updated six to 1.8.0.
...
Backport of 81477c91f6
2014-11-04 21:30:21 -05:00
151d6dbf9c
[1.4.x] Bump version numbers for bugfix release.
2014-10-22 12:36:19 -04:00
a92e386e26
[1.4.x] Added release dates to release notes.
...
Backport of 9dc782b631
2014-10-22 12:25:45 -04:00
643374bcf5
[1.4.x] Fixed #23631 -- Removed outdated note on MySQL timezone support.
...
Thanks marfire for the report.
Backport of 9db3653670
2014-10-10 15:22:46 -04:00
f58392d8d8
[1.4.x] Fixed #23604 -- Allowed related m2m fields to be references in the admin.
...
Thanks Simon Charette for review.
Backport of a24cf21722
2014-10-06 09:08:45 -04:00
3132edae41
[1.4.x] Fixed #23499 -- Error in built-in template tag "now" documentation
...
Backport of ab8248361e
2014-09-17 09:26:45 +02:00
ba2be27613
[1.4.x] Fixed #20036 -- Improved GEOS version string parsing
...
Thanks chikiro.spam at gmail.com for the report.
2014-09-11 20:54:33 +02:00
065caafa70
[1.4.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
...
This fixes a regression introduced by the 53ff096982#23329 .
Backport of 342ccbd
2014-09-08 14:22:29 -04:00
78085844a7
[1.4.x] Added dates to release notes.
...
Backport of 0fd23545db
2014-09-02 21:36:44 -04:00
0517f498cd
[1.4.x] Bump version numbers for bugfix release.
2014-09-02 15:43:24 -05:00
4685026840
[1.4.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin.
...
Thanks to Trac alias Markush2010 and ross for the detailed reports.
Backport of 3cbb759
2014-08-27 22:12:37 -04:00
8adc56ca78
[1.4.x] Fixed spelling mistake in file docs.
...
Backport of a3e88e64a4
2014-08-26 09:45:06 -04:00
e484df76b6
[1.4.x] Added dates to release notes.
2014-08-20 16:33:50 -04:00
4fce0193d2
[1.4.x] Bump version numbers for security release.
2014-08-20 15:00:40 -05:00
027bd34864
[1.4.x] Prevented data leakage in contrib.admin via query string manipulation.
...
This is a security fix. Disclosure following shortly.
2014-08-11 16:01:41 -04:00
c9e3b9949c
[1.4.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.
...
This is a security fix. Disclosure following shortly.
2014-08-11 12:15:06 -04:00
30042d475b
[1.4.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
...
This is a security fix. Disclosure following shortly.
2014-08-11 10:14:06 -04:00
c2fe73133b
[1.4.x] Prevented reverse() from generating URLs pointing to other hosts.
...
This is a security fix. Disclosure following shortly.
2014-08-11 09:04:23 -04:00
4d5e972a2c
[1.4.x] Added release note stub for 1.4.14.
2014-08-11 08:47:06 -04:00
88cb7aa6aa
[1.4.x] Added a warning that remove_tags() output shouldn't be considered safe.
...
Backport of 7efce77de2
2014-08-11 07:11:30 -04:00
399052d224
[1.4.x] Noted that django-jython requires Django 1.7.
...
Backport of 72e98d5c16
2014-08-08 12:47:31 -04:00
d23d19c15e
[1.4.x] Fixed #23239 -- Clarified a phrase in the contrib.markup docs.
...
Backport of e0fb48c254
2014-08-06 08:30:49 -04:00
bc03817b42
[1.4.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs
...
Backport of e26366da44
2014-08-02 19:01:23 +02:00
Ramon Moraes
Tim Graham
Carl Meyer
Benjamin Richter
Simon Charette
James Bennett
Emmanuelle Delescolle
Joseph Dougherty
Claude Paroz
Preston Holmes
Florian Apolloner
Erik Romijn