Commit Graph

3977 Commits

Author SHA1 Message Date
Mariusz Felisiak 820408d842 Added stub release notes for Django 3.2.4. 2021-05-13 09:42:26 +02:00
Mariusz Felisiak b55699968f
Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.
2021-05-13 08:53:44 +02:00
Simon Charette b81c7562fc Fixed #32717 -- Fixed filtering of querysets combined with the | operator.
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc.

Thanks Shaheed Haque for the report.
2021-05-13 07:26:52 +02:00
Raffaele Salmaso 3733ae8957 Fixed #32031 -- Added model class for each model to AdminSite.each_context(). 2021-05-13 06:57:09 +02:00
Nick Pope 29e4ccb1a2 Fixed #32738 -- Deprecated django.utils.datetime_safe module. 2021-05-12 14:42:17 +02:00
Nick Pope 1061f52436 Fixed #32732 -- Removed usage of deprecated 'db' and 'passwd' connection options in MySQL backend.
The 'db' and 'passwd' connection options have been deprecated, use
'database' and 'password' instead (available since mysqlclient >= 1.3.8).

This also allows the 'database' option in DATABASES['OPTIONS'] on MySQL.
2021-05-12 12:21:57 +02:00
Mariusz Felisiak d1f1417cae
Refs #32718 -- Corrected CVE-2021-31542 release notes. 2021-05-12 10:42:01 +02:00
Jordi Castells 205c36b58f Fixed #32670 -- Allowed GDALRasters to use any GDAL virtual filesystem. 2021-05-07 20:03:46 +02:00
Hasan Ramezani 028f10fac6 Fixed #32712 -- Deprecated django.utils.baseconv module. 2021-05-07 11:57:40 +02:00
Mariusz Felisiak 29779075d7 Added stub release notes for Django 3.2.3. 2021-05-06 10:08:00 +02:00
Mariusz Felisiak efebcc429f Added CVE-2021-32052 to security archive. 2021-05-06 09:58:24 +02:00
Mariusz Felisiak e1e81aa1c4
Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
2021-05-06 08:45:23 +02:00
Simon Charette 96f55ccf79 Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions.
Regression in c8b6594305.

Thanks Kevin Marsh for the report.
2021-05-05 08:43:57 +02:00
Carlton Gibson 62b2e8b37e Added commits for CVE-2021-31542 to security archive. 2021-05-04 11:09:21 +02:00
Carlton Gibson 607ebbfba9 Added CVE-2021-31542 to security archive. 2021-05-04 11:06:07 +02:00
Carlton Gibson 5a43cfe245 Added stub release notes for Django 3.2.2. 2021-05-04 11:01:33 +02:00
Florian Apolloner 0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Tim Graham 54da6e2ac2 Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. 2021-04-30 12:32:52 +02:00
Hasan Ramezani 8bcb00858e Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri(). 2021-04-30 08:05:42 +02:00
Carlton Gibson 907d3a7ff4 Refs #32674 -- Noted that auto-created through table PKs cannot be automatically migrated. 2021-04-29 13:53:56 +02:00
Mariusz Felisiak baba733dcc
Refs #32682 -- Renamed lookup_needs_distinct() to lookup_spawns_duplicates().
Follow up to 1871182031.
2021-04-29 12:04:30 +02:00
David Wobrock 4ab3ef238e Fixed #32675 -- Doc'd that autodector changes might cause generation of no-op migrations.
Follow up to aa4acc164d.
2021-04-29 07:46:22 +02:00
Simon Charette c8b6594305 Fixed #32632, Fixed #32657 -- Removed flawed support for Subquery deconstruction.
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible to their reference
to model classes.

Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).

Thanks Phillip Cutter for the report.

This also fixes a performance regression in bbf141bcdc.
2021-04-28 12:13:55 +02:00
Konstantin Alekseev 6e742dabc9 Fixed #32687 -- Restored passing process’ environment to underlying tool in dbshell on PostgreSQL.
Regression in bbe6fbb876.
2021-04-27 10:43:35 +02:00
Mariusz Felisiak 1871182031 Fixed #32682 -- Made admin changelist use Exists() instead of distinct() for preventing duplicates.
Thanks Zain Patel for the report and Simon Charette for reviews.

The exception introduced in 6307c3f1a1
revealed a possible data loss issue in the admin.
2021-04-27 10:34:47 +02:00
Zain Patel 4e5bbb6ef2 Fixed #32681 -- Fixed VariableDoesNotExist when rendering some admin template.
Regression in 84609b3205.
2021-04-26 07:08:16 +02:00
Simon Charette 6d0cbe42c3 Fixed #32650 -- Fixed handling subquery aliasing on queryset combination.
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).

Thanks Raffaele Salmaso for the report.
2021-04-21 09:49:15 +02:00
Mariusz Felisiak 34d1905712
Fixed #32665 -- Fixed caches system check crash when STATICFILES_DIRS is a list of 2-tuples.
Thanks Jared Lockhart for the report.

Regression in c36075ac1d.
2021-04-21 09:41:37 +02:00
Carlton Gibson 5c73fbb6a9 Fixed #32647 -- Restored multi-row select with shift-modifier in admin changelist.
Regression in 30e59705fc.
2021-04-21 08:31:06 +02:00
Tobias Bengfort 54e94640ac Refs #25287 -- Added support for multiplying and dividing DurationField by scalar values on SQLite. 2021-04-20 11:44:41 +02:00
Florian Apolloner 4511d14598 Fixed #32643 -- Fixed decoding of messages in the pre-Django 3.2 format.
Thanks Jan Pieter Waagmeester for the report.

Regression in 2d6179c819.
2021-04-14 22:52:59 +02:00
Mariusz Felisiak ca98729055
Fixed #32645 -- Fixed QuerySet.update() crash when ordered by joined fields on MySQL/MariaDB.
Thanks Matt Westcott for the report.

Regression in 779e615e36.
2021-04-14 21:11:17 +02:00
Mariusz Felisiak 338eb65b6e Refs #32548 -- Forwardported 3.2.1 release note. 2021-04-14 20:25:58 +02:00
Arthur Jovart 08c60cce3b Fixed #32648 -- Fixed VariableDoesNotExist rendering sitemaps template. 2021-04-14 16:50:47 +02:00
Mariusz Felisiak 23fa29f6a6
Fixed #32649 -- Fixed ModelAdmin.search_fields crash when searching against phrases with unbalanced quotes.
Thanks Dlis for the report.

Regression in 26a413507a.
2021-04-14 12:23:47 +02:00
Hasan Ramezani a77c9a4229 Fixed #32635 -- Fixed system check crash for reverse o2o relations in CheckConstraint.check and UniqueConstraint.condition.
Regression in b7b7df5fbc.

Thanks Szymon Zmilczak for the report.
2021-04-14 10:06:18 +02:00
Mariusz Felisiak 3b8527e32b
Fixed #32637 -- Restored exception message on technical 404 debug page.
Thanks Atul Varma for the report.
2021-04-13 09:15:04 +02:00
Iuri de Silvio 9760e262f8 Fixed #32627 -- Fixed QuerySet.values()/values_list() crash on combined querysets ordered by unannotated columns. 2021-04-12 21:11:40 +02:00
Adam Johnson 45a58c31e6 Fixed #32620 -- Allowed subclasses of Big/SmallAutoField for DEFAULT_AUTO_FIELD. 2021-04-08 13:17:08 +02:00
Claude Paroz 30e123ed35 Fixed #32575 -- Added support for SpatiaLite 5. 2021-04-08 09:36:29 +02:00
Claude Paroz 3ae4344bbd Dropped support for GEOS 3.5 and GDAL 2.0. 2021-04-07 20:39:30 +02:00
girishsontakke 98abc0c90e Fixed #32501 -- Added support for returning fields from INSERT statements on SQLite 3.35+. 2021-04-07 20:09:56 +02:00
Carlton Gibson 3f2920ae1d Corrected release number format in 3.2.1 release notes. 2021-04-07 19:44:29 +02:00
Claude Paroz e3cfba0029 Fixed #32544 -- Confirmed support for GDAL 3.2 and GEOS 3.9. 2021-04-07 15:54:24 +02:00
Carlton Gibson 5b05a45c62
Corrected wrapping in 3.2 release notes.
Partially reverts 0802b404a2.
2021-04-07 07:27:31 +02:00
Carlton Gibson df0a9e6d5c Added stub release notes for Django 3.2.1. 2021-04-06 11:49:48 +02:00
Carlton Gibson 0802b404a2 Added release date for Django 3.2.
Adjusted wrapping in release notes where needed.
2021-04-06 11:20:59 +02:00
Carlton Gibson 5aea50e57f Updated asgiref dependency for 3.2 release series. 2021-04-06 10:38:43 +02:00
Mariusz Felisiak 1eac8468cb Added CVE-2021-28658 to security archive. 2021-04-06 09:42:31 +02:00
Mariusz Felisiak d4d800ca1a Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
2021-04-06 08:15:17 +02:00