Commit Graph

13927 Commits

Author SHA1 Message Date
Cody Scott 3e6d895912 [1.5.x] Small improvements to docs/topics/db/models.txt
Backport of 695bc0d191 from master
2013-10-10 20:57:20 -04:00
Anssi Kääriäinen 9f8a36eb20 [1.5.x] Fixed #21248 -- Skipped test_bcrypt if no py-bcrypt found
Pre 1.6 Django worked only with py-bcrypt, not with bcrypt. Skipped
test_bcrypt when using bcrypt to avoid false positives.
2013-10-09 14:40:32 +03:00
Tai Lee b495c24375 [1.5.x] Fixed #16436 -- defer + annotate + select_related crash
Correctly calculate the ``aggregate_start`` offset from loaded fields,
if any are deferred, instead of ``self.query.select`` which includes all
fields on the model.

Backpatch of 69f7db153d from master.
2013-10-09 13:55:32 +03:00
Dan Loewenherz f8393edb52 [1.5.x] Fix grammatical errors in email documentation
Backport of 43f213e475 from master
2013-10-08 20:30:50 -04:00
Tim Graham 67d887fbae [1.5.x] Fixed #21218 -- Typo on docs/howto/upgrade-version.txt
Thanks ryan at ryangallen.com for the report.

Backport of 36e220f923 from master
2013-10-03 20:14:07 -04:00
Tim Graham 1f63061060 [1.5.x] Clarified session replay attack differences with cookie backend.
Backport of 00a0d3de02 from master
2013-10-02 10:15:42 -04:00
Michael Manfre 7ebd10019d [1.5.x] Fixed #21203 -- resolve_columns fields misalignment
In queries using .defer() together with .select_related() the values
and fields arguments didn't align properly for resolve_columns().

Backpatch of 8c27247397 from master.
2013-10-01 21:34:39 +03:00
Tim Graham 997a332cbb [1.5.x] Fixed #21180 -- Additional deprecation notes for databrowse.
Thanks einsteiger for the suggestion.
2013-10-01 10:21:04 -04:00
Curtis Maloney 20f394f4d5 [1.5.x] Fixed #21154 -- Updated TemplateResponse docs to better explain context.
Thanks mrmachine for the report.

Backport of c39c9f2ad8 from master
2013-09-30 10:21:40 -04:00
Baptiste Mispelon 73ffe26816 [1.5.x] Fix #21185: Added tests for unescape_entities.
Also fixed a py3 incompatibility.
Thanks to brutasse for the report.

Backport of 3754f4ad41 from master.
2013-09-27 18:45:26 +02:00
Aymeric Augustin cb95516a88 [1.5.x] Updated the bundled version of six to 1.4.0.
Backport of 4292097078 from master.
2013-09-27 18:44:49 +02:00
Anssi Kääriäinen b7e5b5ba1e [1.5.x] Fixed #21126 -- QuerySet value conversion failure
A .annotate().select_related() query resulted in misaligned rows vs
columns for compiler.resolve_columns() method.

Report & patch by Michael Manfre.

Backpatch of 83554b018e from master.
2013-09-25 20:53:00 +03:00
Baptiste Mispelon 43ab759ce3 [1.5.X] Fixed wording in unit tests documentation.
Backport of 42b9feb2e7 from master.
2013-09-25 18:32:07 +02:00
Florian Apolloner f3853172a4 [1.5.x] Fixed #21138 -- Increased the performance of our PBKDF2 implementation.
Thanks go to Michael Gebetsroither for pointing out this issue and help on
the patch.

Backport of 68540fe4df from master.
2013-09-24 21:14:30 +02:00
Florian Apolloner 1cc572a071 Revert "[1.5.x] Ensure that passwords are never long enough for a DoS."
This reverts commit 22b74fa09d.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:12:25 +02:00
Tim Graham de8715ca97 [1.5.x] Fixed #21137 -- Corrected URLconf include example.
Thanks marfire for the report.

Backport of 77f6b468e5 from master
2013-09-24 09:41:44 -04:00
Brett Koonce 13aff91ae7 [1.5.x] Removed extra p (topppings->toppings)
Backport of 946a2226ea from master
2013-09-23 19:25:19 -04:00
Tim Graham 959adcc1de [1.5.x] Removed implication that six is part of Python stdlib.
Backport of 45969bdeb5 from master
2013-09-23 18:30:23 -04:00
Daley Chetwynd c695f293e3 [1.5.x] Fixed #20830 -- Clarified that Django uses a customized version of six.
Thanks glarrain for the suggestion.

Backport of a53caf28bf from master
2013-09-23 11:07:40 -04:00
Ben Huckvale a722dfda93 [1.5.x] Fixed #21120 -- Added more explicit text on using validators and link to writing validators.
Thanks nicolas at niconomicon.net for the suggestion.

Backport of 98e0453f00 from master
2013-09-23 10:40:27 -04:00
Tim Garner 938d98c8d1 [1.5.x] Fixed #21702 -- Added different bullet styles for nested lists.
Thanks moc at mocpa.com for the suggestion.

Backport of c81b6f7b83 from master
2013-09-23 07:40:07 -04:00
Florian Apolloner 1fa8c612fc [1.5.x] Stopped a test from executing queries at the module level.
Currently module level queries are executed against the real database
(specified in NAME) instead of the test database; since it is too late
to fix this for 1.6, we at least ensure stable builds. Refs #21443.

Backport of 4fcc1e4ad8 from master.
2013-09-22 23:07:54 +02:00
Florian Apolloner 18fe77e4ed [1.5.x] Fixed "Address already in use" from liveserver.
Our WSGIServer rewrapped the socket errors from server_bind into
WSGIServerExceptions, which is used later on to provide nicer
error messages in runserver and used by the liveserver to see if
the port is already in use. But wrapping server_bind isn't enough since
it only binds to the socket, socket.listen (which is called from
server_activate) could also raise "Address already in use".

Instead of overriding server_activate too I chose to just catch socket
errors, which seems to make more sense anyways and should be more robust
against changes in wsgiref.

Backport of 2ca00faa91 from master
2013-09-22 22:08:59 +02:00
Ramiro Morales b5eddde095 [1.5.x] Reference Meta.index_together in DB performance guide.
9dc45efeba from master.
2013-09-22 14:07:36 -03:00
Ramiro Morales 8e51bea4fb [1.5.x] Fixed a couple of typos in GeoDjango docs.
8b366a50f4 from master.
2013-09-22 14:07:14 -03:00
mlissner 177270ea73 [1.5.x] Correct very minor typo
Just changed as to has.

Backport of d8f2d940cc from master
2013-09-21 18:18:46 -04:00
Michael DiBernardo 61b685847e [1.5.x] Fixed #21137 -- Documented best practice for URLconfs with repeated pattern prefixes.
Backport of 222460a994 from master
2013-09-21 18:18:26 -04:00
Curtis Maloney b8e7730f3e [1.5.x] Fixed #21133 -- Clarified documentation about strftime formatting.
Backport of 43a2ec7999 from master
2013-09-21 06:56:17 -04:00
Markus Amalthea Magnuson b541cf24d0 [1.5.x] Added missing "in" in sentence.
Backport of 2c5c422d34 from master
2013-09-19 13:29:56 -04:00
Tim Graham 1ef9a296da [1.5.x] Added __pycache__ to gitignore
Backport of 55b9bff07f from master
2013-09-19 06:38:01 -04:00
Russell Keith-Magee 75c0aa43d3 [1.5.x] Fixed #21121: Added archive of security issues.
Backport of 9d3e60a, 8e134c2, 8b3bae9, c65ae7c, bbabc53,
and a2e25e8 from master.
2013-09-19 15:07:29 +08:00
Florian Apolloner 87c8de2a06 Revert "[1.5.x] Silenced last sporadic failure on 1.5."
This reverts commit 6a708cd654.

Reverted since it only moved the failures to some other tests and it apparently
only worked by accident. Patched selenium for now to include:
https://github.com/SeleniumHQ/selenium/pull/118
which seems to be the root cause for sporadic extra requests to the live server,
which then cause all sorts of issues.
2013-09-18 16:54:30 +02:00
Tim Graham 72f7932cfb [1.5.x] Fixed #21118 -- Isolated a test that uses the database.
Thanks rmboggs for the report.

Backport of 4f40b97d97 from master
2013-09-18 09:43:34 -04:00
Florian Apolloner 6a708cd654 [1.5.x] Silenced last sporadic failure on 1.5.
This commit is a last resort; technically the test is correct but our testsuite
has some threading issues when LiveServer is used. Since this will never get
fixed in 1.5 and apparently doesn't get triggered on 1.6 we just make sure the
test doesn't error out. I am not 100% sure why this actually fixes the issue,
but this is still better than having failing builds whenever we do a security
release for 1.5.

(Tested on jenkins itself, should work (tm)).
2013-09-17 22:33:11 +02:00
Florian Apolloner 3c3b3fc10b [1.5.x] Final attempt to solve sporadic test failures.
tearDownClass is not called if setUpClass throws an exception, in our case
this means that LiveServerTestCase leaks LiveServerThread sockets if the
test happens to be skipped later on, and AdminSeleniumWebDriverTestCase
doesn't close its already open browser window. To prevent this leakage
we catch errors where needed and manually call _tearDownClassInternal.
_tearDownClassInternal should be written as defensively as possible since
it is not allowed to make any assumptions on how far setUpClass got.

This patch should fix the sporadic "Address already in use"-errors on jenkins
and also the "This code isn't under transaction management"-error for sqlite
(also just on jenkins).

After discussion with koniiiik, jezdez, kmtracey, tos9, lifeless, nedbat and
voidspace it was decided that this is the safest approach (thanks to everyone
for their comments and help). Manually calling tearDownClass was shut down
cause we don't know how our users override our classes.

This is a private and very specialized API on purpose and should not be used
without a strong reason!

This patch partially reverts the earlier attempts to fix those issues,
namely:
	2fa0dd73b1 and
	3c5775d36f

Final note: If this patch breaks in a later version of Django, please be
very careful on how you fix it, you might not see test failures locally.
That said, this patch hopefully doesn't produce even more failures.

Backport of 73a610d2a8 from master.
2013-09-17 18:42:19 +02:00
Ramiro Morales efcf4d2bd9 [1.5.x] Reworded a paragraph in the logging docs.
9d12f68a53 from master.
2013-09-16 17:53:02 -03:00
Tim Graham 12a30e9221 [1.5.x] Cleaned up 1.5.4/1.4.8 release notes
Backport of 8d29005524 from master
2013-09-15 14:25:34 -04:00
Tim Graham ae5f4a04b4 [1.5.x] Bump version post-release.
2013-09-15 12:59:53 -04:00
Florian Apolloner 4770fc1c62 [1.5.x] (Hopefully) fixed a failure in a selenium test.
No forward port to 1.6 since it has new transaction management. The
wait_page_loaded should ensure that the liveserver has time to tear
down properly after the submit.
2013-09-15 10:44:29 +02:00
James Bennett 4607c7325d [1.5.x] Add release notes and bump version numbers for 1.5.4 security release.
2013-09-15 00:29:31 -06:00
Russell Keith-Magee 22b74fa09d [1.5.x] Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96d57 from master.
2013-09-15 13:48:15 +08:00
Minjong Chung e66fe357b2 Fixed #21102 -- pickling a QuerySet with prefetches twice
Fixed the bug that a QuerySet that prefetches related objects cannot be
pickled and unpickled more than once (The second pickling attempt
raises an exception).

Added a new test for the queryset pickling idempotency.

The bug was introduced by
bac187c0d8.
2013-09-14 10:03:03 +03:00
Goetz dbc2e8eb73 [1.5.x] Fixed #21101 -- Updated urlize documentation to mention email addresses
Backport of 39b49fd339 from master
2013-09-13 12:42:47 -04:00
Tim Graham 61de57260b [1.5.x] Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report.

Backport of 425d076d0c from master
2013-09-13 09:40:15 -04:00
Tim Graham 7cfb5243f1 [1.5.x] Fixed #21094 -- Updated reusable apps tutorial to use pip for installation.
Thanks ylb415 at gmail.com for the suggestion.

Backport of e4aab1bb8d from master
2013-09-13 09:30:20 -04:00
Kevin Christopher Henry 61867e226d [1.5.x] Documentation -- added instructions on working with pull requests
Since non-core contributors are asked to review patches, instructions
on working with pull requests were added to the Working with Git and
GitHub page (based on the existing instructions in the core
committers page).

Backport of 990ce9aab9 from master
2013-09-13 08:27:28 -04:00
Tim Graham 169594f5ae [1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
2013-09-11 08:18:52 -04:00
Kevin Christopher Henry 2a7d3030f9 [1.5.x] Documentation -- Improved description of cache arguments
- Fixed some grammar and formatting mistakes
- Added the type and default for CULL_FREQUENCY
- Made the note on culling the entire cache more precise. (It's actually
  slower on the filesystem backend.)

Backport of 5eca021d48 from master
2013-09-11 07:43:29 -04:00
Tim Graham 91a073a337 [1.5.x] Bump version post-release.
2013-09-11 07:04:04 -04:00
James Bennett 0a34f39759 [1.5.x] Bump version numbers for 1.5.3 security release.
2013-09-10 20:25:27 -05:00