Commit Graph

29649 Commits

Author SHA1 Message Date
Mariusz Felisiak 65a9d0013d
Removed unused TestHashedFiles._max_post_process_passes.
Unused since f1894bae30
2021-05-06 12:26:25 +02:00
Mariusz Felisiak 29779075d7 Added stub release notes for Django 3.2.3. 2021-05-06 10:08:00 +02:00
Mariusz Felisiak efebcc429f Added CVE-2021-32052 to security archive. 2021-05-06 09:58:24 +02:00
Mariusz Felisiak e1e81aa1c4
Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
2021-05-06 08:45:23 +02:00
Carlton Gibson a708f39ce6 Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
The validate_file_name() sanitation introduced in
0b79eb3691 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2a to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.
2021-05-06 07:04:52 +02:00
ecogels a0a5e0f4c8 Fixed #32705 -- Prevented database cache backend from checking .rowcount on closed cursor.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-05-05 12:41:59 +02:00
Simon Charette 136ff592ad Fixed #32690 -- Fixed __in lookup crash when combining with filtered aggregates.
Having lookups group by subquery right-hand-sides is likely unnecessary
in the first place but relatively large amount of work would be needed
to achieve that such as making Lookup instances proper resolvable
expressions.

Regression in 3543129822.

Thanks James A. Munsch for the report.
2021-05-05 11:41:35 +02:00
Maxim Beder 06fd4df41a Fixed #32479 -- Added fallbacks to subsequent language codes in translations.
Thanks Claude Paroz and Nick Pope for reviews.
2021-05-05 09:37:54 +02:00
Simon Charette 96f55ccf79 Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions.
Regression in c8b6594305.

Thanks Kevin Marsh for the report.
2021-05-05 08:43:57 +02:00
Karthikeyan Singaravelan f9f6bd63c9 Refs #32074 -- Removed usage of deprecated Thread.setDaemon().
Thread.setDaemon() was deprecated in Python 3.10 and will be removed in
Python 3.12.
2021-05-04 12:07:18 +02:00
Mariusz Felisiak 623c8cd8f4
Refs #32074 -- Used asyncio.get_running_loop() instead of get_event_loop().
Using asyncio.get_event_loop() when there is no running event loop was
deprecated in Python 3.10, see https://bugs.python.org/issue39529.
2021-05-04 11:29:23 +02:00
Carlton Gibson 62b2e8b37e Added commits for CVE-2021-31542 to security archive. 2021-05-04 11:09:21 +02:00
Carlton Gibson 607ebbfba9 Added CVE-2021-31542 to security archive. 2021-05-04 11:06:07 +02:00
Carlton Gibson 5a43cfe245 Added stub release notes for Django 3.2.2. 2021-05-04 11:01:33 +02:00
Florian Apolloner 0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Hasan Ramezani 8de4ca74ba Fixed #32693 -- Quoted and lowercased generated column aliases. 2021-05-04 07:36:56 +02:00
pythonwood 071cf68630
Fixed #32709 -- Corrected examples in django/utils/baseconv.py docstring. 2021-05-04 07:09:09 +02:00
Susan Wright 7582d913e7
Added spelling option to make.bat. 2021-04-30 14:04:22 +02:00
Mariusz Felisiak 1f643c28b5
Fixed #32653 -- Made quoting names in the Oracle backend consistent with db_table. 2021-04-30 12:59:07 +02:00
Tim Graham 54da6e2ac2 Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. 2021-04-30 12:32:52 +02:00
Hasan Ramezani 8bcb00858e Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri(). 2021-04-30 08:05:42 +02:00
Hasan Ramezani ca34db4650
Refs #32178 -- Doc'd DatabaseFeatures.django_test_skips/django_test_expected_failures in contributing guide. 2021-04-29 20:55:34 +02:00
Nick Pope 2161db0792
Fixed capitalization of "ECMAScript" and "JavaScript". 2021-04-29 20:29:08 +02:00
Carlton Gibson 907d3a7ff4 Refs #32674 -- Noted that auto-created through table PKs cannot be automatically migrated. 2021-04-29 13:53:56 +02:00
Mariusz Felisiak baba733dcc
Refs #32682 -- Renamed lookup_needs_distinct() to lookup_spawns_duplicates().
Follow up to 1871182031.
2021-04-29 12:04:30 +02:00
Carlton Gibson 4f128fcf5d
Refs #32694 -- Clarified when colorama requirement is needed in Windows how-to. 2021-04-29 11:26:38 +02:00
David Wobrock 4ab3ef238e Fixed #32675 -- Doc'd that autodector changes might cause generation of no-op migrations.
Follow up to aa4acc164d.
2021-04-29 07:46:22 +02:00
David Wobrock ee3b719a81 Refs #32675 -- Removed to_field from ForeignKeys in contrib apps' migrations.
Refs #22889.
2021-04-29 07:46:22 +02:00
Nick Pope 0c71e0f9cf Removed unnecessary reuse_with_filtered_relation argument from Query methods.
In Query.join() the argument reuse_with_filtered_relation was used to
determine whether to use == or .equals(). As this area of code is
related to aliases, we only expect an instance of Join or BaseTable to
be provided - the only two classes that provide .equals().

In both cases, the implementations of __eq__() and equals() are based
on use of the "identity" property. __eq__() performs an isinstance()
check first, returning NotImplemented if required. BaseTable.equals()
then does a straightforward equality check on "identity". Join.equals()
is a little bit different as it skips checking the last element of the
"identity" property: filtered_relation. This was only included
previously when the with_filtered_relation argument was True, impossible
since bbf141bcdc.
2021-04-28 21:19:42 +02:00
Nick Pope a6c79f4987 Removed unused with_filtered_relation argument from .equals()
Unused since bbf141bcdc.
2021-04-28 20:42:20 +02:00
Adam Johnson 68e876c095
Corrected introduction to range field lookups docs.
Follow up to 24b9f50823.
2021-04-28 20:35:05 +02:00
Simon Charette c8b6594305 Fixed #32632, Fixed #32657 -- Removed flawed support for Subquery deconstruction.
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible to their reference
to model classes.

Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).

Thanks Phillip Cutter for the report.

This also fixes a performance regression in bbf141bcdc.
2021-04-28 12:13:55 +02:00
Mariusz Felisiak 4f600673d7 Refs #32632 -- Added tests for returning a copy when combining Q() objects. 2021-04-28 11:31:17 +02:00
Konstantin Alekseev 6e742dabc9 Fixed #32687 -- Restored passing process’ environment to underlying tool in dbshell on PostgreSQL.
Regression in bbe6fbb876.
2021-04-27 10:43:35 +02:00
Mariusz Felisiak 1871182031 Fixed #32682 -- Made admin changelist use Exists() instead of distinct() for preventing duplicates.
Thanks Zain Patel for the report and Simon Charette for reviews.

The exception introduced in 6307c3f1a1
revealed a possible data loss issue in the admin.
2021-04-27 10:34:47 +02:00
Mariusz Felisiak cd74aad90e Refs #32682 -- Renamed use_distinct variable to may_have_duplicates.
QuerySet.distinct() is not the only way to avoid duplicate, it's also
not preferred.
2021-04-27 10:34:47 +02:00
Mariusz Felisiak 4074f38e1d Refs #32682 -- Fixed QuerySet.delete() crash on querysets with self-referential subqueries on MySQL. 2021-04-27 10:34:47 +02:00
Mariusz Felisiak 158eca4f93 Refs #19080 -- Added tests for preserving select_related() in the admin changelist. 2021-04-27 10:34:47 +02:00
Mariusz Felisiak d68be0494b
Refs 32637 -- Made technical 404 debug page display exception message when URL is resolved.
Follow up to 3b8527e32b.
2021-04-27 08:40:52 +02:00
Hannes Ljungberg eab71f7690 Fixed #32686 -- Removed unnecessary semicolon on collected multiline SQL for RunSQL. 2021-04-27 08:01:07 +02:00
Hannes Ljungberg 95754dbc9b Refs #32686 -- Added tests for adding a semicolon when collecting SQL for RunSQL. 2021-04-27 07:59:41 +02:00
Zain Patel 4e5bbb6ef2 Fixed #32681 -- Fixed VariableDoesNotExist when rendering some admin template.
Regression in 84609b3205.
2021-04-26 07:08:16 +02:00
Mariusz Felisiak af609c2f4d
Fixed isolation of test_rename_table_renames_deferred_sql_references(). 2021-04-26 06:11:13 +02:00
Mariusz Felisiak 0aacbdcf27
Refs #32673 -- Fixed lookups crash when comparing against lookups on Oracle.
Follow up to 170b006ce8.
2021-04-23 16:32:53 +02:00
Simon Charette 170b006ce8 Fixed #32673 -- Fixed lookups crash when comparing against lookups on PostgreSQL.
Regression in 3a505c70e7.

Nonlitteral right-hand-sides of lookups need to be wrapped in
parentheses to avoid operator precedence ambiguities.

Thanks Charles Lirsac for the detailed report.
2021-04-23 15:38:32 +02:00
Clumart.G 67bb1f516c
Refs #28034 -- Corrected docs example in contributing tutorial. 2021-04-23 15:24:16 +02:00
Mariusz Felisiak 2f435e75ab
Fixed isolation of test_showmigrations_unmigrated_app().
Follow up to 90916f050c.
2021-04-23 10:06:08 +02:00
Mariusz Felisiak ac2e6e6869
Fixed isolation of i18n.tests.FormattingTests.test_get_custom_format(). 2021-04-22 19:57:27 +02:00
Mariusz Felisiak 90916f050c
Fixed isolation of test_showmigrations_unmigrated_app(). 2021-04-22 17:43:58 +02:00
Mariusz Felisiak c3278bb71f
Used assertCountEqual() in ExcludeTests.test_exclude_subquery(). 2021-04-22 10:47:10 +02:00