Florian Apolloner
76ed1c49f8
Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().
...
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Mariusz Felisiak
7deeabc7c7
Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
...
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
2019-08-01 09:24:54 +02:00
Florian Apolloner
4b78420d25
Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
...
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Florian Apolloner
7f65974f82
Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
...
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Étienne Beaulé
5f24e7158e
Fixed #30665 -- Added support for distinct argument to Avg() and Sum().
2019-07-31 11:22:50 +02:00
Nick Pope
f618e033ac
Fixed #30160 -- Added support for LZMA and XZ templates to startapp/startproject management commands.
2019-07-31 10:02:13 +02:00
Jon Dufresne
4122d9d3f1
Refs #28147 -- Fixed setting of OneToOne and Foreign Key fields to None when using attnames.
...
Regression in 519016e5f2.
2019-07-27 12:04:56 +02:00
Carlton Gibson
f13147c8de
Added stub release notes for security releases.
2019-07-25 10:49:30 +02:00
Jon Dufresne
5ed20b3aa3
Fixed #30657 -- Allowed customizing Field's descriptors with a descriptor_class attribute.
...
Allows model fields to override the descriptor class used on the model
instance attribute.
2019-07-25 08:15:20 +02:00
Tom Forbes
fc75694257
Fixed #30647 -- Fixed crash of autoreloader when extra directory cannot be resolved.
2019-07-24 14:08:37 +02:00
Tom Forbes
2ff517ccb6
Fixed #30506 -- Fixed crash of autoreloader when path contains null characters.
2019-07-23 10:03:23 +02:00
Mads Jensen
a3417282ac
Fixed #29824 -- Added support for database exclusion constraints on PostgreSQL.
...
Thanks to Nick Pope and Mariusz Felisiak for review.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-07-16 18:04:41 +02:00
Mads Jensen
7174cf0b00
Refs #29824 -- Added RangeOperators helper class.
2019-07-16 16:57:46 +02:00
Johannes Hoppe
00d4e6f8b5
Updated Select2 to version 4.0.7.
2019-07-10 12:31:16 +02:00
Mariusz Felisiak
7991111af1
Fixed #30621 -- Fixed crash of __contains lookup for Date/DateTimeRangeField when the right hand side is the same type.
...
Thanks Tilman Koschnick for the report and initial patch.
Thanks Carlton Gibson for the review.
Regression in 6b048b364c.
2019-07-10 10:33:36 +02:00
Simon Charette
ee6e93ec87
Fixed #30628 -- Adjusted expression identity to differentiate bound fields.
...
Expressions referring to different bound fields should not be
considered equal.
Thanks Julien Enselme for the detailed report.
Regression in bc7e288ca9.
2019-07-10 07:46:08 +02:00
Mariusz Felisiak
08e69cad9c
Added stub release notes for 2.2.4.
2019-07-09 07:39:35 +02:00
can
febe136d4c
Fixed #30397 -- Added app_label/class interpolation for names of indexes and constraints.
2019-07-08 14:57:56 +02:00
Johannes Hoppe
bc91f27a86
Refs #29444 -- Added support for fetching returned non-integer insert values on Oracle.
...
This is currently not actively used, since the ORM will ask the
SQL compiler to only return auto fields.
2019-07-08 08:53:08 +02:00
Hasan Ramezani
a5308514fb
Fixed #27801 -- Made createsuperuser fall back to environment variables for password and required fields.
2019-07-02 12:55:09 +02:00
Mariusz Felisiak
868cd56f05
Added CVE-2019-12781 to the security release archive.
2019-07-01 10:14:36 +02:00
Mariusz Felisiak
fc41401f33
Added release date for 2.2.3.
2019-07-01 07:48:45 +02:00
Carlton Gibson
54d0f5e62f
Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
...
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.
HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.
Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.
2019-07-01 07:48:04 +02:00
Mariusz Felisiak
30b3ee9d0b
Added stub release notes for security releases.
2019-07-01 06:57:27 +02:00
Claude Paroz
d54baf6970
Updated translations from Transifex
...
Forward port of b3f7262e6e from stable/2.2.x
2019-06-29 16:17:16 +02:00
nsasaki128
a289e79679
Fixed #30594 -- Added 'private' Cache-Control directive to never_cache() decorator.
2019-06-26 09:25:24 +02:00
Tom Forbes
8454f6dea4
Fixed #30588 -- Fixed crash of autoreloader when __main__ module doesn't have __file__ attribute.
2019-06-26 06:44:10 +02:00
Nadège Michel
87b1ad6e73
Fixed #30421 -- Allowed symmetrical intermediate table for self-referential ManyToManyField.
2019-06-21 15:03:17 +02:00
Jon Dufresne
2ef6f209f7
Fixed typos in 1.11.19, 2.0.11, 2.1.6 release notes.
2019-06-21 07:07:23 +02:00
Andrew Godwin
a415ce70be
Fixed #30451 -- Added ASGI handler and coroutine-safety.
...
This adds an ASGI handler, asgi.py file for the default project layout,
a few async utilities and adds async-safety to many parts of Django.
2019-06-20 12:29:43 +02:00
Sanyam Khurana
87f5d07eed
Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names.
2019-06-14 18:20:29 +02:00
can
fde9b7d35e
Fixed #30128 -- Fixed handling timedelta timezone in database functions.
2019-06-13 09:29:43 +02:00
Jon Dufresne
9e38ed0536
Fixed #27486 -- Fixed Python 3.7 DeprecationWarning in intword and filesizeformat filters.
...
intword and filesizeformat passed floats to ngettext() which is
deprecated in Python 3.7. The rationale for this warning is documented
in BPO-28692: https://bugs.python.org/issue28692 .
For filesizeformat, the filesize value is expected to be an int -- it
fills %d string formatting placeholders. It was likely coerced to a
float to ensure floating point division on Python 2. Python 3 always
does floating point division, so coerce to an int instead of a float to
fix the warning.
For intword, the number may contain a decimal component. In English, a
decimal component makes the noun plural. A helper function,
round_away_from_one(), was added to convert the float to an integer that
is appropriate for ngettext().
2019-06-11 20:34:59 +02:00
Hasan Ramezani
dcb8f00d06
Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields.
...
Thank you to Nick Pope for review.
Co-authored-by: CHI Cheng <cloudream@gmail.com>
2019-06-07 12:44:39 +02:00
Tobias Bengfort
581a0f4545
Refs #30226 -- Added User.get_user_permissions() method.
...
Added to mirror the existing User.get_group_permissions().
2019-06-05 13:56:37 +02:00
Tobias Bengfort
75337a6050
Fixed #30226 -- Added BaseBackend for authentication.
2019-06-05 13:39:46 +02:00
Étienne Beaulé
4b6dfe1622
Fixed #30542 -- Fixed crash of numerical aggregations with filter.
...
Filters in annotations crashed when used with numerical-type
aggregations (i.e. Avg, StdDev, and Variance). This was caused as the
source expressions do not necessarily have an output_field (such as the
filter field), which led to an AttributeError: 'WhereNode' object has
no attribute output_field.
Thanks to Chuan-Zheng Lee for the report.
Regression in c690afb873 and two following commits.
2019-06-05 08:06:26 +02:00
Mariusz Felisiak
1f81e2df69
Added stub release notes for 2.2.3.
2019-06-05 06:57:44 +02:00
Nick Pope
21b1d23912
Added CVE-2019-12308 to the security release archive.
2019-06-03 21:44:55 +02:00
Nick Pope
8fb0ea5583
Added CVE-2019-11358 to the security release archive.
2019-06-03 21:44:55 +02:00
Mariusz Felisiak
100ec901ae
Fixed typos in 1.11.21, 2.1.9, 2.2.2 release notes.
2019-06-03 14:08:51 +02:00
Carlton Gibson
34ec52269a
Applied jQuery patch for CVE-2019-11358.
2019-06-03 11:36:12 +02:00
Carlton Gibson
deeba6d920
Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
2019-06-03 11:36:12 +02:00
Carlton Gibson
98c0fe19ee
Added stub release notes for security releases.
2019-06-03 10:48:52 +02:00
Hasan Ramezani
e2de49ec2e
Fixed #28520 -- Added --start-at/--start-after options to runtests.py.
2019-05-31 07:01:12 +02:00
Tom Forbes
480492fe70
Fixed #30523 -- Fixed updating file modification times on seen files in auto-reloader when using StatReloader.
...
Previously we updated the file mtimes if the file has not been seen
before - i.e. on the first iteration of the loop.
If the mtime has been changed we triggered the notify_file_changed()
method which in all cases except the translations will result in the
process being terminated. To be strictly correct we need to update the
mtime for either branch of the conditional.
Regression in 6754bffa2b.
2019-05-29 09:41:24 +02:00
Tom Forbes
0344565179
Fixed #30516 -- Fixed crash of autoreloader when re-raising exceptions with custom signature.
...
Regression in c8720e7696.
2019-05-29 08:08:50 +02:00
Caio Ariede
a3f91891d2
Fixed #30315 -- Fixed crash of ArrayAgg and StringAgg with ordering when used in Subquery.
2019-05-28 10:05:50 +02:00
Tom Forbes
b2790f74d4
Fixed #30479 -- Fixed detecting changes in manage.py by autoreloader when using StatReloader.
...
Regression in c8720e7696.
2019-05-28 08:31:33 +02:00
Mariusz Felisiak
b6c4766f53
Refs #29548 -- Updated docs for MariaDB support.
2019-05-27 19:59:49 +02:00
Johan Lübcke
0670b1b403
Fixed #30485 -- Adjusted django.utils.http.urlencode for doseq=False case.
2019-05-24 17:15:34 +02:00
Rob
58df8aa40f
Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs.
...
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
2019-05-24 08:40:25 +02:00
Hasan Ramezani
9d6f981a66
Fixed #28763 -- Allowed overriding the session cookie age with SessionStore.get_session_cookie_age().
2019-05-21 08:50:09 +02:00
Mariusz Felisiak
df28ebd6c8
Fixed typo in docs/releases/3.0.txt.
2019-05-21 08:21:35 +02:00
Thomasina Lee
c38e7a79f4
Fixed #30488 -- Removed redundant Coalesce call in SQL generated by SearchVector.
...
Regression in 405c836336.
2019-05-20 08:34:06 +02:00
ruchit2801
04042b2b44
Fixed #30463 -- Fixed crash of deprecation message when Meta.ordering contains expressions.
...
Regression in 1b1f64ee5a.
2019-05-18 19:29:00 +02:00
Johannes Hoppe
8d010f3986
Fixed #30220 -- Added support for headless mode in selenium tests.
2019-05-17 08:14:54 +02:00
Claude Paroz
e286987a27
Fixed #30459 -- Delegated hide/show JS toggle to parent div.
...
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2019-05-17 07:46:45 +02:00
Troon
a3a4f5c144
Fixed #30310 -- Added support for looking up HttpHeaders.headers using underscores.
2019-05-09 16:26:52 +02:00
Jon Dufresne
48235ba807
Refs #30399 -- Made assertHTMLEqual normalize character and entity references.
2019-05-09 15:55:32 +02:00
Mariusz Felisiak
30dd43884e
Added stub release notes for 2.2.2.
2019-05-08 14:41:16 +02:00
Hasan Ramezani
f038214d91
Fixed #29056 -- Fixed HTML5 validation of required SelectDateWidget.
...
placeholder is required for "select" with "required" attribute.
2019-05-08 12:46:30 +02:00
Jon Dufresne
b915b9f10f
Refs #27753 -- Deprecated django.utils.text.unescape_entities().
...
The function was undocumented and only required for compatibility with
Python 2.
Code should use Python's html.unescape() that was added in Python 3.4.
2019-05-08 08:00:59 +02:00
Tobias Kunze
3166880301
Fixed #29352 -- Allowed specifying a Feed language.
2019-05-06 15:10:54 +02:00
Daniel Hahler
29601bca9b
Ignored pywatchman.SocketTimeout in Watchman autoreloader.
...
Bumped minimum supported pywatchman version to 1.2.0.
These exceptions don't require checking a server status.
2019-05-03 13:56:49 +02:00
Mykola Kokalko
ef082ebb84
Fixed #29529 -- Allowed models.fields.FilePathField to accept a callable path.
2019-05-02 11:11:56 +02:00
Mariusz Felisiak
2106b983c4
Added release date for 2.2.1.
2019-05-01 07:05:47 +02:00
François Freitag
568eed9e79
Fixed #30245 -- Added -k option to DiscoverRunner.
2019-04-30 16:20:51 +02:00
can
719b746620
Fixed #30412 -- Fixed crash when adding check constraints with OR'ed condition on Oracle and SQLite.
2019-04-30 12:32:27 +02:00
Jon Dufresne
6866c91b63
Fixed #30418 -- Added --skip-checks management command option.
2019-04-30 10:48:30 +02:00
Simon Charette
a8b3f96f6a
Fixed #30408 -- Fixed crash when adding check constraints with LIKE operator on Oracle and PostgreSQL.
...
The LIKE operator wildcard generated for contains, startswith, endswith and
their case-insensitive variant lookups was conflicting with parameter
interpolation on CREATE constraint statement execution.
Ideally we'd delegate parameters interpolation in DDL statements on backends
that support it but that would require backward incompatible changes to the
Index and Constraint SQL generating methods.
Thanks David Sanders for the report.
2019-04-30 07:38:22 +02:00
kingbuzzman
673fe2e3ec
Fixed #30148 -- Logged COPY ... TO statements in connection.queries on PostgreSQL.
2019-04-29 14:20:17 +02:00
Tom Forbes
6754bffa2b
Fixed #30323 -- Fixed detecting changes by autoreloader when using StatReloader.
2019-04-29 11:41:00 +02:00
Tom Forbes
0636d4d2aa
Refs #30323 -- Prevented crash of autoreloader when get_resolver().urlconf_module raises an exception.
2019-04-29 11:41:00 +02:00
Carlton Gibson
98296f86b3
Fixed #30351 -- Handled pre-existing permissions in proxy model permissions data migration.
...
Regression in 181fb60159.
2019-04-27 20:18:22 +02:00
Jacob Green
ed3c59097a
Fixed #30361 -- Increased the default timeout of watchman client to 5 seconds and made it customizable.
...
Made the default timeout of watchman client customizable via
DJANGO_WATCHMAN_TIMEOUT environment variable.
2019-04-26 12:55:49 +02:00
Aarni Koskela
efeceba589
Fixed #30312 -- Relaxed admin check from django.contrib.sessions to SessionMiddleware subclasses.
2019-04-26 11:31:06 +02:00
Mariusz Felisiak
85676979a4
Refs #30388 -- Added release note for 0f22671ecb.
2019-04-25 15:45:00 +02:00
Jon Dufresne
8d76443aba
Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape().
2019-04-25 15:09:07 +02:00
Alasdair Nicol
a5accc0368
Fixed #30318 -- Added check for importability of arguments of custom error handler views.
...
Thanks to Jon on Stack Overflow for reporting the issue.
2019-04-25 11:08:22 +02:00
Simon Charette
405c836336
Fixed #30385 -- Restored SearchVector(config) immutability.
...
Regression in 1a28dc3887.
The usage of CONCAT to allow SearchVector to deal with non-text fields
made the generated expression non-IMMUTABLE which prevents a functional
index from being created for it.
Using a combination of COALESCE and ::text makes sure the expression
preserves its immutability.
Refs #29582. Thanks Andrew Brown for the report, Nick Pope for the
review.
2019-04-23 08:11:33 +02:00
Dustin Neighly
49fb3f5f3e
Fixed #30341 -- Added support for the furlong unit in Distance.
2019-04-19 08:54:23 +02:00
Mariusz Felisiak
753580ecd1
Made cosmetic edits in docs/releases/2.2.1.txt.
2019-04-19 08:27:06 +02:00
Scott Fitsimones
a14c0fda15
Fixed #30328 -- Fixed crash of IntegerField.validators when limit_value in a custom validator is callable.
2019-04-19 07:58:27 +02:00
Ramiro Morales
aed89adad5
Fixed #30367 -- Changed "pip install" to "python -m pip install" in docs, comments and hints.
2019-04-18 14:41:15 +02:00
Ville Skyttä
03db5fddfd
Fixed typos in docs, comments, and exception messages.
2019-04-18 09:33:53 +02:00
Oleh Mykytiuk
177fa08339
Fixed #30370 -- Added dbshell support for client TLS certificates on PostgreSQL.
2019-04-18 08:10:31 +02:00
can
d87bd29c4f
Fixed #30335, #29139 -- Fixed crash when ordering or aggregating over a nested JSONField key transform.
2019-04-18 07:16:50 +02:00
Hasan Ramezani
917fd9d03f
Fixed #27755 -- Added ModelAdmin.get_inlines() hook.
2019-04-17 07:16:04 +02:00
Mariusz Felisiak
5f7991c42c
Fixed #30325 -- Reverted "Fixed #29725 -- Removed unnecessary join in QuerySet.count() and exists() on a many-to-many relation."
...
This reverts commit 1299421cad due to a regression with custom managers.
2019-04-15 12:02:26 +02:00
Florian Apolloner
2e38f2015a
Fixed #30350 -- Prevented recreation of migration for operations with a range object.
...
Thanks to Mariusz Felisiak for helping with the patch.
2019-04-14 12:04:48 +02:00
Florian Apolloner
afc708cf6d
Fixed #30330 -- Fixed setting of primary key to None during fast-delete.
...
Regression in bc7dd8490b.
2019-04-08 21:14:00 +02:00
Ran Benita
19fc6376ce
Fixed #30304 -- Added support for the HttpOnly, SameSite, and Secure flags on language cookies.
2019-04-08 11:26:06 +02:00
Tim Graham
c84b91b760
Refs #27807 -- Removed docs for User.username_validator.
...
The new override functionality claimed in refs #21379 doesn't work.
Forwardport of 714fdbaa70 from stable/1.10.x.
2019-04-07 20:02:20 -04:00
Simone Pellizzari
d0315584b5
Fixed #30332 -- Fixed crash of ordering by expressions with params in ArrayAgg and StringAgg.
2019-04-06 14:23:29 +02:00
Nick Pope
efb257a017
Fixed #30324 -- Forced utf-8 encoding when loading the template for the technical 500 debug page.
...
Regression in 50b8493.
Related to ea542a9.
2019-04-05 16:35:01 +02:00
Mariusz Felisiak
5efaf078f7
Fixed #30331 -- Added support for psycopg2 2.8.
2019-04-05 11:05:53 +02:00
msg
755673e1bc
Fixed #30307 -- Fixed incorrect quoting of database user password when using dbshell on Oracle.
...
Regression in acfc650f2a.
2019-04-04 08:33:28 +02:00
Mariusz Felisiak
e6588aa4e7
Added stub release notes for 2.2.1.
2019-04-03 08:26:05 +02:00
Alex Gaynor
851d9eac23
Fixed typo in docs/releases/2.2.txt.
2019-04-02 09:18:06 +02:00