Commit Graph

13897 Commits

Author SHA1 Message Date
Russell Keith-Magee 75c0aa43d3 [1.5.x] Fixed #21121: Added archive of security issues.
Backport of 9d3e60a, 8e134c2, 8b3bae9, c65ae7c, bbabc53,
and a2e25e8 from master.
2013-09-19 15:07:29 +08:00
Florian Apolloner 87c8de2a06 Revert "[1.5.x] Silenced last sporadic failure on 1.5."
This reverts commit 6a708cd654.

Reverted since it only moved the failures to some other tests and it apparently
only worked by accident. Patched selenium for now to include:
https://github.com/SeleniumHQ/selenium/pull/118
which seems to be the root cause for sporadic extra requests to the live server,
which then cause all sorts of issues.
2013-09-18 16:54:30 +02:00
Tim Graham 72f7932cfb [1.5.x] Fixed #21118 -- Isolated a test that uses the database.
Thanks rmboggs for the report.

Backport of 4f40b97d97 from master
2013-09-18 09:43:34 -04:00
Florian Apolloner 6a708cd654 [1.5.x] Silenced last sporadic failure on 1.5.
This commit is a last resort; technically the test is correct but our testsuite
has some threading issues when LiveServer is used. Since this will never get
fixed in 1.5 and apparently doesn't get triggered on 1.6 we just make sure the
test doesn't error out. I am not 100% sure why this actually fixes the issue,
but this is still better than having failing builds whenever we do a security
release for 1.5.

(Tested on jenkins itself, should work (tm)).
2013-09-17 22:33:11 +02:00
Florian Apolloner 3c3b3fc10b [1.5.x] Final attempt to solve sporadic test failures.
tearDownClass is not called if setUpClass throws an exception, in our case
this means that LiveServerTestCase leaks LiveServerThread sockets if the
test happens to be skipped later on, and AdminSeleniumWebDriverTestCase
doesn't close its already open browser window. To prevent this leakage
we catch errors where needed and manually call _tearDownClassInternal.
_tearDownClassInternal should be written as defensively as possible since
it is not allowed to make any assumptions on how far setUpClass got.

This patch should fix the sporadic "Address already in use"-errors on jenkins
and also the "This code isn't under transaction management"-error for sqlite
(also just on jenkins).

After discussion with koniiiik, jezdez, kmtracey, tos9, lifeless, nedbat and
voidspace it was decided that this is the safest approach (thanks to everyone
for their comments and help). Manually calling tearDownClass was shut down
cause we don't know how our users override our classes.

This is a private and very specialized API on purpose and should not be used
without a strong reason!

This patch partially reverts the earlier attempts to fix those issues,
namely:
	2fa0dd73b1 and
	3c5775d36f

Final note: If this patch breaks in a later version of Django, please be
very careful on how you fix it, you might not see test failures locally.
That said, this patch hopefully doesn't produce even more failures.

Backport of 73a610d2a8 from master.
2013-09-17 18:42:19 +02:00
Ramiro Morales efcf4d2bd9 [1.5.x] Reworded a paragraph in the logging docs.
9d12f68a53 from master.
2013-09-16 17:53:02 -03:00
Tim Graham 12a30e9221 [1.5.x] Cleaned up 1.5.4/1.4.8 release notes
Backport of 8d29005524 from master
2013-09-15 14:25:34 -04:00
Tim Graham ae5f4a04b4 [1.5.x] Bump version post-release. 2013-09-15 12:59:53 -04:00
Florian Apolloner 4770fc1c62 [1.5.x] (Hopefully) fixed a failure in a selenium test.
No forward port to 1.6 since it has new transactionmanagement. The
wait_page_loaded should ensure that the liveserver has time to tear
down properly after the submit.
2013-09-15 10:44:29 +02:00
James Bennett 4607c7325d [1.5.x] Add release notes and bump version numbers for 1.5.4 security release. 2013-09-15 00:29:31 -06:00
Russell Keith-Magee 22b74fa09d [1.5.x] Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96d57 from master.
2013-09-15 13:48:15 +08:00
Minjong Chung e66fe357b2 Fixed #21102 -- pickling a QuerySet with prefetches twice
Fixed the bug that a QuerySet that prefetches related objects cannot be
pickled and unpickled more than once (The second pickling attempt
raises an exception).

Added a new test for the queryset pickling idempotency.

The bug was introduced by
bac187c0d8.
2013-09-14 10:03:03 +03:00
Goetz dbc2e8eb73 [1.5.x] Fixed #21101 -- Updated urlize documentation to mention email addresses
Backport of 39b49fd339 from master
2013-09-13 12:42:47 -04:00
Tim Graham 61de57260b [1.5.x] Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
Thanks Collin Anderson for the report.

Backport of 425d076d0c from master
2013-09-13 09:40:15 -04:00
Tim Graham 7cfb5243f1 [1.5.x] Fixed #21094 -- Updated reusable apps tutorial to use pip for installation.
Thanks ylb415 at gmail.com for the suggestion.

Backport of e4aab1bb8d from master
2013-09-13 09:30:20 -04:00
Kevin Christopher Henry 61867e226d [1.5.x] Documentation -- added instructions on working with pull requests
Since non-core contributors are asked to review patches, instructions
on working with pull requests were added to the Working with Git and
GitHub page (based on the existing instructions in the core
committers page).

Backport of 990ce9aab9 from master
2013-09-13 08:27:28 -04:00
Tim Graham 169594f5ae [1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
2013-09-11 08:18:52 -04:00
Kevin Christopher Henry 2a7d3030f9 [1.5.x] Documentation -- Improved description of cache arguments
- Fixed some grammar and formatting mistakes
- Added the type and default for CULL_FREQUENCY
- Made the note on culling the entire cache more precise. (It's actually
  slower on the filesystem backend.)

Backport of 5eca021d48 from master
2013-09-11 07:43:29 -04:00
Tim Graham 91a073a337 [1.5.x] Bump version post-release. 2013-09-11 07:04:04 -04:00
James Bennett 0a34f39759 [1.5.x] Bump version numbers for 1.5.3 security release. 2013-09-10 20:25:27 -05:00
Tim Graham 42e8fabb59 [1.5.x] Added 1.4.7/1.5.3 release notes
Backport of baec6a26dd from master
2013-09-10 21:08:34 -04:00
Tim Graham 988b61c550 [1.5.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656c9 from master
2013-09-10 21:05:03 -04:00
oz123 693ebff1a4 [1.5.x] Fixed #21075 - Improved doc for calling call_command with arguments.
Backport of fca4c4826e from master
2013-09-10 09:18:20 -04:00
Садовский Николай aa50b7e837 [1.5.x] Fixed #20707 -- Added explicit quota assignment to Oracle test user
To enable testing on Oracle 12c
2013-09-09 13:07:39 +03:00
Tim Graham 9d3a66aa9f [1.5.x] Fixed #20005 -- Documented that Oracle databases need execute permission on SYS.DBMS_LOB.
Thanks jafula for the suggestion.

Backport of a86ecc80a2 from master
2013-09-07 14:01:10 -04:00
Keith Edmiston 37587624bf [1.5.x] Fixed #16992 -- Added InnoDB warning regarding reuse of AUTO_INCREMENT values.
Thanks kent at nsc.liu.se for the report.

Backport of c54fa1a7bc from master
2013-09-07 12:17:01 -04:00
Keith Edmiston afc624cab0 [1.5.x] Fixed #19295 -- Documented that CachedStaticFilesStorage isn't compatible with runserver --insecure.
Backport of 028db97503 from master
2013-09-06 17:31:04 -04:00
Tim Graham 5d029f2222 [1.5.x] Fixed #20646 -- Clarified the use of AbstractBaseUser.REQUIRED_FIELDS
Thanks craigbruce.

Backport of db3de52807 from master
2013-09-06 16:06:51 -04:00
micahhausler e62f391022 [1.5.x] Fixed #21047 -- Added CLA message on the new contributor advice doc
Backport of 93dd31cadf from master
2013-09-05 17:55:09 -04:00
Tim Graham d6b11b0abb [1.5.x] Fixed #20900 -- Documented RemoteUserBackend.authenticate
Backport of 7b62b80693 from master
2013-09-05 06:32:55 -04:00
Claude Paroz 406fd9f97f Fixed #19211 -- Adapted tutorial for Python 3
Backport of 7cc3acbb7 from master.
2013-09-05 08:53:24 +02:00
Tim Graham 8f4552adf1 [1.5.x] Fixed #20958 -- Documented that GenericForeignKey fields can't be accessed in forms.
Thanks marky1991.

Backport of 533d1ab334 from master
2013-09-04 13:19:46 -04:00
Tim Graham bc78ffa270 [1.5.x] Fixed #21002 -- Documented JSON session serialization requires string keys
Thanks jeroen.pulles at redslider.net for the report.

Backport of 3baf1d1042 from master.
2013-09-04 10:55:33 -04:00
Loic Bistuer c9a021b042 [1.5.x] Made the doc about translating string literals in templates more prominent.
Backport of 9885f07757 from master
2013-08-31 09:52:49 -04:00
Jorge C. Leitão 6f44ef16cb [1.5.x] Added links to file docs.
Backport of d72f83c410 from master
2013-08-29 12:49:32 -04:00
Phaneendra Chiruvella 50d9bed1d5 [1.5.x] Minor spelling correction in ModelForms docs
Backport of 2fbf949760 from master
2013-08-28 07:12:43 -04:00
Krzysztof Jurewicz d3b7b6a7a4 [1.5.x] Fixed #20981 -- Noted the default value of disable_existing_loggers.
Backport of 095643e691 from master
2013-08-27 10:27:49 -04:00
Jan Böcker 98635f2a0e [1.5.x] Fixed typo in docs/topics/conditional-view-processing.txt
Backport of 5fd2c979cb from master
2013-08-27 09:22:51 -04:00
Ramiro Morales 5547ba743c [1.5.x] Typos introduced in 57c82f909b. 2013-08-22 22:35:10 -03:00
Tim Graham 616a4d385a [1.5.x] Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.

Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.

Backport of b0ce6fe656 from master
2013-08-22 17:49:11 -04:00
Kevin Christopher Henry 1b236048b9 [1.5.x] Documentation -- Clarified use of 'view' in test client introduction.
Backport of 2e926b041c from master
2013-08-22 09:39:21 -04:00
Marc Tamlyn 3b32b1544f [1.5.x] Fixed #20944 -- Removed inaccurate statement about View.dispatch().
Backport of bac4d03ce6 from master
2013-08-22 09:21:41 -04:00
Ramiro Morales 9a7d59e8c7 [1.5.x] Made description of LANGUAGE_CODE setting more clear.
297f5af222 from master.
2013-08-22 08:34:19 -03:00
Kevin Christopher Henry bbe2ad3e38 [1.5.x] Documentation - Noted that OneToOneField doesn't respect unique.
Added OneToOneField to the list of model fields for which the unique
argument isn't valid. (OneToOneFields are inherently unique, and if
the user supplies a value for unique it is ignored / overwritten.)
2013-08-20 21:21:40 -07:00
Aymeric Augustin adf70506b9 [1.5.x] Fixed a rest mistake I introduced in d5ce2ff.
Backport of 753edfa4b5 from master
2013-08-15 13:09:28 -04:00
Erik Romijn 2b750fff56 [1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning
Backport of d5ce2ff5e4 from master
2013-08-15 12:21:14 -04:00
Tim Graham cb2fee567f [1.5.x] Fixed link in 1.5.2 release notes 2013-08-14 13:11:58 -04:00
Tim Graham 3a829bf75a [1.5.x] Added some doc links for django.contrib.messages
Backport of b6178fa24b from master
2013-08-14 13:05:30 -04:00
Jacob Kaplan-Moss f24ae3373b Bump version post-release. 2013-08-13 12:17:27 -05:00
Tim Graham 5fdd6af1eb Added 1.4.6/1.5.2 release notes. 2013-08-13 11:17:17 -05:00