Commit Graph

32891 Commits

Author SHA1 Message Date
Natalia aa52930687 Added CVE-2024-45230 and CVE-2024-45231 to security archive. 2024-09-03 11:19:02 -03:00
Natalia 60073a3e6b Added stub release notes for 5.1.2. 2024-09-03 10:01:46 -03:00
Natalia 8c35a0a903 Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
2024-09-03 09:22:32 -03:00
Sarah Boyce 320dd27412 Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-09-03 09:22:32 -03:00
Adam Johnson f5ddd54986 Fixed #35704 -- Fixed reduction for AddIndex subclasses. 2024-09-03 12:51:06 +02:00
github-user-en ad7f8129f3 Added EMAIL_USE_SSL to the 'Core Settings Topical Index' docs. 2024-09-03 10:16:20 +02:00
sanjeevholla26 4470d1f156 Refs #35706 -- Replaced template _('...') usages with translate tag. 2024-09-03 10:16:05 +02:00
Tim Graham 6f9c6678bf Added assertion for the results of migrating an integer pk to SmallAutoField.
Follow up to 7ca42974ee which did the same for
similar tests.
2024-09-03 08:22:39 +02:00
Jacob Walls 4082a8886e Fixed #35724 -- Tested migration commands handling of distributed namespace packages.
Also increased coverage of module_loading.py.
2024-09-03 08:07:53 +02:00
Alex Fischer c6a4f853c7 Fixed #35712 -- Prevented Q.check() from leaving the connection in an unusable state.
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-09-02 17:00:55 +02:00
sanjeevholla26 387475c5b2 Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.
This improves the screen reader experience.
2024-09-02 15:19:33 +02:00
John Parton e4a2e22ddb Fixed #35690 -- Errored nicely when using in_bulk() with a values() or values_list() queryset. 2024-09-02 15:04:52 +02:00
Sarah Boyce fd1dd76778 Fixed #35716 -- Fixed VariableDoesNotExist when rendering admin fieldsets.
Regression in 01ed59f753.

Thank you to Fábio Domingues and Marijke Luttekes for the report,
and thank you to Natalia Bidart for the review.
2024-08-30 20:49:27 +02:00
Adam Johnson 20d44abb41 Fixed #35700 -- Added AlterModelTable and AlterModelTableComment reductions. 2024-08-30 18:50:12 +02:00
Vaarun Sinha 884ce37479 Fixed #35083 -- Updated method_decorator to handle async methods.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2024-08-30 08:54:49 -03:00
Claude Paroz 2c1f27d0d0 Dropped safeguards against very old versions of gettext.
gettext 0.19 was released in 2014.
2024-08-30 13:39:04 +02:00
SaJH 2ff00251f9 Fixed #35669 -- Improved max post-process passes exceeded error message in HashedFilesMixin.
Signed-off-by: SaJH <wogur981208@gmail.com>
2024-08-30 10:00:51 +02:00
Hisham Mahmood 2b2a2c0e26 Fixed #35702 -- Removed connection pooling note for mysql drivers. 2024-08-30 09:08:32 +02:00
Sarah Boyce 7380ac5734 Fixed #35688 -- Restored timezone and role setters to be PostgreSQL DatabaseWrapper methods.
Following the addition of PostgreSQL connection pool support in
Refs #33497, the methods for configuring the database role and timezone
were moved to module-level functions. This change prevented subclasses
of DatabaseWrapper from overriding these methods as needed, for example,
when creating wrappers for other PostgreSQL-based backends.

Thank you Christian Hardenberg for the report and to
Florian Apolloner and Natalia Bidart for the review.

Regression in fad334e1a9.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-08-28 19:25:07 -03:00
Adam Johnson 26a67943ac Removed outdated note about lack of subquery support in MySQL. 2024-08-28 15:55:30 -03:00
Jacob Walls 920efe503f Fixed typos in docs/howto/initial-data.txt. 2024-08-28 15:24:07 -03:00
Simon Charette 57307bbc7d Fixed #35666 -- Documented stacklevel usage and testing, and adjusted test suite accordingly.
Over the years we've had multiple instances of hit and misses when
emitting warnings: either setting the wrong stacklevel or not setting
it at all.

This work adds assertions for the existing warnings that were declaring
the correct stacklevel, but were lacking tests for it.
2024-08-28 11:44:05 -03:00
Simon Charette 39abd56a7f Refs #35405 -- Adjusted deprecation warning stacklevel in FieldCacheMixin.get_cache_name(). 2024-08-28 11:44:05 -03:00
Simon Charette 47f18a7226 Refs #35326 -- Adjusted deprecation warning stacklevel in FileSystemStorage.OS_OPEN_FLAGS. 2024-08-28 11:44:05 -03:00
Simon Charette 52ed2b645e Refs #35060 -- Adjusted deprecation warning stacklevel in Model.save()/asave(). 2024-08-28 11:44:05 -03:00
Simon Charette a69f895d7d Refs #34547 -- Adjusted deprecation warning stacklevel in DatabaseOperations.field_cast_sql(). 2024-08-28 11:44:05 -03:00
Simon Charette c042fe3a74 Refs #33735 -- Adjusted warning stacklevel in StreamingHttpResponse.__iter__()/__aiter__(). 2024-08-28 11:44:05 -03:00
Simon Charette 7e6e1c8383 Refs #32339 -- Adjusted deprecation warning stacklevel in transitional form renderers. 2024-08-28 11:44:05 -03:00
Simon Charette 6bd5d4f705 Refs #22712 -- Adjusted deprecation warning stacklevel in staticfiles finders. 2024-08-28 11:44:05 -03:00
Simon Charette 8ee17037ae Refs #16055 -- Adjusted deprecation warning stacklevel in get_joining_columns()/get_reverse_joining_columns(). 2024-08-28 11:44:05 -03:00
Simon Charette 5e81a4e790 Refs #12581 -- Adjusted warning stacklevel in queries ring buffer. 2024-08-28 11:44:05 -03:00
Mariusz Felisiak 2b9f0b79bc Fixed typo in docs/ref/models/expressions.txt. 2024-08-28 09:08:16 -03:00
Mariusz Felisiak fed11ba461 Fixed typo in docs/ref/models/expressions.txt. 2024-08-28 09:08:16 -03:00
Mariusz Felisiak 07a4d23283 Refs #34900 -- Updated requirements for Python 3.13. 2024-08-28 09:02:47 -03:00
Adam Johnson 2b71b2c8dc Refs #34609 -- Fixed deprecation warning stack level in format_html().
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-27 15:14:50 -03:00
Natalia b941de340d Fixed grammatical error in stub release notes for upcoming security release. 2024-08-27 09:46:12 -03:00
Natalia 67efd42517 Added stub release notes and release date for 5.1.1, 5.0.9, and 4.2.16. 2024-08-27 09:24:15 -03:00
Tim Graham bc9b6251e0 Added supports_sequence_reset skip in backends tests. 2024-08-26 12:53:08 -03:00
Tim Graham 6a85c888bf Added supports_select_union skips in queries and aggregation tests. 2024-08-26 12:53:08 -03:00
Maarten Breddels cdcd604ef8 Fixed #35703 -- Made technical_404_response() respect SCRIPT_NAME to return default_urlconf(). 2024-08-23 18:07:47 +02:00
Giovanni Fabbretti f72bbd4480 Fixed #35689 -- Handled custom labels in LabelCommand.missing_args_message. 2024-08-23 17:26:28 +02:00
Natalia 47b921391f Removed unnecessary trailing slashes in Sphinx intersphinx_mapping URLs. 2024-08-23 11:15:16 -03:00
David Smith 0304f677ca Updated Sphinx source_suffix setting to use a mapping.
Since Sphinx 1.8 this setting should be a mapping of file extensions to
file types. Before this change, Sphinx 8+ would show the following when
building docs:

Converting `source_suffix = '.txt'` to `source_suffix = {'.txt': 'restructuredtext'}`
2024-08-23 11:15:16 -03:00
nessita 046a354217 Added helper and refactored PasswordResetFormTest to unify email sending tests. 2024-08-23 11:13:31 -03:00
nessita 7adb6dd98d Sorted alphabetically forms list in docs/topics/auth/default.txt. 2024-08-22 09:14:11 -03:00
Hisham Mahmood 519087819e Fixed #35695 -- Ensured FileFields use a storage pointing to a temp directory in model_fields tests. 2024-08-21 08:51:25 -03:00
Marijke Luttekes ba46b09f31 Updated GitHub PR template headings to level 4.
GitHub pull request descriptions are rendered as a comment. Comment
titles, which include the PR author, render in a h3. Hence, titles
within the comment body should be header level 4. This makes pull
request descriptions more accessible to screen readers.
2024-08-20 12:51:25 +02:00
Sarah Boyce d9ae7f5b58 Fixed #35686 -- Added table headers to app list tables for screen readers. 2024-08-20 09:05:16 +02:00
nabil-rady 231c0d8593 Fixed #35668 -- Added mapping support to format_html_join. 2024-08-20 08:20:34 +02:00
Clifford Gama ca1318988c Fixed #35671 -- Clarified string-based fields behavior when null=False. 2024-08-20 08:09:39 +02:00