p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
29,342 Commits 28 Branches 411 Tags 641 MiB
Commit Graph

3920 Commits

Author SHA1 Message Date
Mariusz Felisiak 0b5a66b0d9 [3.2.x] Fixed docs header underlines in security archive. 
Backport of d9cee3f5f2 from main
 2021-06-02 12:24:26 +02:00
Carlton Gibson 66cc97c6b3 [3.2.x] Added stub release notes for Django 3.2.5. 
Backport of ba10772bf6 from main
 2021-06-02 11:26:00 +02:00
Carlton Gibson 1aa7bcf482 [3.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive. 
Backport of a39f235ca4 from main
 2021-06-02 11:16:43 +02:00
Mariusz Felisiak 9f75e2e562 [3.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses. 
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
 2021-06-02 10:44:39 +02:00
Florian Apolloner dfaba12cda [3.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView. 2021-06-02 10:44:39 +02:00
Carlton Gibson aed1409558 [3.2.x] Confirmed release date for Django 3.2.4, 3.1.12, and 2.2.24. 
Backport of f66ae7a2d5 from main
 2021-06-02 10:20:17 +02:00
Mariusz Felisiak 94675a7633 [3.2.x] Fixed #32793 -- Fixed loss of precision for temporal operations with DecimalFields on MySQL. 
Regression in 1e38f1191d.

Thanks Mohsen Tamiz for the report.
Backport of e703b152c6 from main
 2021-06-01 15:13:10 +02:00
Mariusz Felisiak 246a31a843 [3.2.x] Fixed #32783 -- Fixed crash of autoreloader when __main__ module doesn't have __spec__ attribute. 
Regression in ec6d2531c5.

Thanks JonathanNickelson for the report.
Backport of 12b19a1d76 from main
 2021-05-26 11:20:05 +02:00
Carlton Gibson 4ba4c07e4e [3.2.x] Added stub release notes and date for Django 3.2.4, 3.1.12, and 2.2.24. 
Backport of b46dbd4e3e from main
 2021-05-26 10:17:27 +02:00
Hasan Ramezani c0d506f5ef [3.2.x] Fixed #32744 -- Normalized to pathlib.Path in autoreloader check for template changes. 
Backport of 68357b2ca9 from main
 2021-05-26 10:08:58 +02:00
Mariusz Felisiak 143d2a4bbf [3.2.x] Changed IRC references to Libera.Chat. 
Backport of 66491f08fe from main.
 2021-05-20 12:25:07 +02:00
Carlton Gibson a173202dd4 [3.2.x] Fixed #32740 -- Caught possible exception when initializing colorama. 
Backport of c2e6047c72 from main
 2021-05-19 11:16:13 +02:00
Mariusz Felisiak 41e2aa7eb2 [3.2.x] Fixed #32747 -- Prevented initialization of unused caches. 
Thanks Alexander Ebral for the report.

Regression in 98e05ccde4.

Backport of 958cdf65ae from main
 2021-05-18 20:23:26 +02:00
Rust Saiargaliev 349bb58b8a [3.2.x] Fixed #32733 -- Skipped system check for specifying type of auto-created primary keys on abstract models. 
Regression in b5e12d490a.

Backport of a24fed399c from main
 2021-05-18 13:20:55 +02:00
Slava Skvortsov ce78bc9808 [3.2.x] Fixed #32754 -- Made AdminSite.catch_all_view() respect SCRIPT_NAME. 
Regression in ba31b01034.

Backport of f7691d4812 from main
 2021-05-18 09:58:49 +02:00
Nick Pope cb91b2d9e3 [3.2.x] Refs #32720 -- Updated various links in docs to avoid redirects and use HTTPS. 
Backport of c156e36955 from main
 2021-05-17 12:16:09 +02:00
Nick Pope 55b89e8cac [3.2.x] Refs #32720 -- Fixed some broken links in docs. 
Backport of 7c4ee487c7 from main
 2021-05-17 12:14:20 +02:00
Nick Pope 0c19b075b2 [3.2.x] Refs #32720 -- Used full hashes in security archive. 
Backport of 1c3bbcf802 from main
 2021-05-17 12:13:57 +02:00
Mariusz Felisiak f844c0c33a [3.2.x] Corrected commit hashes for security patches. 
Backport of df5c96299a from main
 2021-05-17 12:13:44 +02:00
Nick Pope 80cf193d32 [3.2.x] Refs #32720 -- Used :commit: and :source: role in old release notes. 
Backport of 8c4caee76a from main
 2021-05-17 12:13:31 +02:00
Mariusz Felisiak 1037825eed [3.2.x] Added stub release notes for Django 3.2.4. 
Backport of 820408d842 from main
 2021-05-13 09:45:39 +02:00
Mariusz Felisiak 224b8e5a5a [3.2.x] Fixed #32718 -- Relaxed file name validation in FileField. 
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.
Backport of b55699968f from main
 2021-05-13 08:55:00 +02:00
Simon Charette 386caa5445 [3.2.x] Fixed #32717 -- Fixed filtering of querysets combined with the | operator. 
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc.

Thanks Shaheed Haque for the report.

Backport of b81c7562fc from main
 2021-05-13 07:53:56 +02:00
Nick Pope 4318e60a80 [3.2.x] Fixed #32732 -- Removed usage of deprecated 'db' and 'passwd' connection options in MySQL backend. 
The 'db' and 'passwd' connection options have been deprecated, use
'database' and 'password' instead (available since mysqlclient >= 1.3.8).

This also allows the 'database' option in DATABASES['OPTIONS'] on MySQL.

Backport of 1061f52436 from main
 2021-05-12 13:35:13 +02:00
Mariusz Felisiak dc7b495dae [3.2.x] Refs #32718 -- Corrected CVE-2021-31542 release notes. 
Backport of d1f1417cae from main
 2021-05-12 10:42:32 +02:00
Mariusz Felisiak 8afb677ce7 [3.2.x] Added stub release notes for Django 3.2.3. 
Backport of 29779075d7 from main
 2021-05-06 10:11:32 +02:00
Mariusz Felisiak 0262579f2e [3.2.x] Added CVE-2021-32052 to security archive. 
Backport of efebcc429f from main
 2021-05-06 10:03:45 +02:00
Mariusz Felisiak 2d2c1d0c97 [3.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4 from main.
 2021-05-06 08:48:22 +02:00
Simon Charette 364098fdac [3.2.x] Fixed #32714 -- Prevented recreation of migration for Meta.ordering with OrderBy expressions. 
Regression in c8b6594305.

Thanks Kevin Marsh for the report.

Backport of 96f55ccf79 from main
 2021-05-05 08:44:37 +02:00
Carlton Gibson df801dde33 [3.2.x] Added CVE-2021-31542 to security archive. 
Backport of 607ebbfba9 and
62b2e8b37e from main
 2021-05-04 11:10:50 +02:00
Carlton Gibson 04d8ed3660 [3.2.x] Added stub release notes for Django 3.2.2. 
Backport of 5a43cfe245 from main
 2021-05-04 11:02:11 +02:00
Florian Apolloner c98f446c18 [3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:43:52 +02:00
Carlton Gibson bac416972d [3.2.x] Refs #32674 -- Noted that auto-created through table PKs cannot be automatically migrated. 
Backport of 907d3a7ff4 from main
 2021-04-29 15:14:15 +02:00
Simon Charette d5add5d3a2 [3.2.x] Fixed #32632, Fixed #32657 -- Removed flawed support for Subquery deconstruction. 
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible to their reference
to model classes.

Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).

Thanks Phillip Cutter for the report.

This also fixes a performance regression in bbf141bcdc.

Backport of c8b6594305 from main
 2021-04-28 20:27:42 +02:00
Konstantin Alekseev 55cb3c8ac1 [3.2.x] Fixed #32687 -- Restored passing process’ environment to underlying tool in dbshell on PostgreSQL. 
Regression in bbe6fbb876.

Backport of 6e742dabc9 from main.
 2021-04-27 12:02:06 +02:00
Mariusz Felisiak 34981f399a [3.2.x] Fixed #32682 -- Made admin changelist use Exists() instead of distinct() for preventing duplicates. 
Thanks Zain Patel for the report and Simon Charette for reviews.

The exception introduced in 6307c3f1a1
revealed a possible data loss issue in the admin.

Backport of 1871182031 from main
 2021-04-27 10:39:55 +02:00
Zain Patel 0dfe88eaba [3.2.x] Fixed #32681 -- Fixed VariableDoesNotExist when rendering some admin template. 
Regression in 84609b3205.

Backport of 4e5bbb6ef2 from main.
 2021-04-26 12:52:33 +02:00
Simon Charette 48e19bae49 [3.2.x] Fixed #32650 -- Fixed handling subquery aliasing on queryset combination. 
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).

Thanks Raffaele Salmaso for the report.

Backport of 6d0cbe42c3 from main
 2021-04-21 10:32:39 +02:00
Mariusz Felisiak 1cc2eaf02d [3.2.x] Fixed #32665 -- Fixed caches system check crash when STATICFILES_DIRS is a list of 2-tuples. 
Thanks Jared Lockhart for the report.

Regression in c36075ac1d.
Backport of 34d1905712 from main
 2021-04-21 09:42:43 +02:00
Carlton Gibson 54d5bfa9c5 [3.2.x] Fixed #32647 -- Restored multi-row select with shift-modifier in admin changelist. 
Regression in 30e59705fc.

Backport of 5c73fbb6a9 from main
 2021-04-21 09:08:34 +02:00
Florian Apolloner 539d005aa5 [3.2.x] Fixed #32643 -- Fixed decoding of messages in the pre-Django 3.2 format. 
Thanks Jan Pieter Waagmeester for the report.

Regression in 2d6179c819.

Backport of 4511d14598 from main.
 2021-04-15 07:58:48 +02:00
Mariusz Felisiak 208e72276a [3.2.x] Fixed #32645 -- Fixed QuerySet.update() crash when ordered by joined fields on MySQL/MariaDB. 
Thanks Matt Westcott for the report.

Regression in 779e615e36.
Backport of ca98729055 from main
 2021-04-14 21:13:27 +02:00
Jonathan Richards d0267690f8 [3.2.x] Fixed #32548 -- Fixed crash when combining Q() objects with boolean expressions. 
Backport of 00b0786de5 from main.

Regression in 466920f6d7.
 2021-04-14 19:46:45 +02:00
Arthur Jovart 65dfb06a1a [3.2.x] Fixed #32648 -- Fixed VariableDoesNotExist rendering sitemaps template. 
Backport of 08c60cce3b from main
 2021-04-14 19:44:10 +02:00
Mariusz Felisiak 59cce8237c [3.2.x] Fixed #32649 -- Fixed ModelAdmin.search_fields crash when searching against phrases with unbalanced quotes. 
Thanks Dlis for the report.

Regression in 26a413507a.
Backport of 23fa29f6a6 from main
 2021-04-14 12:24:11 +02:00
Hasan Ramezani 700356f93b [3.2.x] Fixed #32635 -- Fixed system check crash for reverse o2o relations in CheckConstraint.check and UniqueConstraint.condition. 
Regression in b7b7df5fbc.

Thanks Szymon Zmilczak for the report.

Backport of a77c9a4229 from main
 2021-04-14 10:32:07 +02:00
Mariusz Felisiak d6314c4c2e [3.2.x] Fixed #32637 -- Restored exception message on technical 404 debug page. 
Thanks Atul Varma for the report.
Backport of 3b8527e32b from main
 2021-04-13 09:15:25 +02:00
Iuri de Silvio b245845575 [3.2.x] Fixed #32627 -- Fixed QuerySet.values()/values_list() crash on combined querysets ordered by unannotated columns. 
Backport of 9760e262f8 from main
 2021-04-13 06:16:19 +02:00
Adam Johnson 49e618f4af [3.2.x] Fixed #32620 -- Allowed subclasses of Big/SmallAutoField for DEFAULT_AUTO_FIELD. 
Backport of 45a58c31e6 from main
 2021-04-08 13:44:21 +02:00
Carlton Gibson 55da04488e [3.2.x] Corrected release number format in 3.2.1 release notes. 
Backport of 3f2920ae1d from main
 2021-04-07 19:45:29 +02:00