Claude Paroz
552f03869e
Added safety to URL decoding in is_safe_url() on Python 2
...
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218
and ada7a4aef
.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
...
This fixes a regression introduced by c5544d2892
.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Moritz Sichert
87994b40b3
Refs #25653 -- Corrected help text for runtests.py --selenium option.
2016-03-03 18:21:07 -05:00
Jon Dufresne
4e2da368db
Cleaned up TestStaticFilePermissions to use call_command().
2016-03-03 21:58:23 +01:00
Simon Charette
d0451e4cad
Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.
...
Thanks Tim for the review.
2016-03-03 12:08:49 -05:00
Simon Charette
c92123cc1d
Fixed #26226 -- Made related managers honor the queryset used for prefetching their results.
...
Thanks Loïc for the suggested improvements and Tim for the review.
2016-03-02 16:10:18 -05:00
Simon Charette
5d240b070d
Refs #17001 -- Added a test for custom prefetch related queryset on generic relations.
2016-03-02 16:08:37 -05:00
Marc Tamlyn
8ddc79a799
Fixed #26285 -- Deprecated the MySQL-specific __search lookup.
2016-03-02 14:41:56 -05:00
acrefoot
04240b2365
Refs #19527 -- Allowed QuerySet.bulk_create() to set the primary key of its objects.
...
PostgreSQL support only.
Thanks Vladislav Manchev and alesasnouski for working on the patch.
2016-03-02 14:29:09 -05:00
Matthew Schinckel
60633ef3de
Fixed #26304 -- Ignored unmanaged through model in table introspection.
2016-03-02 13:54:27 -05:00
Alasdair Nicol
8c42cf0cbd
Fixed #26303 -- Updated links to mod_wsgi docs.
2016-03-01 19:22:32 -05:00
Florian Apolloner
67b46ba701
Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
Mark Striemer
c5544d2892
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
Alasdair Nicol
65bd053f11
Fixed #26229 -- Improved check for model admin check admin.E124
...
Refs #22792
2016-03-01 08:20:14 -05:00
Simon Charette
0223e213dd
Fixed #26186 -- Documented how app relative relationships of abstract models behave.
...
This partially reverts commit bc7d201bdb
.
Thanks Tim for the review.
Refs #25858 .
2016-02-29 22:07:05 -05:00
Jon Dufresne
eac1423f9e
Removed obsolete test CreatesuperuserManagementCommandTestCase.test_nolocale.
...
Test was added in 4c934f3921
to verify that
the commend works when locale.getdefaultlocale() doesn't return a locale.
getdefaultlocale() no longer runs at runtime, so the test isn't needed.
2016-02-29 08:46:37 -05:00
chenesan
b84f5ab4ec
Fixed #26230 -- Made default_related_name affect related_query_name.
2016-02-27 08:48:32 -05:00
Attila Tovt
5e2c4d7afb
Fixed #26264 -- Fixed prefetch_related() crashes with values_list(flat=True)
2016-02-26 19:26:15 -05:00
Tore Lundqvist
3389c5ea22
Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests.
...
Thanks Simon Charette for the review.
2016-02-26 18:56:56 -05:00
Simon Charette
3938b3ccaa
Fixed #26286 -- Prevented content type managers from sharing their cache.
...
This should prevent managers methods from returning content type instances
registered to foreign apps now that these managers are also attached to models
created during migration phases.
Thanks Tim for the review.
Refs #23822 .
2016-02-26 16:18:16 -05:00
Adam Chainz
ef33bc2d4d
Fixed #25279 -- Made prefetch_related_objects() public.
2016-02-26 14:55:01 -05:00
Yoong Kang Lim
d5f89ff6e8
Fixed #24974 -- Fixed inheritance of formfield_callback for modelform_factory forms.
2016-02-26 12:27:27 -05:00
Simon Charette
766afc22a1
Fixed #24793 -- Unified temporal difference support.
2016-02-26 12:25:12 -05:00
Simon Charette
31098e3288
Used setUpTestData for the timedelta expression tests.
2016-02-26 12:25:12 -05:00
Simon Charette
62ea86448e
Cleaned up session backends tests.
...
Made SessionTestsMixin backend agnostic and removed code obsoleted by the test
discovery refactor.
2016-02-26 11:22:33 -05:00
Ivan Tsouvarev
8890c533e0
Fixed #26280 -- Fixed cached template loader crash when loading nonexistent template.
2016-02-26 08:02:10 -05:00
Edwar Baron
eb44172760
Fixed #25811 -- Added a helpful error when making _in queries across different databases.
2016-02-26 07:31:56 -05:00
Tim Graham
7fec264e46
Removed try/fail antipattern from model_options tests.
2016-02-25 20:04:51 -05:00
Nick Malakhov
ee69789f45
Fixed #26269 -- Prohibited spaces in is_valid_ipv6_address().
2016-02-25 18:52:50 -05:00
Scott Sexton
fc584f0685
Fixed #26117 -- Consulted database routers in initial migration detection.
...
Thanks Simon Charette for help.
2016-02-25 09:56:00 -05:00
Olivier Le Thanh Duong
10781b4c6f
Fixed #12233 -- Allowed redirecting authenticated users away from the login view.
...
contrib.auth.views.login() has a new parameter `redirect_authenticated_user`
to automatically redirect authenticated users visiting the login page.
Thanks to dmathieu and Alex Buchanan for the original code and to Carl Meyer
for the help and review.
2016-02-25 07:18:33 -05:00
Claude Paroz
4c18a8a378
Fixed #14098 -- Prevented crash for introspection errors in inspectdb
...
Thanks Tim Graham for the review.
2016-02-25 08:43:56 +01:00
Tim Graham
8ad7b8118c
Used addCleanup() to call recorder.flush() in migration loader tests.
2016-02-24 11:22:09 -05:00
Claude Paroz
c5517b9e74
Fixed #26266 -- Output the primary key in the GeoJSON serializer properties
...
Thanks Tim Graham for the review.
2016-02-24 16:10:46 +01:00
Jon Dufresne
b412681359
Fixed #26267 -- Fixed BoundField to reallow slices of subwidgets.
2016-02-24 07:02:51 -05:00
James Aylett
1ff6e37de4
Fixed #23832 -- Added timezone aware Storage API.
...
New Storage.get_{accessed,created,modified}_time() methods convert the
naive time from now-deprecated {accessed,created_modified}_time()
methods into aware objects in UTC if USE_TZ=True.
2016-02-23 18:51:43 -05:00
Claude Paroz
eda306f1ce
Fixed #26232 -- Fixed Popen mocking environment in i18n tests
...
Refs #25925 . Thanks Jeroen Pulles for the report.
2016-02-23 20:06:18 +01:00
Simon Charette
c30086159d
Used setupTestData in prefetch_related tests.
2016-02-23 13:53:58 -05:00
Aymeric Augustin
7f6fbc906a
Prevented static file corruption when URL fragment contains '..'.
...
When running collectstatic with a hashing static file storage backend,
URLs referencing other files were normalized with posixpath.normpath.
This could corrupt URLs: for example 'a.css#b/../c' became just 'c'.
Normalization seems to be an artifact of the historical implementation.
It contained a home-grown implementation of posixpath.join which relied
on counting occurrences of .. and /, so multiple / had to be collapsed.
The new implementation introduced in the previous commit doesn't suffer
from this issue. So it seems safe to remove the normalization.
There was a test for this normalization behavior but I don't think it's
a good test. Django shouldn't modify CSS that way. If a developer has
rendundant /s, it's mostly an aesthetic issue and it isn't Django's job
to fix it. Conversely, if the user wants a series of /s, perhaps in the
URL fragment, Django shouldn't destroy it.
Refs #26249 .
2016-02-23 19:35:16 +01:00
Aymeric Augustin
706b33fef8
Fixed #26249 -- Fixed collectstatic crash for files in STATIC_ROOT referenced by absolute URL.
...
collectstatic crashed when:
* a hashing static file storage backend was used
* a static file referenced another static file located directly in
STATIC_ROOT (not a subdirectory) with an absolute URL (which must
start with STATIC_URL, which cannot be empty)
It seems to me that the current code reimplements relative path joining
and doesn't handle edge cases correctly. I suspect it assumes that
STATIC_URL is of the form r'/[^/]+/'.
Throwing out that code in favor of the posixpath module makes the logic
easier to follow. Handling absolute paths correctly also becomes easier.
2016-02-23 19:34:21 +01:00
Tim Graham
c62807968d
Fixed a stray __unicode__() method in auth_tests.
2016-02-23 13:20:50 -05:00
Andrew Kuchev
e81d1c995c
Fixed #25670 -- Allowed dictsort to sort a list of lists.
...
Thanks Tim Graham for the review.
2016-02-23 12:15:08 -05:00
Tim Graham
cdbd8745f6
Fixed #26263 -- Deprecated Context.has_key()
2016-02-23 08:08:55 -05:00
Claude Paroz
269b5f262c
Used call_command return value in staticfiles tests
...
Refs #26190 .
2016-02-23 09:12:12 +01:00
Claude Paroz
b46c0ea6c8
Fixed #26190 -- Returned handle() result from call_command
...
Thanks Tim Graham for the review.
2016-02-23 09:12:12 +01:00
Tim Graham
47b5a6a43c
Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.
2016-02-22 18:59:23 -05:00
Claude Paroz
d43156e1e9
Fixed #26238 -- Raised explicit error for non-editable field in ModelForm
...
Thanks Luke Crouch for the report and Simon Charette for the review.
2016-02-21 00:24:20 +01:00
Akshesh
6670da75ff
Fixed #25653 -- Made --selenium run only the selenium tests.
2016-02-19 14:21:00 -05:00
Tim Graham
032f5a7896
Refs #25735 -- Made @tag decorator importable from django.test.
2016-02-19 14:21:00 -05:00
haxoza
375e1cfe2b
Fixed #25349 -- Allowed a ModelForm to unset a fields with blank=True, required=False.
2016-02-19 14:18:53 -05:00