Commit Graph

2483 Commits

Author SHA1 Message Date
Aymeric Augustin d7094bbce8 [1.3.x] Added a default limit to the maximum number of forms in a formset.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-12 12:13:42 +01:00
Carl Meyer d3a45e10c8 [1.3.x] Checked object permissions on admin history view.
This is a security fix. Disclosure and advisory coming shortly.

Patch by Russell Keith-Magee.
2013-02-12 12:13:42 +01:00
Carl Meyer d19a27066b [1.3.x] Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-12 12:13:42 +01:00
Carl Meyer 27cd872e6e [1.3.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-12 11:41:43 +01:00
Florian Apolloner 6e70f67470 [1.3.X] Fixed a test failure in the comment tests.
Backport of 1eb0da1c5b from master.
2012-12-10 23:37:47 +01:00
Florian Apolloner 2da4ace0bc [1.3.X] Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-03 13:11:34 +01:00
Florian Apolloner 1515eb46da [1.3.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users. 2012-11-17 23:03:15 +01:00
Preston Holmes 6383d2358c Added missed poisoned host header test material 2012-10-18 11:21:54 -07:00
Florian Apolloner 4dea4883e6 [1.3.x] Fixed a security issue in http redirects. Disclosure and new release forthcoming.
Backport of 4129201c3e from master.
2012-07-30 22:03:46 +02:00
Anssi Kääriäinen 7ca10b1dac Reverted "[1.3.x] Fixed #18135 -- Close connection used for db version checking"
This reverts commit a15d3b58d8. Django
1.3.x is in security-fixes-only state, and this wasn't a security
issue.
2012-05-28 20:41:39 +03:00
Michael Newman a15d3b58d8 [1.3.x] Fixed #18135 -- Close connection used for db version checking
On MySQL when checking the server version, a new connection could be
created but never closed. This could result in open connections on
server startup.

Backport of 4423757c0c.
2012-05-27 22:09:49 +03:00
Julien Phalip e293d82c36 [1.3.X] Fixed #17972 -- Ensured that admin filters on a foreign key respect the to_field attribute. This fixes a regression introduced in [14674] and Django 1.3. Thanks to graveyboat and Karen Tracey for the report.
Backport of r17854 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17857 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 18:42:38 +00:00
Aymeric Augustin 0bbe7379ee [1.3.X] Fixed #17634 -- Optimized the performance of MultiValueDict by using append instead of copy and by minimizing the number of dict lookups. Backport of r17464 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17807 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-25 06:53:47 +00:00
Aymeric Augustin 15fb61c62c [1.3.X] Avoided a test failure if the settings module used to run the test suite is called "test_settings".
The globbing feature and this test were removed in 1.4.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17806 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24 13:56:48 +00:00
Aymeric Augustin fd2efb35fb [1.3.X] Fixed #16677 -- Fixed the future version of the ssi template tag to work with template file names that contain spaces. Backport of r16687 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17804 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-24 07:43:24 +00:00
Ramiro Morales 92929d5ef4 [1.3.X] Fixed #17488 -- This test passed in 2011 only because 2012-01-01 is a Sunday. Thanks Florian Apolloner for the report and patch.
Fixes #17912. Thanks Julien for the report.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17759 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-17 12:58:16 +00:00
Julien Phalip 838adb2312 [1.3.X] Ensured that some staticfiles tests get properly cleaned up on teardown. Thanks to Claude Paroz for the patch.
Backport of r17747 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17748 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-16 00:32:42 +00:00
Jannis Leidel 523d6167d6 [1.3.X] Fixed #17737 -- Stopped the collectstatic management command from copying the wrong file in repeated runs. Thanks, pigletto.
Backport from trunk (r17612).

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17613 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-01 23:03:46 +00:00
Chris Beaven b45fbc6667 [1.3.X] Don't let ALLOWED_INCLUDE_ROOTS be accidentally set to a string rather than a tuple.
Backport of r17571 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17572 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-22 00:52:19 +00:00
Aymeric Augustin 813dc01cd8 [1.3.x] Fixed #15496 -- Corrected handling of base64 file upload encoding. Backport of r16176 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17546 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18 10:11:17 +00:00
Aymeric Augustin 9e12492616 [1.3.X] Fixed #17100 -- Typo in the regex for EmailValidator. Backport of r17349 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17350 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-07 18:48:12 +00:00
Aymeric Augustin b5853cf043 [1.3.X] Fixed #16632 -- Crash on responses without Content-Type with IE. Backport of r17196.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17198 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-11 10:09:15 +00:00
Aymeric Augustin 68f37a9081 [1.3.X] Backported the fix for #15852 -- Modified cookie parsing so it can handle duplicate invalid cookie names. Thanks goes to Fredrik Stålnacke for the report and to vung for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@17168 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-03 21:17:41 +00:00
Paul McMillan e3bc259081 [1.3.X] Reverting r16878 (improved admin error message) per advice from jezdez. refs #16837
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16891 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22 22:55:47 +00:00
Paul McMillan 2a4aa8bcf7 [1.3.X] Fixed #16837 -- Improved error messages for admin login. Thanks Wim Feijen for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16878 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-22 05:36:57 +00:00
Russell Keith-Magee 1a76dbefdf [1.3.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data. A security announcement will be made shortly.
Backport of r16760 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16763 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 01:08:24 +00:00
Russell Keith-Magee 2f7fadc38e [1.3.X] Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
Backport of r16758 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16761 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 01:07:50 +00:00
Russell Keith-Magee 8b42dfa47e [1.3.X] Corrected the setup and teardown of the refactored invalid_models test so that it guarantees that stdout is restored, and purges all the temporary models from the app cache after running the test.
Backport of r16670 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16677 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:57:19 +00:00
Russell Keith-Magee e2d7a784c8 [1.3.X] Fixed #16201 -- Ensure that requests with Content-Length=0 don't break the multipart parser. Thanks to albsen for the report and patch.
Backport of r16353 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16676 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:57:01 +00:00
Russell Keith-Magee f317bd20d7 [1.3.X] Fixed #16299 -- Ensure that unicode strings can be used to identify classes in ForeignKey and ManyToManyFields. Unicode strings aren't actually legal as class names, but this is an issue if you use from __future__ import unicode_literals in your models.py file. Thanks to Martijn Bastiaan for the report, and Anthony Briggs for the final patch.
Backport of r16663 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16675 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:56:40 +00:00
Russell Keith-Magee 38530700bf [1.3.X] Fixed #16681 -- Refactored the invalid_models unit test so that it can be invoked manually. Thanks to Anthony Briggs for the report and patch.
Backport of r16661 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16674 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:56:18 +00:00
Russell Keith-Magee 3e7d79b6ac [1.3.X] Fixed #15499 -- Ensure that cache control headers don't try to set public and private as a result of multiple calls to patch_cache_control with different arguments. Thanks to AndiDog for the report and patch.
Backport of r16657 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:55:48 +00:00
Russell Keith-Magee e9a1c03dba [1.3.X] Fixed #10571 -- Factored out the payload encoding code to make sure it is used for PUT requests. Thanks to kennu for the report, pterk for the patch, and wildfire for the review comments.
Backport of r16651 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16672 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:55:22 +00:00
Russell Keith-Magee 671483f37b [1.3.X] Fixed #14876 -- Ensure that join promotion works correctly when there are nullable related fields. Thanks to simonpercivall for the report, oinopion and Aleksandra Sendecka for the original patch, and to Malcolm for helping me wrestle the edge cases to the ground.
Backport of r16648 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-23 15:54:45 +00:00
Ramiro Morales a925b3780e [1.3.X] Reverted [14563] because it introduced a dependency from core on a contrib app (contenttypes). Fixes #16283, Refs #3055. Thanks TheRoSS for the report and Aymeric Augustin for finding the problem.
This caused models shipped with some contrib apps to pollute the namespace when users' apps had the same name (e.g. auth, sites), even when these contrib apps weren't installed.

This undesired loading of contrib apps happened when model validation was executed, for example when running management commands that set or inherit `requires_model_validation=True`:
cleanup, dumpdata, flush, loaddata, reset, runfcgi, sql, sqlall, sqlclear, sqlcustom, sqlflush, sqlindexes, sqlinitialdata, sqlreset, sqlsequencereset, syncdb, createsuperusers, ping_google, collectstatic, findstatic.

This could also cause hard-to-diagnose problems, e.g. when performing reverse URL resolving.

Backport of [16493] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-14 00:27:55 +00:00
Luke Plant 6e87dacf62 [1.3.X] Fixed #15776 - delete regression in Django 1.3 involving nullable foreign keys
Many thanks to aaron.l.madison for the detailed report and to emulbreh for
the fix.

Backport of [16295] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16296 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-30 16:19:53 +00:00
Luke Plant 7f3eda2f76 [1.3.X] Fixed #16004 - csrf_protect does not send cookie if view returns TemplateResponse
The root bug was in decorator_from_middleware, and the fix also corrects
bugs with gzip_page and other decorators.

Backport of [16276] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16279 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-25 17:31:47 +00:00
Luke Plant afa092853f [1.3.X] Changed utils/decorators.py tests to use RequestFactory
Backport of [16272] from trunk. Backported to make the backport of a
bugfix (regression) easier.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16278 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-25 17:31:36 +00:00
Luke Plant 5c08cda611 [1.3.X] Fixed #13648 - '%s' escaping support for sqlite3 regression.
Thanks to master for the report and initial patch, and salgado and others
for work on the patch.

Backport of [16209] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16210 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-10 12:28:29 +00:00
Chris Beaven d06531d3f0 [1.3.X] Fixes #15975 -- Test failure in model validation tests due to us now having https://www.djangoproject.com
Backport of r16163 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16164 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-05 23:12:55 +00:00
Carl Meyer 6a3d91828f [1.3.X] Fixed #15819 - Fixed 1.3 regression from r15526 causing duplicate search results in admin with search_fields traversing to non-M2M related models. Thanks to Adam Kochanowski for the report and Ryan Kaskel for the patch.
Backport of r16093 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-23 04:40:06 +00:00
Chris Beaven 9269b606ba [1.3.X] Fixes regression #15721 -- {% include %} and RequestContext not working together. Refs #15814.
Backport of r16031, plus the utility from r16030.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16089 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22 21:05:29 +00:00
Jannis Leidel e87c9da437 [1.3.X] Fixed #15672 -- Refined changes made in r15918. Thanks, vung.
Backport from trunk (r16082).

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16083 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22 12:21:58 +00:00
Jannis Leidel 4d62386cad [1.3.X] Fixed #15698 -- Fixed inconsistent handling of context_object_name in paginated MultipleObjectMixin views. Thanks, Dave Hall.
Backport from trunk (r16079).

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16080 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22 12:06:11 +00:00
Ramiro Morales 1d499d50d0 [1.3.X] Fixed #15848 -- Fixed regression introduced in [15882] in makemessages management command when processing multi-line comments that contain non-ASCII characters in templates. Thanks for the report Denis Drescher.
Backport of r16038/r16039 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16040 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-18 21:10:42 +00:00
Russell Keith-Magee 686ef6c759 [1.3.X] Fixed #15739 -- Added support to RedirectView for HEAD, OPTIONS, POST, PUT and DELETE requests
Backport of r15992 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@15995 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-02 08:50:05 +00:00
Luke Plant ce9b216882 [1.3.X] Fixed #15679 - regression in HttpRequest.POST and raw_post_data access.
Thanks to vkryachko for the report.

This also fixes a slight inconsistency with raw_post_data after parsing of a
multipart request, and adds a test for that. (Previously accessing
raw_post_data would have returned the empty string rather than raising an
Exception).

Backport of [15938] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@15939 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 16:15:43 +00:00
Ramiro Morales 775a6e694f Fixed #15632 -- Ignore unrelated content in template multi-line comment blocks when looking for tokens that identify comments for translators. Thanks andrew AT ie-grad DOT ru for the report and Claude Paroz for spotting the problem and helping to fix it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15882 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-19 12:56:38 +00:00
Russell Keith-Magee 1a6d98dab9 Fixed #13686 -- Ensure that memcache handling of unicode values in add() and set_many() is consistent with the handling provided by get() and set(). Thanks to nedbatchelder for the report, and to jbalogh, accuser and Jacob Burch for their work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15880 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-19 02:42:40 +00:00
Jannis Leidel bd0daa04f5 Fixed staticfiles test that was broken on Windows due to the result of the stdout not being correctly handled as Unicode.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15879 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-18 18:47:14 +00:00