Commit Graph

4446 Commits

Author SHA1 Message Date
Tim Graham d7a06ee7e5 [1.6.x] Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly.

Thanks Keryn Knight for the report and initial patch.
2015-01-13 13:10:11 -05:00
Tim Graham 553779c405 [1.6.x] Prevented views.static.serve() from using large memory on large files.
This is a security fix. Disclosure following shortly.
2015-01-13 13:10:11 -05:00
Tim Graham 72e0b03366 [1.6.x] Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:10:11 -05:00
Carl Meyer d7597b31d5 [1.6.x] Stripped headers containing underscores to prevent spoofing in WSGI environ.
This is a security fix. Disclosure following shortly.

Thanks to Jedediah Smith for the report.
2015-01-13 13:10:11 -05:00
Simon Charette 2fd16232b1 [1.6.x] Fixed #23754 -- Always allowed reference to the primary key in the admin
This change allows dynamically created inlines "Add related" button to work
correctly as long as their associated foreign key is pointing to the primary
key of the related model.

Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.

Backport of f9c4e14aec from master
2014-11-25 13:48:50 -05:00
Emmanuelle Delescolle c5c4bfa12a [1.6.x] Fixed #23604 -- Allowed related m2m fields to be referenced in the admin.
Thanks Simon Charette for review.

Backport of a24cf21722 from master
2014-10-06 08:50:48 -04:00
Tim Graham 011541d948 [1.6.x] Required numpy < 1.9 for tests; refs #23489.
Backport of 4743a94429 from stable/1.7.x
2014-09-29 19:58:00 -04:00
Simon Charette a7af6ad96a [1.6.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master
2014-09-08 14:05:26 -04:00
Akis Kesoglou b877697472 [1.6.x] Fixed #23370 -- defer() + select_related() crashed with inherited models.
Backport of 6613ea6e3f from master
2014-08-30 07:16:47 -04:00
Simon Charette e3453b61c6 [1.6.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin.
Thanks to Trac alias Markush2010 and ross for the detailed reports.

Backport of 3cbb759 from master
2014-08-27 21:50:29 -04:00
Simon Charette f7c494f250 [1.6.x] Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Tim Graham dd0c3f4ee1 [1.6.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Florian Apolloner da051da8df [1.6.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Claude Paroz 9f9fdc4b0a [1.6.x] Fixed #22996 -- Prevented crash with unencoded query string
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
Backport of fa02120d36 from master.
2014-08-19 22:55:35 +02:00
Tim Graham f07e9f8796 [1.6.x] Added a missing skipUnlessDBFeature for the previous commit. 2014-07-29 09:37:49 -04:00
Shai Berger 838b7f8220 [1.6.x] Fixed #20292: Pass datetime objects (not formatted dates) as params to Oracle
This seems worthwhile in its own right, but also works around an Oracle
bug (in versions 10 -- 11.1) where the use of Unicode would reset the
date/time formats, causing ORA-01843 errors.

Thanks Trac users CarstenF for the report, jtiai for the initial patch,
and everyone who contributed to the discussion on the ticket.

Backport of 6983201 from master.
2014-07-29 07:00:26 -04:00
Aymeric Augustin 83098dccdf [1.6.x] Fixed #23089 -- Fixed transaction handling in two management commands.
Previously, when createcachetable and flush operated on non-default
databases, they weren't atomic.

Also avoided transactional DDL and transactional truncates on databases
that don't support them (refs #22308).

Backport of 753a22a635, 0757e0f30d, and 6877a9d415 from master
2014-07-24 19:27:15 -04:00
Tim Graham 04d827a710 [1.6.x] Added Chrome/IE support for a selenium test.
Backport of 5954aa6db0 from master plus additional changes...
2014-07-16 11:01:53 -04:00
Anssi Kääriäinen 9be56ec62c [1.6.x] PEP8 cleanup
Backport of f8df55050c from master
2014-07-16 12:53:52 +03:00
Gavin Wahl 227a0f27a6 [1.6.x] Fixed #22998 -- Updated the fast_delete logic for GFKs
Backport of 6e2b82fdf6 from master
2014-07-16 12:53:48 +03:00
Tim Graham 685582940b [1.6.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.

Backport of 5e2c4a4bd1 from master
2014-07-14 12:39:19 -03:00
Claude Paroz c38e47bec0 [1.6.x] Created import-time test temp dirs in known location
Refs #17215. In the same spirit as 5de31cb8cb.
Backport of 809362518d from master.
2014-06-23 14:59:39 +02:00
Vlastimil Zíma ef3ae3d1c9 [1.6.x] Fixed #22514 -- Prevented indexes on virtual fields [postgres].
Backport of 78c32f1caa from master
2014-06-20 19:01:49 -04:00
Erik Romijn 50a289d05f [1.6.x] Fixed #22579 -- Corrected validation for email to reject trailing slash
Backport of 424fe76349 from master.
2014-05-16 15:40:52 +02:00
Erik Romijn 6011075245 [1.6.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
Aymeric Augustin 1abcf3a808 [1.6.x] Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
Aymeric Augustin b6d3212190 [1.6.x] Fixed #22508 -- Avoided overwriting select_related.
Previously, known related objects overwrote related objects loaded
through select_related. This could cancel the effect of select_related
when it was used over more than one level.

Thanks boxm for the bug report and timo for bisecting the regression.

Conflicts:
	tests/select_related_regress/tests.py

Backport of f574220f from master
2014-05-10 17:05:09 +02:00
Anssi Kääriäinen 0e37049636 [1.6.x] Fixed #22429 -- Incorrect SQL when using ~Q and F
Backpatch of 5e1f4656b9 from master.

Conflicts:
	django/db/models/sql/query.py
	tests/queries/models.py
	tests/queries/tests.py
2014-05-05 13:27:54 +03:00
Claude Paroz 034866204b [1.6.x] Fixed #22565 -- Prevented pgettext_lazy crash with bytestring input
Thanks ygbo for the report.
Backport of 142c27218 from master.
2014-05-02 19:38:46 +02:00
Tim Graham 6915220ff9 [1.6.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
Regression in 8b93b31487.

Thanks rcoup for the report.

Backport of 3c06b2f2a3 from master
2014-04-23 08:56:13 -04:00
Erik Romijn 5f0829a27e [1.6.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3a from master
2014-04-21 18:30:27 -04:00
Aymeric Augustin d63e20942f [1.6.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815a from master
2014-04-21 18:30:27 -04:00
Tim Graham 4352a50871 [1.6.x] Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487 from master
2014-04-21 18:30:27 -04:00
valtron 1252b77824 [1.6.x] Fixed #21760 -- prefetch_related used an inefficient query for reverse FK.
Regression introduced by commit 9777442. Refs #21410.

Conflicts:
	tests/prefetch_related/tests.py

Backport of d3b71b976d from master
2014-04-13 01:06:03 +07:00
Aymeric Augustin 1d3d2b9a24 [1.6.x] Fixed #21202 -- Maintained atomicity when the server disconnects.
Thanks intgr for the report.

This commit doesn't include a test because I don't know how to emulate a
database disconnection in a cross-database compatible way.

Also simplified a 'backends' test that was constrained by this problem.

Backport of 81761508 from master
2014-04-10 23:22:13 +02:00
Aymeric Augustin 4ea02bdb0d [1.6.x] Fixed #21239 -- Maintained atomicity when closing the connection.
Refs #15802 -- Reverted #7c657b24 as BaseDatabaseWrapper.close() now
has a proper "finally" clause that may need to preserve self.connection.

Backport of 25860096 from master.
2014-04-10 23:22:13 +02:00
Aymeric Augustin 9afedbef42 [1.6.x] Fixed #22291 -- Avoided shadowing deadlock exceptions on MySQL.
Thanks err for the report.

Backport of 58161e4e from master.
2014-04-10 23:05:09 +02:00
Aymeric Augustin e68c084ed1 Fixed a broken test introduced in 6fa7d7c5. Refs #21553.
Thanks Shai.
2014-04-10 07:51:04 +02:00
Shai Berger 690a5984a3 [1.6.x] Fixed #22343 -- Disallowed select_for_update in autocommit mode
The ticket was originally about two failing tests, which are
fixed by putting their queries in transactions.

Thanks Tim Graham for the report, Aymeric Augustin for the fix,
and Simon Charette, Tim Graham & Loïc Bistuer for review.

Backport of b990df1d63 from master
2014-04-10 02:15:14 +03:00
Aymeric Augustin 6fa7d7c594 [1.6.x] Fixed #21553 -- Ensured unusable database connections get closed.
Backport of 5f2f47f from master
2014-04-09 22:54:39 +02:00
Patrick Michaud 73474df954 Fixed #22256 -- Replaced bad fallback for missing PATH
Thanks Baptiste Mispelon for the review.
Backport of acee46fc9 from master.
2014-04-01 20:45:12 +02:00
Loic Bistuer 07e2a56814 [1.6.x] Fixed #22360 -- Fixed two non-deterministic tests in Python 3.4.
The order of admin's changelist filters in the querystring relied on
dict ordering.

Backport of 4d996b8e69 from master
2014-03-31 08:24:12 -04:00
Loic Bistuer a5297c1ef4 [1.6.x] Fixed #21795 -- Made add_preserved_filters account for url prefixes.
Thanks to trac username honyczek for the report. Refs #6903.

Backport of 4339e9a92d from master
2014-03-31 07:29:08 -04:00
Tim Graham 059bc7eb60 [1.6.x] Fixed #22338 -- Fixed a test dependent on dictionary key iteration order.
Backport of 69a4f383f6 from master
2014-03-30 14:27:11 -04:00
Claude Paroz c9b2feffee [1.6.x] Tweaked strip_tags tests to pass on Python 3.3
Backport of 6a0291bda from master.
2014-03-22 15:05:28 +01:00
Claude Paroz f05f5c231a [1.6.x] Removed a strip_tags test for older Python versions
Django's custom HTMLParser for older Python versions cannot
parse convoluted syntax.
2014-03-22 14:21:35 +01:00
Claude Paroz d1503afd66 [1.6.x] Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f8 from master.
2014-03-22 11:07:27 +01:00
Claude Paroz 1a2939bc26 [1.6.x] Fixed #22245 -- Avoided widget overwrite in forms.IntegerField subclasses
Thanks Jeroen Pulles for the report and Simon Charette for the review.
Backport of 5a976b4bec from master.
2014-03-13 16:59:23 +01:00
Alexey Voronov 5cda1d2702 [1.6.x] Fixed #21643 -- repeated execution of qs with F() + timedelta
Thanks Tim Graham for review and Tai Lee for the additional test to prove
this was a regression in 1.6.

Backport of 7f2485b4d1 and 8137215973 from master
2014-02-28 20:49:13 -05:00
Baptiste Mispelon 12da6902e9 [1.6.x] Fixed #22107 -- Fixed django.core.files.File object iteration.
Due to a mixup between text and bytes, iteration over
a File instance was broken under Python 3.

Thanks to trac user pdewacht for the report and patch.

Backport of 3841feee86 from master.
2014-02-20 23:59:51 +01:00