11bb365c7b
Apply all patches up to CVE-2023-36053
2023-07-13 14:15:15 -07:00
Mariusz Felisiak
c669cf279a
[1.11.x] Fixed GeoQuerySetTest.test_unionagg_tolerance() test on Oracle 18c.
Backport of 5ca76baa729bbbe62f5c4a0fc4f89747dc999029 from master
2020-03-05 08:57:26 +01:00
Mariusz Felisiak
02d97f3c9a
[1.11.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
2020-03-04 09:47:05 +01:00
Mariusz Felisiak
e643833562
[1.11.x] Pinned PyYAML < 5.3 in test requirements.
PyYAML 5.3+ doesn't support Python 3.4.
2020-02-04 10:06:07 +01:00
Carlton Gibson
001b0634cd
[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
2020-01-26 19:02:04 +01:00
Mariusz Felisiak
7fd1ca3ef6
[1.11.x] Fixed timezones tests for PyYAML 5.3+.
Backport of 8be477be5c1a4afc9ad00bb58a324f637e018c0f from master
2020-01-07 09:56:12 +01:00
Simon Charette
f4cff43bf9
[1.11.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Backport of 5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 from master.
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
2019-12-18 09:17:28 +01:00
Peter Andersen
e8fdf00cc2
[1.11.x] Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs.
Backport of 02eff7ef60466da108b1a33f1e4dc01eec45c99d from master.
2019-12-11 09:43:36 +01:00
Louise Grandjonc
a843a9ba8d
[1.11.x] Fixed #30826 -- Fixed crash of many JSONField lookups when one side is a key transform.
Regression in 6c3dfba89215fc56fc27ef61829a6fff88be4abb.
Backport of 7d1bf29977bb368d7c28e7c6eb146db3b3009ae7 from master.
2019-10-11 12:01:42 +02:00
Simon Charette
fd393907c9
[1.11.x] Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation.
This was a regression introduced by 7deeabc7c7526786df6894429ce89a9c4b614086
to address CVE-2019-14234.
Thanks Tim Kleinschmidt for the report and Mariusz for the tests.
Backport of 6c3dfba89215fc56fc27ef61829a6fff88be4abb from master.
2019-09-16 09:05:48 +02:00
Mariusz Felisiak
473c526b1b
[1.11.x] Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params.
Regression in 4f5b58f5cd3c57fee9972ab074f8dc6895d8f387.
Thanks Florian Apolloner for the report and helping with tests.
Backport of 1f8382d34d54061eddc41df6994e20ee38c60907 from master.
2019-08-14 15:58:10 +02:00
Florian Apolloner
869b34e9b3
[1.11.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().
Thanks to Guido Vranken for initial report.
2019-07-31 21:29:17 +02:00
Mariusz Felisiak
ed682a24fc
[1.11.x] Fixed CVE-2019-14234 -- Protected JSONField/HStoreField key and index lookups against SQL injection.
Thanks to Sage M. Abdullah for the report and initial patch.
Thanks Florian Apolloner for reviews.
2019-07-31 21:29:17 +02:00
Florian Apolloner
52479acce7
[1.11.x] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
2019-07-29 11:20:43 +02:00
Florian Apolloner
42a66e9690
[1.11.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
2019-07-29 11:18:34 +02:00
Carlton Gibson
32124fc41e
[1.11.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set.
An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.
HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.
Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.
Backport of 54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 from master.
2019-07-01 08:40:19 +02:00
Mariusz Felisiak
bc5febec4e
[1.11.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 database.
Backport of 4305fbe8b11f44ab5d6759346488026c1e9677b2 from master.
2019-06-30 20:21:27 +02:00
Carlton Gibson
c238701859
[1.11.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
Backport of deeba6d92006999fee9adfbd8be79bf0a59e8008 from master.
2019-06-03 11:38:19 +02:00
Mariusz Felisiak
d13490c18a
[1.11.x] Refs #30331 -- Doc'd that psycopg2 < 2.8 is required.
Backport of 0a8617a5b1cac7063f30e4d8ff4ea4c30748f7b8 from stable/2.1.x.
2019-04-05 12:13:05 +02:00
Tim Graham
9530fac978
[1.11.x] Fixed serializers test crash if PyYAML isn't installed.
Follow up to a57c783dd4e6dc73847081221827a1902eede88b.
Backport of 55490ac7469a3647ce163bee323f7fe4a06fcaa6 from master
2019-03-20 16:11:02 +01:00
Mariusz Felisiak
f8ce3cd162
[1.11.x] Fixed serializers tests for PyYAML 5.1+.
Backport of a57c783dd4e6dc73847081221827a1902eede88b from master
2019-03-14 18:45:14 +01:00
Mariusz Felisiak
f13bfdeb55
[1.11.x] Reverted "Fixed relative paths imports per isort 4.3.5."
This reverts commit 463fe11bc8b2d068e447c5df677e7a31c2af7e03 due to
restore of relative paths sorting from isort < 4.3.5 in isort 4.3.10.
Backport of b435f82939edf70674856e0e1cd63973c2e0a1d1 from master.
2019-03-03 19:47:17 +01:00
Mariusz Felisiak
b9beb6a52e
[1.11.x] Fixed relative paths imports per isort 4.3.5.
Backport of 463fe11bc8b2d068e447c5df677e7a31c2af7e03 from master.
2019-02-25 20:02:56 +01:00
Tim Graham
1b8a26efa2
[1.11.x] Fixed E117 flake8 warnings.
2019-02-14 09:35:54 -05:00
Carlton Gibson
0bbb560183
[1.11.x] Fixed CVE-2019-6975 -- Fixed memory exhaustion in utils.numberformat.format().
Thanks Sjoerd Job Postmus for the report and initial patch.
Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review.
Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master.
2019-02-11 11:15:45 +01:00
Tom Hacohen
1cd00fcf52
[1.11.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
2019-01-03 22:09:25 -05:00
Tim Graham
b683bb0c9f
[1.11.x] Pinned Pillow != 5.4.0 in test requirements.
There's a bug that causes a test failure in forms_tests:
https://github.com/python-pillow/Pillow/pull/3501/files#r244651761
Backport of e4a714b259125423059b9f65f5e0ab70d78521ba from master.
2019-01-02 17:43:25 -05:00
CHI Cheng
190aa59447
[1.11.x] Fixed broken links to PyYAML page.
Backport of b7dbd5ff68bb9d2235ca081c0bd0b8baa65f8c77 from master.
2018-12-27 10:56:19 +01:00
Tim Graham
2ea1e0e58d
[1.11.x] Refs #30013 -- Doc'd that mysqlclient 1.3.14 and later isn't supported.
2018-12-05 15:51:04 -05:00
Tim Graham
b9e248975f
[1.11.x] Refs #28814 -- Fixed test_runner failure on Python 3.7.
Due to https://bugs.python.org/issue30399
Backport of 9d1d3b2d2fe0bef995b024368088eeabbdf73629 from master
2018-11-17 14:46:04 -05:00
Tom Forbes
0ecc4f8d49
[1.11.x] Removed obsolete and flaky GeoIP tests.
Backport of 8f90593e6f8197148c8f86e598bfef6792f3f4bf from master.
2018-11-10 16:34:03 -05:00
Mariusz Felisiak
006ca978b9
[1.11.x] Refs #29759 -- Doc'd that cx_Oracle < 7 is required.
Backport of 7085247e2fd1ad8b08103173a23ca730784765a3 from stable/2.0.x
2018-09-18 10:42:04 +02:00
Tim Graham
8a0b905187
[1.11.x] Refs #29499 -- Skipped QuerySet.update_or_create() test that fails on MySQL.
2018-08-03 12:13:06 -04:00
Michael Sanders
2668418d99
[1.11.x] Fixed #29499 -- Fixed race condition in QuerySet.update_or_create().
A race condition happened when the object didn't already exist and
another process/thread created the object before update_or_create()
did and then attempted to update the object, also before update_or_create()
saved the object. The update by the other process/thread could be lost.
Backport of 271542dad1686c438f658aa6220982495db09797 from master
2018-08-02 17:28:23 -04:00
Andreas Hug
d6eaee0927
[1.11.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-07-25 12:13:03 -04:00
Adam Donaghy
56c5c1599a
[1.11.x] Fixed #28462 -- Decreased memory usage with ModelAdmin.list_editable.
Regression in 917cc288a38f3c114a5440f0749b7e5e1086eb36.
Backport of b18650a2634890aa758abae2f33875daa13a9ba3 from master
2018-06-07 10:15:56 -04:00
Tim Graham
b548180605
[1.11.x] Fixed #29461 -- Fixed ogrinspect test_time_field failure on SpatiaLite.
Backport of 666be7b9942611d5c0f5e485c448f219cd5a1ad5 from master
2018-06-02 07:33:32 -04:00
Tim Graham
d60d7d6d71
[1.11.x] Fixed #29462 -- Fixed ogrinspect test failures with GDAL 2.2.
Backport of 55f4eee75d41499995bfdb611ac89e80c87404eb from master
2018-06-01 22:38:49 -04:00
Claude Paroz
6f171c285e
[1.11.x] Refs #28257 -- Updated a test for GDAL 2.2
Partial backport of 28627608945ddc3f59fb6a011a4eb363d8020e83 from master
2018-05-31 17:45:49 -04:00
Tim Graham
800778f7ad
[1.11.x] Fixed a test failure with the latest GeoIP databases.
Backport of 7a22d9f75125e3cfbea0979a876efe4634f6fe05 from master
2018-04-17 21:35:44 -04:00
Tim Graham
4a20aae468
[1.11.x] Added isolated_local_models support to schema tests.
Follow up to 46496a542c2ff9f273e090073e9c8071acb1a4a4, which otherwise
has no effect.
Partial backport of 9f7772e098439f9edea3d25ab127539fc514eeb2 from master
2018-04-14 07:18:33 -04:00
Mariusz Felisiak
f89b11b879
[1.11.x] Fixed #29286 -- Fixed column mismatch crash with QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection().
Regression in a0c03c62a8ac586e5be5b21393c925afa581efaf.
Thanks Tim Graham and Carlton Gibson for reviews.
Backport of 0b66c3b442875627fa6daef4ac1e90900d74290b from master.
2018-04-13 12:54:32 +02:00
Tim Graham
46496a542c
[1.11.x] Fixed schema test failure when running tests in reverse.
Follow up to 003334f8af29e2023cf7ad7d080aa9ab26a7c528.
Backport of 78f8b80f9b215e50618375adce4c97795dabbb84 from master
2018-04-12 20:29:30 -04:00
Paul Donohue
979253fce9
[1.11.x] Fixed #29296 -- Fixed crashes in admindocs when a view is a callable object.
Backport of 33a0b7ac815588ed92dca215e153390af8bdbdda from master
2018-04-12 13:28:29 -04:00
Jeremy Bowman
8f76939f54
[1.11.x] Fixed #29193 -- Prevented unnecessary foreign key drops when altering a unique field.
Stopped dropping and recreating foreign key constraints on other fields
in the same table as the one which is actually being altered in an
AlterField operation.
Regression in c3e0adcad8d8ba94b33cabd137056166ed36dae0.
Backport of ee17bb8a67a9e7e688da6e6f4b3be1b3a69c09b0 from master
2018-04-11 23:24:42 -04:00
Jeremy Bowman
a1f4e14f99
[1.11.x] Tested altering a unique field when a reverse M2M relation exists.
Backport of 003334f8af29e2023cf7ad7d080aa9ab26a7c528 from master
2018-04-11 23:23:44 -04:00
Claude Paroz
b25433a225
[1.11.x] Fixed #29273 -- Prevented initial selection of empty choice in multiple choice widgets.
Regression in b52c73008a9d67e9ddbb841872dc15cdd3d6ee01.
Backport of f3b69f9757ec03057441ebbd52b7cdbfed31fb32 from master.
2018-04-02 09:27:01 -04:00
Amr Anwar
c5bb472095
[1.11.x] Fixed #29229 -- Fixed column mismatch crash when combining two annotated values_list() querysets with union(), difference(), or intersection().
Regression in 7316720603821ebb64dfe8fa592ba6edcef5f3e.
Backport of a0c03c62a8ac586e5be5b21393c925afa581efaf from master
2018-03-19 21:06:40 -04:00
Tim Graham
a91436360b
[1.11.x] Fixed CVE-2018-7537 -- Fixed catastrophic backtracking in django.utils.text.Truncator.
Thanks James Davis for suggesting the fix.
2018-02-27 13:56:26 -05:00
Tim Graham
abf89d729f
[1.11.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
2018-02-27 13:54:19 -05:00