Natalia
da443c4d54
[5.1.x] Bumped version for 5.1.14 release.
2025-11-05 09:46:34 -03:00
Jacob Walls
4624ed769c
[5.1.x] Refs CVE-2025-64459 -- Avoided propagating invalid arguments to Q on dictionary expansion.
Backport of 3c3f463577 from main.
2025-11-05 09:44:35 -03:00
Jacob Walls
72d2c87431
[5.1.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
Backport of c880530ddd from main.
2025-11-05 09:44:22 -03:00
Jacob Walls
3790593781
[5.1.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210.
Backport of c880530ddd from main.
2025-11-05 09:43:51 -03:00
Jacob Walls
ec3420edfa
[5.1.x] Added stub release notes and release date for 5.1.14 and 4.2.26.
Backport of ab108bf94d from main.
2025-10-29 15:01:46 -03:00
Mariusz Felisiak
c361494cbb
[5.1.x] Made RemoteTestResultTest.test_pickle_errors_detection() compatible with tblib 3.2+.
tblib 3.2+ makes exception subclasses with __init__() and the default
__reduce__() picklable. This broke the test for
RemoteTestResult._confirm_picklable(), which expects a specific
exception to fail unpickling.
https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21
This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way
that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj))
raises TypeError.
Refs #27301. This preserves the intent of the regression test from
52188a5ca6 without skipping it.
Backport of 548209e620 from main.
2025-10-22 15:21:29 -03:00
Mariusz Felisiak
a6294d7d26
[5.1.x] Fixed RelatedGeoModelTest.test_related_union_aggregate() test on Oracle and GEOS 3.12+.
Backport of 344ae16e1e from main
2025-10-20 16:06:52 +02:00
Mariusz Felisiak
99e033694c
[5.1.x] Refs #36646 -- Doc'd that oracledb < 3.3.0 is required.
2025-10-10 23:08:19 +02:00
David Smith
475f61f78b
[5.1.x] Fixed OGRInspectTest.test_time_field with memory Spatialite database.
Backport of 82b3b84a78 from main
2025-10-10 16:05:35 +02:00
Michiel W. Beijen
7da2bf97d6
[5.1.x] Fixed #35961 -- Migrated license metadata in pyproject.toml to conform PEP 639.
See https://peps.python.org/pep-0639/ and
https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-and-license-files.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 96a7a65216 from main.
2025-10-08 16:44:11 -03:00
Mariusz Felisiak
360400f616
[5.1.x] Rewrapped security archive at 79 chars.
Backport of 1499c95d99 from main.
2025-10-01 16:25:37 -04:00
Jacob Walls
9f6067f873
[5.1.x] Added CVE-2025-59681 and CVE-2025-59682 to security archive.
Backport of 43d84aef04 from main.
2025-10-01 10:39:52 -04:00
Jacob Walls
8a3ec7cd68
[5.1.x] Post-release version bump.
2025-10-01 09:04:21 -04:00
Jacob Walls
467aeeb569
[5.1.x] Bumped version for 5.1.13 release.
2025-10-01 09:01:21 -04:00
Sarah Boyce
74fa85c688
[5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c.
Backport of 924a0c092e from main.
2025-10-01 08:53:50 -04:00
Mariusz Felisiak
01d2d770e2
[5.1.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f.
Backport of 41b43c74bd from main.
2025-10-01 08:53:17 -04:00
Mariusz Felisiak
cbe5042d85
[5.1.x] Added stub release notes and release date for 5.1.13 and 4.2.25.
Backport of 00174507f8 from main.
2025-09-24 11:47:22 -04:00
Mariusz Felisiak
27e230ff25
[5.1.x] Added missing backticks in docs/releases/security.txt.
Backport of 686a8a62ae from main
2025-09-04 11:11:09 +02:00
Sarah Boyce
26fc64332c
[5.1.x] Added CVE-2025-57833 to security archive.
Backport of f0c05a40d2 from main.
2025-09-03 15:29:23 +02:00
Sarah Boyce
dc002e5d2d
[5.1.x] Post-release version bump.
2025-09-03 13:37:20 +02:00
Sarah Boyce
f71d9c35e4
[5.1.x] Bumped version for 5.1.12 release.
2025-09-03 13:32:35 +02:00
Jake Howard
102965ea93
[5.1.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
Thanks Eyal Gabay (EyalSec) for the report.
Backport of 5171171709 from main.
2025-09-03 13:31:32 +02:00
Sarah Boyce
44cd014a0a
[5.1.x] Added stub release notes and release date for 5.1.12 and 4.2.24.
Backport of 4c71e33440 from main.
2025-08-27 16:10:48 +02:00
Natalia
09801786df
[5.1.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.
Python fixed a quadratic complexity processing for HTMLParser in:
6eb6c5db.
Backport of 2980627502 from main.
2025-08-13 17:49:04 -03:00
Natalia
19e7b95552
[5.1.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following Python's HTMLParser fixed parsing.
Further details about Python changes can be found in:
0243f97cba.
Refs #36499. Thank you Clifford Gama for the thorough review!
Backport of e4515dad7a from main.
2025-08-13 17:49:04 -03:00
Natalia
9d9b3bc717
[5.1.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.
2025-08-04 21:55:27 -03:00
nessita
37f6474380
[5.1.x] Fixed GitHub Action that checks commit prefixes to fetch PR head correctly.
Backport of 8499fba0e1 from main.
2025-07-16 15:37:35 -03:00
nessita
31045931aa
[5.1.x] Added GitHub Action to enforce stable branch commit message prefix.
Backport of 10386fac00 from main.
2025-07-16 08:39:34 -03:00
Sarah Boyce
97c753741a
[5.1.x] Added follow-up to CVE-2025-48432 to security archive.
Backport of 2714bc3f2c from main.
2025-06-10 15:15:14 +02:00
Sarah Boyce
353a6af6d9
[5.1.x] Post-release version bump.
2025-06-10 11:50:05 +02:00
Sarah Boyce
2285698fc1
[5.1.x] Bumped version for 5.1.11 release.
2025-06-10 11:47:54 +02:00
Jake Howard
31f4bd31fa
[5.1.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552 from main.
2025-06-06 09:09:06 -03:00
Natalia
363d256685
[5.1.x] Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency.
Backport of ff835f439c from main.
2025-06-06 09:07:54 -03:00
Natalia
15e4df1d33
[5.1.x] Refactored logging_tests to reuse assertions for log records.
Backport of 9d72e7daf7 from main.
2025-06-06 09:07:48 -03:00
Natalia
976e34a2a5
[5.1.x] Added CVE-2025-48432 to security archive.
Backport of 51923c576a from main.
2025-06-04 10:58:49 -03:00
Natalia
400170b69e
[5.1.x] Post-release version bump.
2025-06-04 08:49:22 -03:00
Natalia
23a853821b
[5.1.x] Bumped version for 5.1.10 release.
2025-06-04 08:46:54 -03:00
Natalia
596542ddb4
[5.1.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in log_response().
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
2025-06-04 08:46:07 -03:00
Natalia
a70841bc03
[5.1.x] Added stub release notes and release date for 5.1.10 and 4.2.22.
Backport of 1a74434399 from main.
2025-05-28 10:19:23 -03:00
Jason Judkins
129750a807
[5.1.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable apps tutorial for PEP 625.
Backport of 1307b8a1cb from main.
2025-05-26 12:37:29 -03:00
Natalia
32a9cb2179
[5.1.x] Added helpers in csrf_tests and logging_tests to assert logs from log_response().
Backport of ad6f998898 from main.
2025-05-22 15:42:30 -03:00
Natalia
bb92acacac
[5.1.x] Refs #26688 -- Added tests for log_response() internal helper.
Backport of 8970468159 from main.
2025-05-22 15:42:28 -03:00
Natalia
85bdeb31e2
[5.1.x] Refs #35980 -- Added release note about changes in release artifacts filenames.
Backport of 42ab99309d from main.
2025-05-09 13:31:53 -03:00
Natalia
503128a7d1
[5.1.x] Removed "Expected" from release date for 5.1.9 and 4.2.21.
Backport of c86156378d from main.
2025-05-09 13:30:58 -03:00
Natalia
73f70b5cc8
[5.1.x] Cleaned up CVE-2025-32873 security archive description.
Backport of 37f2a77c72 from main.
2025-05-07 11:37:34 -03:00
Natalia
05fab4e394
[5.1.x] Added CVE-2025-32873 to security archive.
Backport of fdabda4e05 from main.
2025-05-07 11:09:35 -03:00
Natalia
2eb42068c2
[5.1.x] Post-release version bump.
2025-05-06 22:35:14 -03:00
Natalia
db5c8a97bb
[5.1.x] Bumped version for 5.1.9 release.
2025-05-06 22:32:13 -03:00
Sarah Boyce
0b42f6a528
[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519 from main.
2025-05-06 22:31:16 -03:00
Natalia
1520d18e9c
[5.1.x] Added upcoming security release to release notes.
Backport of 0f5dd0dff3 from main.
2025-04-30 14:56:53 -03:00