0
0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00
Commit Graph

22311 Commits

Author SHA1 Message Date
Florian Apolloner
67b46ba701 Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
This is a security fix.
2016-03-01 11:25:28 -05:00
Mark Striemer
c5544d2892 Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
2016-03-01 11:25:28 -05:00
Tim Graham
f43291639b Added stub release notes for security issues. 2016-03-01 11:25:28 -05:00
Michal Petrucha
fe8ea3ba3b Fixed #26217 -- Added a warning about format strings to WeekArchiveView docs. 2016-03-01 10:29:52 -05:00
acemaster
a1b1688c7d Fixed #26165 -- Added some FAQs about CSRF protection.
Thanks Florian Apolloner and Shai Berger for review.
2016-03-01 08:45:05 -05:00
Taranjeet
11a8207d42 Fixed typos in docs/ref/models/meta.txt. 2016-03-01 08:33:27 -05:00
Alasdair Nicol
65bd053f11 Fixed #26229 -- Improved check for model admin check admin.E124
Refs #22792
2016-03-01 08:20:14 -05:00
Simon Charette
0223e213dd Fixed #26186 -- Documented how app relative relationships of abstract models behave.
This partially reverts commit bc7d201bdb.

Thanks Tim for the review.

Refs #25858.
2016-02-29 22:07:05 -05:00
Jon Dufresne
eac1423f9e Removed obsolete test CreatesuperuserManagementCommandTestCase.test_nolocale.
Test was added in 4c934f3921 to verify that
the commend works when locale.getdefaultlocale() doesn't return a locale.
getdefaultlocale() no longer runs at runtime, so the test isn't needed.
2016-02-29 08:46:37 -05:00
Adam Chainz
6a383f773a Removed unused 'Between' lookup.
It was added in 20bab2cf9d and stopped being
used for `Range` in 00aa562884 when
`bilateral` was added to `Transform`.
2016-02-29 08:00:04 -05:00
Shai Berger
72e5778b23 Minor fixes for release-process doc fix
As suggested by Tim Graham
2016-02-28 19:30:18 +02:00
Shai Berger
3dd4e9203a Fixed docs: release-process, Supported Versions section, concrete example
Security & data loss fixes are applied to the two last feature releases,
not just one.

Thanks Loic Bistuer for review
2016-02-28 18:44:47 +02:00
chenesan
b84f5ab4ec Fixed #26230 -- Made default_related_name affect related_query_name. 2016-02-27 08:48:32 -05:00
inondle
5fb9756eba Fixed #26275 -- Noted difference between o and Y date format chars. 2016-02-27 08:05:12 -05:00
Attila Tovt
5e2c4d7afb Fixed #26264 -- Fixed prefetch_related() crashes with values_list(flat=True) 2016-02-26 19:26:15 -05:00
Tore Lundqvist
3389c5ea22 Fixed #21608 -- Prevented logged out sessions being resurrected by concurrent requests.
Thanks Simon Charette for the review.
2016-02-26 18:56:56 -05:00
Simon Charette
3938b3ccaa Fixed #26286 -- Prevented content type managers from sharing their cache.
This should prevent managers methods from returning content type instances
registered to foreign apps now that these managers are also attached to models
created during migration phases.

Thanks Tim for the review.

Refs #23822.
2016-02-26 16:18:16 -05:00
Tim Graham
b9519b2730 Added 'prefetches to docs/spelling_wordlist. 2016-02-26 16:06:34 -05:00
Adam Chainz
ef33bc2d4d Fixed #25279 -- Made prefetch_related_objects() public. 2016-02-26 14:55:01 -05:00
Yoong Kang Lim
d5f89ff6e8 Fixed #24974 -- Fixed inheritance of formfield_callback for modelform_factory forms. 2016-02-26 12:27:27 -05:00
Simon Charette
766afc22a1 Fixed #24793 -- Unified temporal difference support. 2016-02-26 12:25:12 -05:00
Simon Charette
31098e3288 Used setUpTestData for the timedelta expression tests. 2016-02-26 12:25:12 -05:00
zshimanchik
65aa94200b Fixed #24653 -- Fixed MySQL database introspection when using read_default_file. 2016-02-26 12:02:13 -05:00
Simon Charette
62ea86448e Cleaned up session backends tests.
Made SessionTestsMixin backend agnostic and removed code obsoleted by the test
discovery refactor.
2016-02-26 11:22:33 -05:00
Ivan Tsouvarev
8890c533e0 Fixed #26280 -- Fixed cached template loader crash when loading nonexistent template. 2016-02-26 08:02:10 -05:00
Edwar Baron
eb44172760 Fixed #25811 -- Added a helpful error when making _in queries across different databases. 2016-02-26 07:31:56 -05:00
Tim Graham
7fec264e46 Removed try/fail antipattern from model_options tests. 2016-02-25 20:04:51 -05:00
Sjoerd Job Postmus
bbe136e1a2 Fixed #26231 -- Used .get_username in admin login template. 2016-02-25 19:29:53 -05:00
Nick Malakhov
ee69789f45 Fixed #26269 -- Prohibited spaces in is_valid_ipv6_address(). 2016-02-25 18:52:50 -05:00
Tim Graham
22d2a5b00a Corrected a run on sentence in doc/topics/db/models.txt. 2016-02-25 14:22:41 -05:00
Yoong Kang Lim
4b1529e2cb Fixed #26151 -- Refactored MigrationWriter.serialize()
Thanks Markus Holtermann for review.
2016-02-25 14:01:06 -05:00
Scott Sexton
fc584f0685 Fixed #26117 -- Consulted database routers in initial migration detection.
Thanks Simon Charette for help.
2016-02-25 09:56:00 -05:00
Tim Graham
1f8cfcf3b4 Fixed #26278 -- Clarified apps.ready docs. 2016-02-25 08:55:10 -05:00
Tim Graham
7a7e403325 Refs #26270 -- Reorganized TestCase docs. 2016-02-25 07:58:22 -05:00
Olivier Le Thanh Duong
10781b4c6f Fixed #12233 -- Allowed redirecting authenticated users away from the login view.
contrib.auth.views.login() has a new parameter `redirect_authenticated_user`
to automatically redirect authenticated users visiting the login page.

Thanks to dmathieu and Alex Buchanan for the original code and to Carl Meyer
for the help and review.
2016-02-25 07:18:33 -05:00
Claude Paroz
4c18a8a378 Fixed #14098 -- Prevented crash for introspection errors in inspectdb
Thanks Tim Graham for the review.
2016-02-25 08:43:56 +01:00
Tim Graham
441c537b66 Fixed a function signature in docs/topics/auth/default.txt. 2016-02-24 16:24:33 -05:00
Tim Graham
8ad7b8118c Used addCleanup() to call recorder.flush() in migration loader tests. 2016-02-24 11:22:09 -05:00
Claude Paroz
c5517b9e74 Fixed #26266 -- Output the primary key in the GeoJSON serializer properties
Thanks Tim Graham for the review.
2016-02-24 16:10:46 +01:00
Tim Graham
6637cd0ef2 Removed docs of deprecated SimpleTestCase warnings behavior.
Removed in Django 1.7 (4f6be9a0c4).
2016-02-24 09:57:39 -05:00
Jon Dufresne
b412681359 Fixed #26267 -- Fixed BoundField to reallow slices of subwidgets. 2016-02-24 07:02:51 -05:00
James Aylett
1ff6e37de4 Fixed #23832 -- Added timezone aware Storage API.
New Storage.get_{accessed,created,modified}_time() methods convert the
naive time from now-deprecated {accessed,created_modified}_time()
methods into aware objects in UTC if USE_TZ=True.
2016-02-23 18:51:43 -05:00
Claude Paroz
eda306f1ce Fixed #26232 -- Fixed Popen mocking environment in i18n tests
Refs #25925. Thanks Jeroen Pulles for the report.
2016-02-23 20:06:18 +01:00
Simon Charette
c30086159d Used setupTestData in prefetch_related tests. 2016-02-23 13:53:58 -05:00
Aymeric Augustin
7f6fbc906a Prevented static file corruption when URL fragment contains '..'.
When running collectstatic with a hashing static file storage backend,
URLs referencing other files were normalized with posixpath.normpath.
This could corrupt URLs: for example 'a.css#b/../c' became just 'c'.

Normalization seems to be an artifact of the historical implementation.
It contained a home-grown implementation of posixpath.join which relied
on counting occurrences of .. and /, so multiple / had to be collapsed.

The new implementation introduced in the previous commit doesn't suffer
from this issue. So it seems safe to remove the normalization.

There was a test for this normalization behavior but I don't think it's
a good test. Django shouldn't modify CSS that way. If a developer has
rendundant /s, it's mostly an aesthetic issue and it isn't Django's job
to fix it. Conversely, if the user wants a series of /s, perhaps in the
URL fragment, Django shouldn't destroy it.

Refs #26249.
2016-02-23 19:35:16 +01:00
Aymeric Augustin
706b33fef8 Fixed #26249 -- Fixed collectstatic crash for files in STATIC_ROOT referenced by absolute URL.
collectstatic crashed when:

* a hashing static file storage backend was used
* a static file referenced another static file located directly in
  STATIC_ROOT (not a subdirectory) with an absolute URL (which must
  start with STATIC_URL, which cannot be empty)

It seems to me that the current code reimplements relative path joining
and doesn't handle edge cases correctly. I suspect it assumes that
STATIC_URL is of the form r'/[^/]+/'.

Throwing out that code in favor of the posixpath module makes the logic
easier to follow. Handling absolute paths correctly also becomes easier.
2016-02-23 19:34:21 +01:00
Tim Graham
c62807968d Fixed a stray __unicode__() method in auth_tests. 2016-02-23 13:20:50 -05:00
Andrew Kuchev
e81d1c995c Fixed #25670 -- Allowed dictsort to sort a list of lists.
Thanks Tim Graham for the review.
2016-02-23 12:15:08 -05:00
Tim Graham
cdbd8745f6 Fixed #26263 -- Deprecated Context.has_key() 2016-02-23 08:08:55 -05:00
Claude Paroz
269b5f262c Used call_command return value in staticfiles tests
Refs #26190.
2016-02-23 09:12:12 +01:00