Stable/2.2.x #1
Open
Stable/2.2.x #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sp576
commented
Mar 12, 2021
sp576
commented
- Version 2.2.20 upgrade
Backport of 7fc07b9 from master
…ning with xgettext 0.21+. "format string with unnamed arguments cannot be properly localized" warning is not raised in xgettext 0.21+. This patch uses a message that causes an xgettext warning regardless of the version. Backport of 07a30f5 from master
Backport of 656b331 from master
…database. Backport of 135c800 from master
…a archive.extract(). Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews. Thanks Wang Baohua for the report. Backport of 05413af from master.
Backport of f749148 from master
Backport of d02d60e from master
…utils.http.limited_parse_qsl().
Backport of ab58f07 from master
…ia uploaded files. Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. Backport of d4d800c from main.
Backport of 1eac846 from main
… in file uploads.
The validate_file_name() sanitation introduced in 0b79eb3 correctly rejects the example file name as containing path elements on Windows. This breaks the test introduced in 914c72b to allow path components for storages that may allow them. Test is skipped pending a discussed storage refactoring to support this use-case. Backport of a708f39 from main
…tabs from being accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] python/cpython@76cd81d Backport of e1e81aa from main.
Backport of efebcc4 from main
Backport of d1f1417 from main.
- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb3. Backport of b556999 from main.
See sphinx-doc/sphinx@dd2ff3e. Backport of f0480dd from main
Backport of ae4077e from main.
Backport of 0cf2d48 from stable/3.2.x.
Backport of 8747052 from main
…SimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
…e in dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
…rage subsystem. Thanks to Dennis Brinkrolf for the report.
…ecurity archive. Backport of 63869ab from main
Backport of eeca934 from main.
…mplate tag. Thanks Keryn Knight for the report. Backport of 394517f from main. Co-authored-by: Adam Johnson <me@adamj.eu>
Thanks Alan Ryan for the report and initial patch. Backport of fc18f36 from main.
Backport of 9e0df0d from main
Backport of 770d3e6 from main.
See pallets/jinja#1621. Backport of 1d9d082 from main
Backport of 78277fa from main
…ate(), and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. Backport of 93cae5c from main.
… against SQL injection on PostgreSQL. Backport of 6723a26 from main.
Backport of 78eeff8 from main
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.