Scheduled weekly dependency update for week 31 #1558

Merged
merged 4 commits into from
Aug 8, 2019

Conversation

pyup-bot
Contributor

@pyup-bot pyup-bot commented Aug 5, 2019

Update wagtail from 2.5.1 to 2.6.1.

Changelog

2.6.1
~~~~~~~~~~~~~~~~~~

* Fix: Prevent Javascript errors caused by unescaped quote characters in translation strings (Matt Westcott)

2.6
~~~~~~~~~~~~~~~~

* Removed support for Python 3.4
* Added support for `short_description` for field labels in modeladmin's `InspectView` (Wesley van Lee)
* Rearranged SCSS folder structure to the client folder and split them approximately according to ITCSS. (Naomi Morduch Toubman, Jonny Scholes, Janneke Janssen, Hugo van den Berg)
* Added support for specifying cell alignment on TableBlock (Samuel Mendes)
* Added more informative error when a non-image object is passed to the `image` template tag (Deniz Dogan)
* Added more ARIA landmarks across the admin interface and welcome page for screen reader users to navigate the CMS more easily (Beth Menzies)
* Added ButtonHelper examples in the modelAdmin primer page within documentation (Kalob Taulien)
* Multiple clarifications, grammar and typo fixes throughout documentation (Dan Swain)
* Use correct URL in API example in documentation (Michael Bunsen)
* Move datetime widget initialiser JS into the widget's form media instead of page editor media (Matt Westcott)
* Add form field prefixes for input forms in chooser modals (Matt Westcott)
* Increase font-size across the whole admin (Beth Menzies, Katie Locke)
* Improved text color contrast across the whole admin (Beth Menzies, Katie Locke)
* Added consistent focus outline styles across the whole admin (Thibaud Colas)
* Removed version number from the logo link’s title. The version can now be found under the Settings menu (Thibaud Colas)
* Added "don't delete" option to confirmation screen when deleting images, documents and modeladmin models (Kevin Howbrook)
* Added `branding_title` template block for the admin title prefix (Dillen Meijboom)
* Add image dimensions in image gallery and image choosers for screen reader users (Helen Chapman)
* Added support for custom search handler classes to modeladmin's IndexView, and added a class that uses the default Wagtail search backend for searching (Seb Brown, Andy Babic)
* Improved heading structure for screen reader users navigating the CMS admin (Beth Menzies, Helen Chapman)
* Updated group edit view to expose the Permission object for each checkbox (George Hickman)
* Improve performance of Pages for Moderation panel (Fidel Ramos)
* Add more contextual information for screen readers in the explorer menu’s links (Helen Chapman)
* Added `process_child_object` and `exclude_fields` arguments to ``Page.copy()`` to make it easier for third-party apps to customise copy behavior (Karl Hobley)
* Added `Page.with_content_json()`, allowing revision content loading behaviour to be customised on a per-model basis (Karl Hobley)
* Improved screen-reader labels for action links in page listing (Helen Chapman, Katie Locke)
* Added screen-reader labels for table headings in page listing (Helen Chapman, Katie Locke)
* Added screen reader labels for page privacy toggle, edit lock, status tag in page explorer & edit views (Helen Chapman, Katie Locke)
* Added screen-reader labels for dashboard summary cards (Helen Chapman, Katie Locke)
* Added screen-reader labels for privacy toggle of collections (Helen Chapman, Katie Locke)
* Added `construct_settings_menu` hook (Jordan Bauer, Quadric)
* Fixed compatibility of date / time choosers with wagtail-react-streamfield (Mike Hearn)
* Performance optimization of several admin functions, including breadcrumbs, home and index pages (Fidel Ramos)
* Fix: ModelAdmin no longer fails when filtering over a foreign key relation (Jason Dilworth, Matt Westcott)
* Fix: The Wagtail version number is now visible within the Settings menu (Kevin Howbrook)
* Fix: Scaling images now rounds values to an integer so that images render without errors (Adrian Brunyate)
* Fix: Revised test decorator to ensure TestPageEditHandlers test cases run correctly (Alex Tomkins)
* Fix: Wagtail bird animation in admin now ends correctly on all browsers (Deniz Dogan)
* Fix: Explorer menu no longer shows sibling pages for which the user does not have access (Mike Hearn)
* Fix: Fixed occurrences of invalid HTML across the CMS admin (Thibaud Colas)
* Fix: Admin HTML now includes the correct `dir` attribute for the active language (Andreas Bernacca)
* Fix: Fix type error when using `--chunk_size` argument on `./manage.py update_index` (Seb Brown)
* Fix: Avoid rendering entire form in EditHandler's `repr` method (Alex Tomkins)
* Fix: Add empty alt attributes to HTML output of Embedly and oEmbed embed finders (Andreas Bernacca)
* Fix: Add empty alt attributes to all images in the CMS admin (Andreas Bernacca)
* Fix: Make URL generator preview image alt translateable (Thibaud Colas)
* Fix: Clear pending AJAX request if error occurs on page chooser (Matt Westcott)
* Fix: Prevent text from overlapping in focal point editing UI (Beth Menzies)
* Fix: Screen readers now announce "Dashboard" for the main nav’s logo link instead of Wagtail’s version number (Thibaud Colas)
* Fix: Screen readers now treat page-level action dropdowns as navigation instead of menus (Helen Chapman)
* Fix: Make icon font implementation more screen-reader-friendly (Thibaud Colas)
* Fix: Remove duplicate labels in image gallery and image choosers for screen reader users (Helen Chapman)
* Fix: Restore custom "Date" icon for scheduled publishing panel in Edit page’s Settings tab (Helen Chapman)
* Fix: Added missing form media to user edit form template (Matt Westcott)
* Fix: Add a label to the modals’ “close” button for screen reader users (Helen Chapman, Katie Locke)
* Fix: Ensure the 'add child page' button displays when focused (Helen Chapman, Katie Locke)
* Fix: Remove tab order customisations in CMS admin (Jordan Bauer)
* Fix: Add labels to permission checkboxes for screen reader users (Helen Chapman, Katie Locke)
* Fix: Page.copy() no longer copies child objects when the accessor name is included in `exclude_fields_in_copy` (Karl Hobley)
* Fix: Move focus to the pages explorer menu when open (Helen Chapman)
* Fix: Clicking the privacy toggle while the page is still loading no longer loads the wrong data in the page (Helen Chapman)
* Fix: Added missing `is_stored_locally` method to `AbstractDocument` (jonny5532)
* Fix: Query model no longer removes punctuation as part of string normalisation (William Blackie)
* Fix: Make login test helper work with user models with non-default username fields (Andrew Miller)
* Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)

2.5.2
~~~~~~~~~~~~~~~~~~

* Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)
Links

Update Django from 2.2.3 to 2.2.4.

Changelog

2.2.4
==========================

*August 1, 2019*

Django 2.2.4 fixes security issues and several bugs in 2.2.3.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.

CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
====================================================================================================

:lookup:`Key and index lookups <jsonfield.key>` for
:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
=====================================================================================

If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

Bugfixes
========

* Fixed a regression in Django 2.2 when ordering a ``QuerySet.union()``,
``intersection()``, or ``difference()`` by a field type present more than
once results in the wrong ordering being used (:ticket:`30628`).

* Fixed a migration crash on PostgreSQL when adding a check constraint
with a ``contains`` lookup on
:class:`~django.contrib.postgres.fields.DateRangeField` or
:class:`~django.contrib.postgres.fields.DateTimeRangeField`, if the right
hand side of an expression is the same type (:ticket:`30621`).

* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path
contains null characters (``'\x00'``) (:ticket:`30506`).

* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation
directory cannot be resolved (:ticket:`30647`).

Links

Update django-autoslug from 1.9.5 to 1.9.6.

Changelog

1.9.6
------------------

Handle timezones for datetime fields
Links

Update flake8-docstrings from 1.3.0 to 1.3.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links
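The practical point of this update is that the pins move past the versions that carry the four Django advisories and the Wagtail 2.6.1 fix. The following is an added example, not code from pyup or from this repository: a small check that parses a `requirements.txt`-style pin list and reports any package still pinned below the minimum fixed version named in the changelog above. The `MIN_FIXED` table, the `find_outdated` helper and the sample pin lists are all constructed here for illustration.

```python
"""Gate pinned dependency versions against the fixed versions in this update.

Hypothetical helper written for this page; the minimum versions and CVE ids
are taken from the changelog in the pull request, the rest is constructed.
"""
import re
from typing import Dict, List, Tuple

# package name -> (first fixed version, advisories it closes), per the changelog
MIN_FIXED: Dict[str, Tuple[str, List[str]]] = {
    "django": ("2.2.4", ["CVE-2019-14232", "CVE-2019-14233",
                         "CVE-2019-14234", "CVE-2019-14235"]),
    "wagtail": ("2.6.1", ["JS errors from unescaped quotes in translations"]),
}

# Matches exact pins such as "Django==2.2.3"; other specifiers are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")

# Constructed sample pin lists: the state before and after this PR.
PINS_BEFORE = "wagtail==2.5.1\nDjango==2.2.3\ndjango-autoslug==1.9.5\nflake8-docstrings==1.3.0\n"
PINS_AFTER = "wagtail==2.6.1\nDjango==2.2.4\ndjango-autoslug==1.9.6\nflake8-docstrings==1.3.1\n"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.4' into (2, 2, 4); non-numeric tails are dropped."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_pins(text: str) -> Dict[str, str]:
    """Collect 'name==version' pins, case-insensitive on the name, comments stripped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        match = PIN_RE.match(line.split("#", 1)[0])
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_outdated(requirements_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (name, pinned, first_fixed, advisories) for every pin below the fixed version."""
    pins = parse_pins(requirements_text)
    findings = []
    for name, (fixed, advisories) in MIN_FIXED.items():
        pinned = pins.get(name)
        if pinned is not None and parse_version(pinned) < parse_version(fixed):
            findings.append((name, pinned, fixed, advisories))
    return findings
```

Run in CI, a non-empty result from `find_outdated` is the signal to merge a scheduled update like this one rather than letting it sit.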

@fuzzylogic2000 fuzzylogic2000 merged commit 42ad92f into master Aug 8, 2019
@fuzzylogic2000 fuzzylogic2000 deleted the pyup-scheduled-update-2019-08-05 branch August 8, 2019 08:36