[Python-modules-commits] [python-django] 03/06: New upstream version 1.8.18

Raphaël Hertzog hertzog at moszumanska.debian.org
Sat May 20 14:02:53 UTC 2017


This is an automated email from the git hooks/post-receive script.

hertzog pushed a commit to branch debian/jessie-backports
in repository python-django.

commit 4a298439d6fa6a39eec51e4eee0cc79120f985f3
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Sat May 20 15:33:59 2017 +0200

    New upstream version 1.8.18
---
 .gitattributes                                  |  5 --
 .gitignore                                      | 13 -----
 .hgignore                                       | 15 -----
 .tx/config                                      | 73 -------------------------
 CONTRIBUTING.rst                                | 26 ---------
 Django.egg-info/PKG-INFO                        |  2 +-
 Django.egg-info/SOURCES.txt                     |  9 +--
 PKG-INFO                                        |  2 +-
 django/__init__.py                              |  2 +-
 django/contrib/admin/bin/compress.py            | 53 ------------------
 django/contrib/sitemaps/tests/test_flatpages.py | 62 ---------------------
 django/db/backends/oracle/creation.py           |  4 +-
 django/utils/http.py                            | 66 +++++++++++++++++++++-
 django/views/static.py                          | 22 ++------
 docs/_ext/djangodocs.py                         |  3 +
 docs/_ext/ticket_role.py                        |  1 +
 docs/conf.py                                    |  3 -
 docs/ref/databases.txt                          |  7 ++-
 docs/ref/request-response.txt                   |  2 +-
 docs/releases/1.8.17.txt                        | 14 +++++
 docs/releases/1.8.18.txt                        | 30 ++++++++++
 docs/releases/index.txt                         |  2 +
 docs/releases/security.txt                      | 26 +++++++++
 setup.cfg                                       |  3 +-
 tests/backends/tests.py                         |  4 +-
 tests/gis_tests/test_geoip.py                   |  2 +-
 tests/requirements/base.txt                     |  2 +-
 tests/requirements/oracle.txt                   |  2 +-
 tests/utils_tests/test_http.py                  |  5 +-
 29 files changed, 168 insertions(+), 292 deletions(-)

diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index cd42cc5..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,5 +0,0 @@
-# Normalize line endings to avoid spurious failures in the core test suite on Windows.
-*html text eol=lf
-*css text eol=lf
-tests/staticfiles_tests/apps/test/static/test/*txt text eol=lf
-tests/staticfiles_tests/project/documents/test/*txt text eol=lf
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 504361b..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,13 +0,0 @@
-*.egg-info
-*.pot
-*.py[co]
-__pycache__
-MANIFEST
-dist/
-docs/_build/
-docs/locale/
-node_modules/
-tests/coverage_html/
-tests/.coverage
-build/
-tests/report/
diff --git a/.hgignore b/.hgignore
deleted file mode 100644
index 8c900d5..0000000
--- a/.hgignore
+++ /dev/null
@@ -1,15 +0,0 @@
-syntax:glob
-
-*.egg-info
-*.pot
-*.py[co]
-__pycache__
-MANIFEST
-dist/
-docs/_build/
-docs/locale/
-node_modules/
-tests/coverage_html/
-tests/.coverage
-build/
-tests/report/
diff --git a/.tx/config b/.tx/config
deleted file mode 100644
index 44f8a7e..0000000
--- a/.tx/config
+++ /dev/null
@@ -1,73 +0,0 @@
-[main]
-host = https://www.transifex.com
-lang_map = sr at latin:sr_Latn, zh_CN:zh_Hans, zh_TW:zh_Hant
-
-[django.core]
-file_filter = django/conf/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/conf/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-admin]
-file_filter = django/contrib/admin/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/admin/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-admin-js]
-file_filter = django/contrib/admin/locale/<lang>/LC_MESSAGES/djangojs.po
-source_file = django/contrib/admin/locale/en/LC_MESSAGES/djangojs.po
-source_lang = en
-
-[django.contrib-admindocs]
-file_filter = django/contrib/admindocs/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/admindocs/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-auth]
-file_filter = django/contrib/auth/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/auth/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-contenttypes]
-file_filter = django/contrib/contenttypes/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/contenttypes/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-flatpages]
-file_filter = django/contrib/flatpages/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/flatpages/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-gis]
-file_filter = django/contrib/gis/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/gis/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-humanize]
-file_filter = django/contrib/humanize/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/humanize/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-messages]
-file_filter = django/contrib/messages/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/messages/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-postgres]
-file_filter = django/contrib/postgres/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/postgres/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-redirects]
-file_filter = django/contrib/redirects/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/redirects/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-sessions]
-file_filter = django/contrib/sessions/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/sessions/locale/en/LC_MESSAGES/django.po
-source_lang = en
-
-[django.contrib-sites]
-file_filter = django/contrib/sites/locale/<lang>/LC_MESSAGES/django.po
-source_file = django/contrib/sites/locale/en/LC_MESSAGES/django.po
-source_lang = en
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
deleted file mode 100644
index 4a5887b..0000000
--- a/CONTRIBUTING.rst
+++ /dev/null
@@ -1,26 +0,0 @@
-======================
-Contributing to Django
-======================
-
-As an open source project, Django welcomes contributions of many forms.
-
-Examples of contributions include:
-
-* Code patches
-* Documentation improvements
-* Bug reports and patch reviews
-
-Extensive contribution guidelines are available in the repository at
-``docs/internals/contributing/``, or online at:
-
-https://docs.djangoproject.com/en/dev/internals/contributing/
-
-**Warning: non-trivial pull requests (anything more than fixing a typo) without
-Trac tickets will be closed!** `Please file a ticket`__ to suggest changes.
-
-__ https://code.djangoproject.com/newticket
-
-Django uses Trac to keep track of bugs, feature requests, and associated
-patches because GitHub doesn't provide adequate tooling for its community.
-Patches can be submitted as pull requests, but if you don't file a ticket,
-it's unlikely that we'll notice your contribution.
diff --git a/Django.egg-info/PKG-INFO b/Django.egg-info/PKG-INFO
index 3325eae..e60a504 100644
--- a/Django.egg-info/PKG-INFO
+++ b/Django.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Django
-Version: 1.8.16
+Version: 1.8.18
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: http://www.djangoproject.com/
 Author: Django Software Foundation
diff --git a/Django.egg-info/SOURCES.txt b/Django.egg-info/SOURCES.txt
index b989880..ccd4764 100644
--- a/Django.egg-info/SOURCES.txt
+++ b/Django.egg-info/SOURCES.txt
@@ -1,15 +1,10 @@
-.gitattributes
-.gitignore
-.hgignore
 AUTHORS
-CONTRIBUTING.rst
 INSTALL
 LICENSE
 MANIFEST.in
 README.rst
 setup.cfg
 setup.py
-.tx/config
 Django.egg-info/PKG-INFO
 Django.egg-info/SOURCES.txt
 Django.egg-info/dependency_links.txt
@@ -368,7 +363,6 @@ django/contrib/admin/util.py
 django/contrib/admin/utils.py
 django/contrib/admin/validation.py
 django/contrib/admin/widgets.py
-django/contrib/admin/bin/compress.py
 django/contrib/admin/locale/af/LC_MESSAGES/django.mo
 django/contrib/admin/locale/af/LC_MESSAGES/django.po
 django/contrib/admin/locale/af/LC_MESSAGES/djangojs.mo
@@ -2534,7 +2528,6 @@ django/contrib/sitemaps/management/commands/__init__.py
 django/contrib/sitemaps/management/commands/ping_google.py
 django/contrib/sitemaps/templates/sitemap.xml
 django/contrib/sitemaps/templates/sitemap_index.xml
-django/contrib/sitemaps/tests/test_flatpages.py
 django/contrib/sites/__init__.py
 django/contrib/sites/admin.py
 django/contrib/sites/apps.py
@@ -3416,6 +3409,8 @@ docs/releases/1.8.13.txt
 docs/releases/1.8.14.txt
 docs/releases/1.8.15.txt
 docs/releases/1.8.16.txt
+docs/releases/1.8.17.txt
+docs/releases/1.8.18.txt
 docs/releases/1.8.2.txt
 docs/releases/1.8.3.txt
 docs/releases/1.8.4.txt
diff --git a/PKG-INFO b/PKG-INFO
index 3325eae..e60a504 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Django
-Version: 1.8.16
+Version: 1.8.18
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 Home-page: http://www.djangoproject.com/
 Author: Django Software Foundation
diff --git a/django/__init__.py b/django/__init__.py
index f877179..32f979d 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
 from django.utils.version import get_version
 
-VERSION = (1, 8, 16, 'final', 0)
+VERSION = (1, 8, 18, 'final', 0)
 
 __version__ = get_version(VERSION)
 
diff --git a/django/contrib/admin/bin/compress.py b/django/contrib/admin/bin/compress.py
deleted file mode 100644
index 7ae7ed8..0000000
--- a/django/contrib/admin/bin/compress.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python
-import argparse
-import os
-import subprocess
-import sys
-
-js_path = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'static', 'admin', 'js')
-
-
-def main():
-    description = """With no file paths given this script will automatically
-compress all jQuery-based files of the admin app. Requires the Google Closure
-Compiler library and Java version 6 or later."""
-    parser = argparse.ArgumentParser(description=description)
-    parser.add_argument('file', nargs='*')
-    parser.add_argument("-c", dest="compiler", default="~/bin/compiler.jar",
-                      help="path to Closure Compiler jar file")
-    parser.add_argument("-v", "--verbose",
-                      action="store_true", dest="verbose")
-    parser.add_argument("-q", "--quiet",
-                      action="store_false", dest="verbose")
-    options = parser.parse_args()
-
-    compiler = os.path.expanduser(options.compiler)
-    if not os.path.exists(compiler):
-        sys.exit(
-            "Google Closure compiler jar file %s not found. Please use the -c "
-            "option to specify the path." % compiler
-        )
-
-    if not options.file:
-        if options.verbose:
-            sys.stdout.write("No filenames given; defaulting to admin scripts\n")
-        files = [os.path.join(js_path, f) for f in [
-            "actions.js", "collapse.js", "inlines.js", "prepopulate.js"]]
-    else:
-        files = options.file
-
-    for file_name in files:
-        if not file_name.endswith(".js"):
-            file_name = file_name + ".js"
-        to_compress = os.path.expanduser(file_name)
-        if os.path.exists(to_compress):
-            to_compress_min = "%s.min.js" % "".join(file_name.rsplit(".js"))
-            cmd = "java -jar %s --js %s --js_output_file %s" % (compiler, to_compress, to_compress_min)
-            if options.verbose:
-                sys.stdout.write("Running: %s\n" % cmd)
-            subprocess.call(cmd.split())
-        else:
-            sys.stdout.write("File %s not found. Sure it exists?\n" % to_compress)
-
-if __name__ == '__main__':
-    main()
diff --git a/django/contrib/sitemaps/tests/test_flatpages.py b/django/contrib/sitemaps/tests/test_flatpages.py
deleted file mode 100644
index 36bdcf3..0000000
--- a/django/contrib/sitemaps/tests/test_flatpages.py
+++ /dev/null
@@ -1,62 +0,0 @@
-from __future__ import unicode_literals
-
-import warnings
-from unittest import skipUnless
-
-from django.apps import apps
-from django.conf import settings
-from django.contrib.sitemaps import FlatPageSitemap
-from django.test import SimpleTestCase, ignore_warnings
-from django.utils.deprecation import RemovedInDjango19Warning
-
-from .base import SitemapTestsBase
-
-
-class FlatpagesSitemapTests(SitemapTestsBase):
-
-    @ignore_warnings(category=RemovedInDjango19Warning)
-    @skipUnless(apps.is_installed('django.contrib.flatpages'),
-                "django.contrib.flatpages app not installed.")
-    def test_flatpage_sitemap(self):
-        "Basic FlatPage sitemap test"
-
-        # Import FlatPage inside the test so that when django.contrib.flatpages
-        # is not installed we don't get problems trying to delete Site
-        # objects (FlatPage has an M2M to Site, Site.delete() tries to
-        # delete related objects, but the M2M table doesn't exist.
-        from django.contrib.flatpages.models import FlatPage
-
-        public = FlatPage.objects.create(
-            url='/public/',
-            title='Public Page',
-            enable_comments=True,
-            registration_required=False,
-        )
-        public.sites.add(settings.SITE_ID)
-        private = FlatPage.objects.create(
-            url='/private/',
-            title='Private Page',
-            enable_comments=True,
-            registration_required=True
-        )
-        private.sites.add(settings.SITE_ID)
-        response = self.client.get('/flatpages/sitemap.xml')
-        # Public flatpage should be in the sitemap
-        self.assertContains(response, '<loc>%s%s</loc>' % (self.base_url, public.url))
-        # Private flatpage should not be in the sitemap
-        self.assertNotContains(response, '<loc>%s%s</loc>' % (self.base_url, private.url))
-
-
-class FlatpagesSitemapDeprecationTests(SimpleTestCase):
-
-    def test_deprecation(self):
-        with warnings.catch_warnings(record=True) as warns:
-            warnings.simplefilter('always')
-            FlatPageSitemap()
-
-        self.assertEqual(len(warns), 1)
-        self.assertEqual(
-            str(warns[0].message),
-            "'django.contrib.sitemaps.FlatPageSitemap' is deprecated. "
-            "Use 'django.contrib.flatpages.sitemaps.FlatPageSitemap' instead.",
-        )
diff --git a/django/db/backends/oracle/creation.py b/django/db/backends/oracle/creation.py
index 28475a6..255a770 100644
--- a/django/db/backends/oracle/creation.py
+++ b/django/db/backends/oracle/creation.py
@@ -174,7 +174,7 @@ class DatabaseCreation(BaseDatabaseCreation):
             print("_create_test_user(): username = %s" % parameters['user'])
         statements = [
             """CREATE USER %(user)s
-               IDENTIFIED BY %(password)s
+               IDENTIFIED BY "%(password)s"
                DEFAULT TABLESPACE %(tblspace)s
                TEMPORARY TABLESPACE %(tblspace_temp)s
                QUOTA UNLIMITED ON %(tblspace)s
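Review bot: The password is now wrapped in double quotes but is still spliced into the DDL with `%` formatting, so a value that itself contains `"` would close the quoted string early and yield a malformed or altered statement. The same applies to the `ALTER USER` statement in the next hunk. Where `parameters['password']` comes from is outside these hunks; if it can be the `PASSWORD` test setting, reject the character before the statements are built, for example `if '"' in parameters['password']: raise ValueError("Oracle test user password must not contain a double quote")`. The enclosing method starts and ends outside the hunk.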
@@ -191,7 +191,7 @@ class DatabaseCreation(BaseDatabaseCreation):
         success = self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
         # If the password was randomly generated, change the user accordingly.
         if not success and self._test_settings_get('PASSWORD') is None:
-            set_password = "ALTER USER %(user)s IDENTIFIED BY %(password)s"
+            set_password = 'ALTER USER %(user)s IDENTIFIED BY "%(password)s"'
             self._execute_statements(cursor, [set_password], parameters, verbosity)
         # Most test-suites can be run without the create-view privilege. But some need it.
         extra = "GRANT CREATE VIEW TO %(user)s"
diff --git a/django/utils/http.py b/django/utils/http.py
index b70720d..01671f3 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -18,6 +18,18 @@ from django.utils.six.moves.urllib.parse import (
     urlparse,
 )
 
+if six.PY2:
+    from urlparse import (
+        ParseResult, SplitResult, _splitnetloc, _splitparams, scheme_chars,
+        uses_params,
+    )
+    _coerce_args = None
+else:
+    from urllib.parse import (
+        ParseResult, SplitResult, _coerce_args, _splitnetloc, _splitparams,
+        scheme_chars, uses_params,
+    )
+
 ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
 
 MONTHS = 'jan feb mar apr may jun jul aug sep oct nov dec'.split()
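Review bot: The underscore-prefixed names imported here (`_splitnetloc`, `_splitparams`, `_coerce_args`) are private to the standard library's URL module, so they may be removed or change signature in a later Python release. A failed import at this point would make the whole of `django.utils.http` unimportable. A comment above the block would make the dependency visible to whoever bumps the supported Python versions, for example `# Private stdlib helpers needed by the copied _urlparse()/_urlsplit() below; re-check on every new Python release.`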
@@ -287,12 +299,64 @@ def is_safe_url(url, host=None):
     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
 
 
+# Copied from urllib.parse.urlparse() but uses fixed urlsplit() function.
+def _urlparse(url, scheme='', allow_fragments=True):
+    """Parse a URL into 6 components:
+    <scheme>://<netloc>/<path>;<params>?<query>#<fragment>
+    Return a 6-tuple: (scheme, netloc, path, params, query, fragment).
+    Note that we don't break the components up in smaller bits
+    (e.g. netloc is a single string) and we don't expand % escapes."""
+    if _coerce_args:
+        url, scheme, _coerce_result = _coerce_args(url, scheme)
+    splitresult = _urlsplit(url, scheme, allow_fragments)
+    scheme, netloc, url, query, fragment = splitresult
+    if scheme in uses_params and ';' in url:
+        url, params = _splitparams(url)
+    else:
+        params = ''
+    result = ParseResult(scheme, netloc, url, params, query, fragment)
+    return _coerce_result(result) if _coerce_args else result
+
+
+# Copied from urllib.parse.urlsplit() with
+# https://github.com/python/cpython/pull/661 applied.
+def _urlsplit(url, scheme='', allow_fragments=True):
+    """Parse a URL into 5 components:
+    <scheme>://<netloc>/<path>?<query>#<fragment>
+    Return a 5-tuple: (scheme, netloc, path, query, fragment).
+    Note that we don't break the components up in smaller bits
+    (e.g. netloc is a single string) and we don't expand % escapes."""
+    if _coerce_args:
+        url, scheme, _coerce_result = _coerce_args(url, scheme)
+    allow_fragments = bool(allow_fragments)
+    netloc = query = fragment = ''
+    i = url.find(':')
+    if i > 0:
+        for c in url[:i]:
+            if c not in scheme_chars:
+                break
+        else:
+            scheme, url = url[:i].lower(), url[i + 1:]
+
+    if url[:2] == '//':
+        netloc, url = _splitnetloc(url, 2)
+        if (('[' in netloc and ']' not in netloc) or
+                (']' in netloc and '[' not in netloc)):
+            raise ValueError("Invalid IPv6 URL")
+    if allow_fragments and '#' in url:
+        url, fragment = url.split('#', 1)
+    if '?' in url:
+        url, query = url.split('?', 1)
+    v = SplitResult(scheme, netloc, url, query, fragment)
+    return _coerce_result(v) if _coerce_args else v
+
+
 def _is_safe_url(url, host):
     # Chrome considers any URL with more than two slashes to be absolute, but
     # urlparse is not so flexible. Treat any url with three slashes as unsafe.
     if url.startswith('///'):
         return False
-    url_info = urlparse(url)
+    url_info = _urlparse(url)
     # Forbid URLs like http:///example.com - with a scheme, but without a hostname.
     # In that URL, example.com is not the hostname but, a path component. However,
     # Chrome will still consider example.com to be the hostname, so we must not
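Review bot: `_urlsplit()` raises `ValueError("Invalid IPv6 URL")` for a netloc with an unbalanced bracket, and the visible part of `_is_safe_url()` calls `_urlparse(url)` without catching it. A malformed redirect target would then surface as an unhandled exception instead of being rejected. Treating a parse failure as unsafe keeps the check fail-closed: wrap the call as `try: url_info = _urlparse(url)` followed by `except ValueError: return False`. `_is_safe_url()` continues past the end of the hunk, so handling further down or in the caller cannot be ruled out from here. A matching entry among the bad URLs in `tests/utils_tests/test_http.py` would pin the behaviour.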
diff --git a/django/views/static.py b/django/views/static.py
index 9959b96..9e4e916 100644
--- a/django/views/static.py
+++ b/django/views/static.py
@@ -12,9 +12,9 @@ import stat
 
 from django.http import (
     FileResponse, Http404, HttpResponse, HttpResponseNotModified,
-    HttpResponseRedirect,
 )
 from django.template import Context, Engine, TemplateDoesNotExist, loader
+from django.utils._os import safe_join
 from django.utils.http import http_date, parse_http_date
 from django.utils.six.moves.urllib.parse import unquote
 from django.utils.translation import ugettext as _, ugettext_lazy
@@ -36,25 +36,11 @@ def serve(request, path, document_root=None, show_indexes=False):
     but if you'd like to override it, you can create a template called
     ``static/directory_index.html``.
     """
-    path = posixpath.normpath(unquote(path))
-    path = path.lstrip('/')
-    newpath = ''
-    for part in path.split('/'):
-        if not part:
-            # Strip empty path components.
-            continue
-        drive, part = os.path.splitdrive(part)
-        head, part = os.path.split(part)
-        if part in (os.curdir, os.pardir):
-            # Strip '.' and '..' in path.
-            continue
-        newpath = os.path.join(newpath, part).replace('\\', '/')
-    if newpath and path != newpath:
-        return HttpResponseRedirect(newpath)
-    fullpath = os.path.join(document_root, newpath)
+    path = posixpath.normpath(unquote(path)).lstrip('/')
+    fullpath = safe_join(document_root, path)
     if os.path.isdir(fullpath):
         if show_indexes:
-            return directory_index(newpath, fullpath)
+            return directory_index(path, fullpath)
         raise Http404(_("Directory indexes are not allowed here."))
     if not os.path.exists(fullpath):
         raise Http404(_('"%(path)s" does not exist') % {'path': fullpath})
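Review bot: The two new lines at the top of `serve()` hand path confinement entirely to `safe_join()`, but nothing in the body says so or says what happens when a request resolves outside `document_root`. A comment above the call would record the contract, for example `# safe_join() refuses paths that resolve outside document_root; the resulting exception is left to propagate rather than being turned into a redirect.` Separately, the unchanged 404 message on the last line formats `fullpath`, which puts the absolute filesystem location into the error text wherever that message is rendered. Using the request-relative `path` there would avoid this. The function continues past the end of the hunk.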
diff --git a/docs/_ext/djangodocs.py b/docs/_ext/djangodocs.py
index fd93194..9f2ca20 100644
--- a/docs/_ext/djangodocs.py
+++ b/docs/_ext/djangodocs.py
@@ -67,6 +67,9 @@ def setup(app):
                  man=(visit_snippet_literal, depart_snippet_literal),
                  text=(visit_snippet_literal, depart_snippet_literal),
                  texinfo=(visit_snippet_literal, depart_snippet_literal))
+    app.set_translator('djangohtml', DjangoHTMLTranslator)
+    app.set_translator('json', DjangoHTMLTranslator)
+    return {'parallel_read_safe': True}
 
 
 class snippet_with_filename(nodes.literal_block):
diff --git a/docs/_ext/ticket_role.py b/docs/_ext/ticket_role.py
index b537785..809b423 100644
--- a/docs/_ext/ticket_role.py
+++ b/docs/_ext/ticket_role.py
@@ -36,3 +36,4 @@ def ticket_role(name, rawtext, text, lineno, inliner, options=None, content=None
 def setup(app):
     app.add_config_value('ticket_url', None, 'env')
     app.add_role('ticket', ticket_role)
+    return {'parallel_read_safe': True}
diff --git a/docs/conf.py b/docs/conf.py
index 1bdefc0..29c876b 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -192,9 +192,6 @@ html_last_updated_fmt = '%b %d, %Y'
 # typographically correct entities.
 html_use_smartypants = True
 
-# HTML translator class for the builder
-html_translator_class = "djangodocs.DjangoHTMLTranslator"
-
 # Content template for the index page.
 # html_index = ''
 
diff --git a/docs/ref/databases.txt b/docs/ref/databases.txt
index ed15390..b9e1558 100644
--- a/docs/ref/databases.txt
+++ b/docs/ref/databases.txt
@@ -701,9 +701,9 @@ you add quotes where necessary before copying a query into an SQLite shell.
 Oracle notes
 ============
 
-Django supports `Oracle Database Server`_ versions 11.1 and higher. Version
-4.3.1 or higher of the `cx_Oracle`_ Python driver is required, although we
-recommend version 5.1.3 or later as these versions support Python 3.
+Django supports `Oracle Database Server`_ versions 11.1 and higher. Versions
+4.3.1 through 5.2.1 of the `cx_Oracle`_ Python driver are supported, although
+5.1.3 or later is recommended as these versions support Python 3.
 
 Note that due to a Unicode-corruption bug in ``cx_Oracle`` 5.0, that
 version of the driver should **not** be used with Django;
@@ -729,6 +729,7 @@ To run a project's test suite, the user usually needs these *additional*
 privileges:
 
 * CREATE USER
+* ALTER USER
 * DROP USER
 * CREATE TABLESPACE
 * DROP TABLESPACE
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index 30b2346..6f6502b 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -341,7 +341,7 @@ Methods
     If a response varies on whether or not it's requested via AJAX and you are
     using some form of caching like Django's :mod:`cache middleware
     <django.middleware.cache>`, you should decorate the view with
-    :func:`vary_on_headers('HTTP_X_REQUESTED_WITH')
+    :func:`vary_on_headers('X-Requested-With')
     <django.views.decorators.vary.vary_on_headers>` so that the responses are
     properly cached.
 
diff --git a/docs/releases/1.8.17.txt b/docs/releases/1.8.17.txt
new file mode 100644
index 0000000..fc45b8a
--- /dev/null
+++ b/docs/releases/1.8.17.txt
@@ -0,0 +1,14 @@
+===========================
+Django 1.8.17 release notes
+===========================
+
+*December 1, 2016*
+
+Django 1.8.17 fixes a regression in 1.8.16.
+
+Bugfixes
+========
+
+* Quoted the Oracle test user's password in queries to fix the "ORA-00922:
+  missing or invalid option" error when the password starts with a number or
+  special character (:ticket:`27420`).
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt
new file mode 100644
index 0000000..f41c7d0
--- /dev/null
+++ b/docs/releases/1.8.18.txt
@@ -0,0 +1,30 @@
+===========================
+Django 1.8.18 release notes
+===========================
+
+*April 4, 2017*
+
+Django 1.8.18 fixes two security issues in 1.8.17.
+
+CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
+============================================================================================
+
+Django relies on user input in some cases  (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
+URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 134da0f..533d1f0 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,8 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.8.18
+   1.8.17
    1.8.16
    1.8.15
    1.8.14
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index 898b7f3..171e19d 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -781,3 +781,29 @@ Versions affected
 
 * Django 1.9 `(patch) <https://github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a>`__
 * Django 1.8 `(patch) <https://github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a>`__
+
+November 1, 2016 - :cve:`2016-9013`
+-----------------------------------
+
+User with hardcoded password created when running tests on Oracle. `Full
+description <https://www.djangoproject.com/weblog/2016/nov/01/security-releases/>`__
+
+Versions affected
+~~~~~~~~~~~~~~~~~
+
+* Django 1.10 `(patch) <https://github.com/django/django/commit/34e10720d81b8d407aa14d763b6a7fe8f13b4f2e>`__
+* Django 1.9 `(patch) <https://github.com/django/django/commit/4844d86c7728c1a5a3bbce4ad336a8d32304072b>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/70f99952965a430daf69eeb9947079aae535d2d0>`__
+
+November 1, 2016 - :cve:`2016-9014`
+-----------------------------------
+
+DNS rebinding vulnerability when ``DEBUG=True``. `Full description
+<https://www.djangoproject.com/weblog/2016/nov/01/security-releases/>`__
+
+Versions affected
+~~~~~~~~~~~~~~~~~
+
+* Django 1.10 `(patch) <https://github.com/django/django/commit/884e113838e5a72b4b0ec9e5e87aa480f6aa4472>`__
+* Django 1.9 `(patch) <https://github.com/django/django/commit/45acd6d836895a4c36575f48b3fb36a3dae98d19>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/c401ae9a7dfb1a94a8a61927ed541d6f93089587>`__
diff --git a/setup.cfg b/setup.cfg
index fac4f6b..c0eee31 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -4,7 +4,7 @@ install-script = scripts/rpm-install.sh
 
 [flake8]
 exclude = build,.git,./django/utils/dictconfig.py,./django/utils/unittest.py,./django/utils/lru_cache.py,./django/utils/six.py,./django/conf/app_template/*,./django/dispatch/weakref_backports.py,./tests/.env,./xmlrunner
-ignore = E123,E128,E402,E501,W503,E731,W601
+ignore = E123,E128,E305,E402,E501,W503,E731,E741,E743,W601
 max-line-length = 119
 
 [isort]
@@ -23,5 +23,4 @@ universal = 1
 [egg_info]
 tag_build = 
 tag_date = 0
-tag_svn_revision = 0
 
diff --git a/tests/backends/tests.py b/tests/backends/tests.py
index a645d9f..52bcdcb 100644
--- a/tests/backends/tests.py
+++ b/tests/backends/tests.py
@@ -293,6 +293,7 @@ class PostgreSQLTests(TestCase):
         """
         Regression test for #18130 and #24318.
         """
+        import psycopg2
         from psycopg2.extensions import (
             ISOLATION_LEVEL_READ_COMMITTED as read_committed,
             ISOLATION_LEVEL_SERIALIZABLE as serializable,
@@ -303,7 +304,8 @@ class PostgreSQLTests(TestCase):
         # PostgreSQL is configured with the default isolation level.
 
         # Check the level on the psycopg2 connection, not the Django wrapper.
-        self.assertEqual(connection.connection.isolation_level, read_committed)
+        default_level = read_committed if psycopg2.__version__ < '2.7' else None
+        self.assertEqual(connection.connection.isolation_level, default_level)
 
         databases = copy.deepcopy(settings.DATABASES)
         databases[DEFAULT_DB_ALIAS]['OPTIONS']['isolation_level'] = serializable
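Review bot: `psycopg2.__version__ < '2.7'` compares strings, so the ordering is lexicographic. A later release such as `'2.10'` sorts before `'2.7'`, and the test would then expect `read_committed` again. Compare numeric components instead, assuming the usual `X.Y.Z (flags)` form of the version string: `psycopg2_version = tuple(int(p) for p in psycopg2.__version__.split(' ')[0].split('.')[:2])` and `default_level = read_committed if psycopg2_version < (2, 7) else None`. The `import psycopg2` this relies on is added in the previous hunk, and the test method starts above it and continues below this one.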
diff --git a/tests/gis_tests/test_geoip.py b/tests/gis_tests/test_geoip.py
index b7bb24c..0fe6ca6 100644
--- a/tests/gis_tests/test_geoip.py
+++ b/tests/gis_tests/test_geoip.py
@@ -113,7 +113,7 @@ class GeoIPTest(unittest.TestCase):
     def test05_unicode_response(self):
         "Testing that GeoIP strings are properly encoded, see #16553."
         g = GeoIP()
-        d = g.city("hs-duesseldorf.de")
+        d = g.city("messe-duesseldorf.com")
         self.assertEqual('Düsseldorf', d['city'])
         d = g.country('200.26.205.1')
         # Some databases have only unaccented countries
diff --git a/tests/requirements/base.txt b/tests/requirements/base.txt
index e063506..5967bf2 100644
--- a/tests/requirements/base.txt
+++ b/tests/requirements/base.txt
@@ -3,7 +3,7 @@ docutils
 jinja2 >= 2.7
 # move to py2.txt when dropping Python 3.2
 mock
-numpy
+numpy < 1.12
 Pillow
 PyYAML
 pytz > dev
diff --git a/tests/requirements/oracle.txt b/tests/requirements/oracle.txt
index ae5b734..7fc059e 100644
--- a/tests/requirements/oracle.txt
+++ b/tests/requirements/oracle.txt
@@ -1 +1 @@
-cx_oracle
+cx_oracle < 5.3
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index c487d80..a04d74a 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -123,6 +123,8 @@ class TestUtilsHttp(unittest.TestCase):
                         r'http://testserver\me:pass@example.com',
                         r'http://testserver\@example.com',
                         r'http:\\testserver\confirm\me at example.com',
+                        'http:999999999',
+                        'ftp:9999999999',
                         '\n'):
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
         for good_url in ('/view/?param=http://example.com',
@@ -133,7 +135,8 @@ class TestUtilsHttp(unittest.TestCase):
                      'HTTPS://testserver/',
                      '//testserver/',
                      'http://testserver/confirm?email=me@example.com',
-                     '/url%20with%20spaces/'):
+                     '/url%20with%20spaces/',
+                     'path/http:2222222222'):
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
 
         if six.PY2:

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git


