When `NotUpdated` was added in ab148c02ce,
these additional tests that have equivalents for the `DoesNotExist` and
`MultipleObjectsReturned` exceptions were missed.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada32.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Unlike Chromium-based browsers, Firefox does not automatically scroll
elements into view when using the Actions API with move_to_element.
This calls the scrollIntoView function explicitly, which fixes
some selenium tests when not running in headless mode.
Instead of casting non-text fields to CharField (which prevents index
usage), skip exact lookups when the search term fails
formfield.to_python().
This preserves index usage for valid searches while gracefully handling
invalid search terms by simply not including them in the query for that
field.
For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']:
- 'foo': invalid for age, so only name lookup is used
- '123': valid for both, so both lookups are used
This entails a slight increase in permissiveness for search terms that
can be normalized by formfield.to_python().
Regression in 94680437a4. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
It's problematic on MongoDB. Simon: "It seems odd that we'd use
__in=OuterRef("pk") over __in=[OuterRef("pk")]. It's a SQLism that
only works because right-hand-side is wrapped with (...) and that's
interpreted as a singleton tuple which is allowed with IN."
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea3319079.
This patch adds support for <optgroup>s in FilteredSelectMultiple widgets.
When a popup returns a new object, if the source field contains optgroup
choices, the optgroup is now also included in the response data.
Additionally, this adds error handling for invalid source_model parameters
to prevent crashes and display user-friendly error messages instead.
Co-authored-by: Michael McLarnon <mmclar@gmail.com>
The only use case for visiting grandchild nodes turned out to be to
support an unintentionally invalid fixture in the test suite.
The invalid fixture added in #36969 was modeled on fixture9.xml in
dae08cf55b, so that is corrected as well
in this commit, where the test will still pass.
fixture9.xml was likely wrong since its introduction in
35cc439228.
The relevant part of the Visa model is:
class Visa(models.Model):
person = models.ForeignKey(Person, models.CASCADE)
The Visa.person <field>s needed to be declared as relations, and
the Person <field>s didn't need their values wrapped in `<natural>`,
since they weren't relations.
