Skip to content
This repository has been archived by the owner on Sep 5, 2020. It is now read-only.

2.2upgrade #2

Open
wants to merge 3,180 commits into
base: nimbis
Choose a base branch
from
Open

2.2upgrade #2

wants to merge 3,180 commits into from

Conversation

KavinKaviarasan1
Copy link

Added md5 patches to the django 2.2 fork

felixxm and others added 30 commits June 10, 2019 16:57
@felixxm
[2.2.x] Removed redundant object descriptions to prevent warnings wit…
430f7e9 
…h Sphinx 2.1.0.

Backport of 5ab75ad from master
@felixxm
[2.2.x] Changed charset and collation link to MySQL docs.
d5d22e1 
Backport of f3a03d5 from master
@vertliba @felixxm
[2.2.x] Fixed #30486 -- Fixed the default value of Aggregate.distinct…
36766e1 
… and updated example of custom aggregate functions.

Backport of 76b3fc5 from master
@jdufresne @felixxm
[2.2.x] Fixed intword example in docs/ref/contrib/humanize.txt.
13e6040 
Backport of 175656e from master
@felixxm
[2.2.x] Fixed an example of email with display name in EmailMessage.f…
26c1214 
…rom_email.

Backport of 0c2ffdd from master
@hramezani @felixxm
[2.2.x] Fixed typos and example in signals.pre_init docs.
1ce0428 
Backport of 036362e from master
@hramezani @felixxm
[2.2.x] Fixed typos in signals and custom management commands docs.
c3a9d30 
Backport of a7038ad from master
@Swat009 @carltongibson
[2.2.x] Fixed #30547 -- Doc'd how Meta.constraints affect model valid…
c3a0f76 
…ation.

Backport of 00169bc from master
@cjerdonek @carltongibson
[2.2.x] Refs #30565 -- Doc'd HttpResponse.close() method.
d200069 
Backport of 5333117 from master
@jdufresne @felixxm
[2.2.x] Fixed typos in 1.11.19, 2.0.11, 2.1.6 release notes.
e6b2471 
Backport of 2ef6f20 from master
@MarkusH @felixxm
[2.2.x] Bumped minimum ESLint version to 4.18.2.
2525785 
Backport of ad7b438 from master.
@claudep
[2.2.x] Removed unneeded non-breaking spaces added in 00169bc
3b2701e 
Backport of 8590726 from master.
@chexex @felixxm
[2.2.x] Fixed typo in docs/ref/models/indexes.txt.
f3b0365 
Backport of 2f91e78 from master
@meysam81 @felixxm
[2.2.x] Fixed typo in docs/topics/db/models.txt.
04965bf 
Backport of 8338784 from master
@orf @felixxm
[2.2.x] Fixed #30588 -- Fixed crash of autoreloader when __main__ mod…
bdc1de2 
…ule doesn't have __file__ attribute.

Backport of 8454f6d from master
@claudep
[2.2.x] Updated translations from Transifex
b3f7262
@felixxm
[2.2.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 …
395cf7c 
…database.

Backport of 4305fbe from master
@felixxm
[2.2.x] Added stub release notes for security releases.
db9f7b4 
Backport of 30b3ee9 from master
@carltongibson @felixxm
[2.2.x] Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_…
77706a3 
…PROXY_SSL_HEADER if set.

An HTTP request would not be redirected to HTTPS when the
SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if
the proxy connected to Django via HTTPS.

HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if
set, rather than falling back to the request scheme when the
SECURE_PROXY_SSL_HEADER did not have the secure value.

Thanks to Gavin Wahl for the report and initial patch suggestion, and
Shai Berger for review.

Backport of 54d0f5e from master
@felixxm
[2.2.x] Added release date for 2.2.3.
4f2713f 
Backport of fc41401 from master
@felixxm
[2.2.x] Updated man page for Django 2.2.
93e719e
@felixxm
[2.2.x] Bumped version for 2.2.3 release.
89e9a4a
@felixxm
[2.2.x] Post-release version bump.
5d39f62
@felixxm
[2.2.x] Added CVE-2019-12781 to the security release archive.
2b533ae 
Backport of 868cd56 from master
@aitoehigie @felixxm
[2.2.x] Fixed #30589 -- Clarified that urlize should be applied only …
b9d1bb6 
…to email addresses without single quotes.

Backport of c2f381e from master
@carltongibson @felixxm
[2.2.x] Fixed #28588 -- Doc'd User.has_perm() & co. behavior for acti…
b6d8957 
…ve superusers.

Equivalent note for PermissionsMixin was added in d33864e.
Backport of 4b32d03 from master
@Swat009 @felixxm
[2.2.x] Fixed #28667 -- Clarified how to override list of forms field…
7d52d05 
…s for custom UserAdmin with a custom user model.

Backport of c13e371 from master
@felixxm
[2.2.x] Fixed #30600 -- Clarified that ValueError raised by converter…
0ea952e 
….to_python() means no match.

Backport of f197c3d from master
@felixxm
[2.2.x] Added stub release notes for 2.2.4.
b593c39 
Backport of 08e69ca from master
@felixxm
[2.2.x] Fixed typos in docs/ref/django-admin.txt.
8f0b9e7 
Backport of 24e8f7f from master
felixxm and others added 24 commits June 2, 2020 10:47
@felixxm
[2.2.x] Fixed Sphinx warnings on duplicate object descriptions.
b0d810a 
Backport of 69e2cd6 from master.
@felixxm
[2.2.x] Fixed CodeBlock deprecation warning on Sphinx 2.1+.
151a83e 
Backport of a4e4737 from master.
@felixxm
[2.2.x] Fixed highlightlang deprecation warning on Sphinx 1.8+.
79baf33 
Backport of 678f958 from master
@felixxm
[2.2.x] Fixed term warning on Sphinx 3.0.1+.
c7bab8d 
"term" role became case sensitive in Sphinx 3.0.1.
Backport of cc70a03 from master
@felixxm
[2.2.x] Fixed E128, E741 flake8 warnings.
8301bc9 
Backport of 0668164 from master.
@carltongibson
[2.2.x] Refs #31485 -- Backported jQuery upgrade to 3.5.1.
2b69680
@carltongibson
[2.2.x] Added release date for 2.2.13.
7e1084e 
Backport of 81dc710 from master
@jdufresne @carltongibson
[2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignK…
6d61860 
…eyRawIdWidget.
@danpalmer @carltongibson
[2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memc…
07e59ca 
…ached backends.
@carltongibson
[2.2.x] Bumped version for 2.2.13 release.
8093aaa
@carltongibson
[2.2.x] Post-release version bump.
2661c22
@felixxm
[2.2.x] Refs CVE-2020-13254 -- Fixed cache.tests when KEY_PREFIX is d…
ea9bc39 
…efined.

Follow up to 2c82414.

Backport of 229c9c6 from master
@felixxm
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choi…
b877190 
…ces_to on Python 3.5.
@felixxm
[2.2.x] Fixed #31654 -- Fixed cache key validation messages.
b2b2723 
Backport of 926148e from master.
@stephenrauch @felixxm
[2.2.x] Refs #30183 -- Doc'd dropping support for sqlparse < 0.2.2.
cdad78e 
Support for sqlparse < 0.2.2 was broken in
782d85b because is_whitespace property
was added in sqlparse 0.2.2.

Backport of 4b6db76 from master.
@felixxm
[2.2.x] Refs #31682 -- Doc'd minimal sqlparse version in Django 2.2.
9ecce34 
Support for sqlparse < 0.2.2 was broken in
40b0a58 because is_whitespace property
was added in sqlparse 0.2.2.

Backport of 4339f2a from master.
@felixxm
[2.2.x] Refs #31751 -- Doc'd that cx_Oracle < 8 is required.
fc2a368
@felixxm
[2.2.x] Added release date for 2.2.14.
ee9bd41 
Backport of 0f3aecf from master.
@felixxm
[2.2.x] Bumped version for 2.2.14 release.
74934f7
@felixxm
[2.2.x] Post-release version bump.
202ac0b
@felixxm
[2.2.x] Fixed ForeignKeyRawIdWidgetTest.test_render_unsafe_limit_choi…
5968a23 
…ces_to on Python 3.5.
@smithdc1 @felixxm
[2.2.x] Fixed #30945 -- Doc'd plural equations changes in 2.2. releas…
6f09ee2 
…e notes.

Backport of 392036b from master
@compman2408
Apply patch for allowing MD5 usage
3c7e429 
This applies a patch to allow the use of Django on a FIPS-compliant
system with MD5 disabled. This utilizes the optional
'usedforsecurity=False' parameter that is passed into the hashlib.md5
function. This allows the use of MD5 even when MD5 has been disabled at
the system level.
Add try/except loops to md5 patches.
590bdda 
Had to add the try/except loop to make the md5 fixes
work/pass during testing.
@KavinKaviarasan1 KavinKaviarasan1 requested a review from mandan July 14, 2020 19:04
@KavinKaviarasan1 KavinKaviarasan1 self-assigned this Jul 14, 2020
@KavinKaviarasan1
Copy link
Author

Update fork for Django with md5 patches to 2.2

kevinrobbins
kevinrobbins approved these changes Jul 31, 2020
View reviewed changes
Copy link

@kevinrobbins kevinrobbins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could not find anymore instances of hashlib.md5() that did not have usedforsecurity added (with the exception of the exception handling calls).

@mandan
Copy link

mandan commented Jul 31, 2020

Thanks for the review @kevinrobbins . I don't think we should actually merge this into the nimbis branch, though. The best way to do this would probably be to have our separate release-2.2 branch that we sync with upstream, and then cherry pick the md5 commits on top of, for every new patch release. Then make our own release. No merge involved.

@kevinrobbins
Copy link

Update shop_core/templates/shop/catalog/product-list.html

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kevinrobbins kevinrobbins kevinrobbins approved these changes

@mandan mandan Awaiting requested review from mandan

Assignees

@KavinKaviarasan1 KavinKaviarasan1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.