[Django] #30746: Add Feature-Policy header support

2019-09-01 Thread Django
#30746: Add Feature-Policy header support
---------------------------------------+------------------------------
               Reporter:  Nick Pope    |          Owner:  Nick Pope
                   Type:  New feature  |         Status:  assigned
              Component:  Utilities    |        Version:  master
               Severity:  Normal       |       Keywords:
           Triage Stage:  Unreviewed   |      Has patch:  0
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
                  UI/UX:  0            |
---------------------------------------+------------------------------
 Similar to planned support for `Referrer-Policy`, we should add
 `Feature-Policy` which allows controlling use of browser features.

 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
 - https://scotthelme.co.uk/a-new-security-header-feature-policy/
 - https://www.w3.org/TR/feature-policy/

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/050.0a0339f9e2db45c3503df23767b772ca%40djangoproject.com.


Re: [Django] #30739: OuterRef in exclude() or ~Q() uses wrong model.

2019-09-01 Thread Django
#30739: OuterRef in exclude() or ~Q() uses wrong model.
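----------------------------------------------+------------------------------------------
     Reporter:  Oskar Persson                 |                    Owner:  Simon Charette
         Type:  Bug                           |                   Status:  assigned
    Component:  Database layer (models, ORM)  |                  Version:  master
     Severity:  Normal                        |               Resolution:
     Keywords:                                |             Triage Stage:  Accepted
    Has patch:  1                             |      Needs documentation:  0
  Needs tests:  0                             |  Patch needs improvement:  0
Easy pickings:  0                             |                    UI/UX:  0
----------------------------------------------+------------------------------------------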
Changes (by Simon Charette):

 * has_patch:  0 => 1


To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/070.912534eb78a58bee7cb3e11cf6057555%40djangoproject.com.


[Django] #30745: Allow serving a default file for FileField from static URL.

2019-09-01 Thread Django
#30745: Allow serving a default file for FileField from static URL.
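------------------------------------------------+--------------------------
               Reporter:  bhch                  |          Owner:  nobody
                   Type:  New feature           |         Status:  new
              Component:  File uploads/storage  |        Version:  2.2
               Severity:  Normal                |       Keywords:
           Triage Stage:  Unreviewed            |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+--------------------------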
 Prior to version 1.9, it was possible to serve a default file for a
 `FileField` from an absolute url just by setting the `default` value on
 the field like:

 {{{
 ImageField(default='/static/placeholder.png' ...)
 }}}


 But due to the security concerns raised in #25905, the commit
 [changeset:"fdf5cd3429369954e8deb764d9f30f6374581613" fdf5cd34] strips off
 all the leading slashes, thereby making the path relative, to which
 `urljoin` later prepends a base url. This removes the possibility of
 serving a default file from the static url.

 I think a better solution would be to remove more than one leading slash,
 but not a single one.

 Current implementation: `url.lstrip('/')`.

 Proposed: `re.sub(r'/{2,}', '/', url)` or `re.sub(r'/{2,}', '', url)`.

 This will keep the absolute urls as intended and also convert external
 urls to internal.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/047.bc1e7e9615d91d2bf49da3f349f29978%40djangoproject.com.


Re: [Django] #30255: docutils reports an error rendering view docstring when the first line is not empty

2019-09-01 Thread Django
#30255: docutils reports an error rendering view docstring when the first line is not empty
-----------------------------------+------------------------------------------
     Reporter:  Manlio Perillo     |                    Owner:  Hasan Ramezani
         Type:  Bug                |                   Status:  assigned
    Component:  contrib.admindocs  |                  Version:  2.1
     Severity:  Normal             |               Resolution:
     Keywords:                     |             Triage Stage:  Accepted
    Has patch:  0                  |      Needs documentation:  0
  Needs tests:  0                  |  Patch needs improvement:  0
Easy pickings:  0                  |                    UI/UX:  0
-----------------------------------+------------------------------------------
Changes (by Hasan Ramezani):

 * owner:  nobody => Hasan Ramezani
 * status:  new => assigned


Comment:

 I cannot reproduce on:
 * Python=3.7
 * django=master
 * docutils=0.15.2

 @Manlio Perillo, could you please help me? Am I wrong?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.9918cb22973c01c4f77d64c72c190d72%40djangoproject.com.


Re: [Django] #25905: Unsafe usage of urljoin() within FileStorageSystem

2019-09-01 Thread Django
#25905: Unsafe usage of urljoin() within FileStorageSystem
--------------------------------------+----------------------------------------
     Reporter:  Aman Ali              |                    Owner:  Tobias Kunze
         Type:  Cleanup/optimization  |                   Status:  closed
    Component:  File uploads/storage  |                  Version:  1.9
     Severity:  Normal                |               Resolution:  fixed
     Keywords:  file, storage         |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+----------------------------------------

Comment (by Tobias Kunze):

 Thank you for your feedback – as this ticket has been closed some time
 ago, the best way forward would be to open a new ticket. There you could
 describe the behaviour you would like to see as opposed to the current
 one, and reference this ticket as introducing current behaviour. A new
 ticket will run through the proper ticket lifecycle and (more importantly)
 will get the attention of other developers.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/069.2cd868f69ee4437835fc292524b84f87%40djangoproject.com.


Re: [Django] #25905: Unsafe usage of urljoin() within FileStorageSystem

2019-09-01 Thread Django
#25905: Unsafe usage of urljoin() within FileStorageSystem
--------------------------------------+----------------------------------------
     Reporter:  Aman Ali              |                    Owner:  Tobias Kunze
         Type:  Cleanup/optimization  |                   Status:  closed
    Component:  File uploads/storage  |                  Version:  1.9
     Severity:  Normal                |               Resolution:  fixed
     Keywords:  file, storage         |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+----------------------------------------
Changes (by bhch):

 * cc: bhch (added)


Comment:

 The
 [https://github.com/django/django/commit/fdf5cd3429369954e8deb764d9f30f6374581613#diff-87c0869f58253f571c08ccf0fc5c7465R410 current fix]
 strips off all the
 leading slashes thereby making it a relative path, to which `urljoin`
 later prepends a base url.  This removes the possibility of serving a
 default file from the static url.

 I think a better solution would be to remove more than one leading slash,
 but not a single one.

 Current implementation: `url.lstrip('/')`.

 Proposed: `re.sub(r'/{2,}', '/', url)`.

 This will allow us to serve a default file from static url.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/069.717ca33680157371c9949cf495119728%40djangoproject.com.
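
Added example (not part of the ticket thread and not Django's own code): a plain-`urllib` model of the sanitize-then-`urljoin` step discussed in #25905 and #30745, comparing no stripping, the current `url.lstrip('/')`, and the two proposed `re.sub` variants. `BASE_URL`, the `example.test` host names, the sample names and the sanitizer labels are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the storage's base URL (assumption, not from the tickets).
BASE_URL = "https://site.example.test/media/"

# Sanitizers discussed in the tickets; the dictionary keys are labels made up for this example.
SANITIZERS = {
    "none": lambda url: url,                             # no stripping, as before the #25905 fix
    "lstrip": lambda url: url.lstrip("/"),               # current implementation
    "collapse": lambda url: re.sub(r"/{2,}", "/", url),  # first proposal in #30745
    "delete": lambda url: re.sub(r"/{2,}", "", url),     # second proposal in #30745
}


def resolve(name, sanitizer, base_url=BASE_URL):
    """Sanitize a stored file name, then join it to the base URL."""
    return urljoin(base_url, SANITIZERS[sanitizer](name))


def stays_on_host(name, sanitizer, base_url=BASE_URL):
    """True when the resolved URL still points at the base URL's host."""
    resolved = urlsplit(resolve(name, sanitizer, base_url))
    return resolved.netloc == urlsplit(base_url).netloc


def compare(names):
    """Map each name to {sanitizer label: resolved URL} for side-by-side review."""
    return {n: {s: resolve(n, s) for s in SANITIZERS} for n in names}


# Constructed sample names: a static default, a scheme-relative name,
# and a name with an interior run of slashes.
SAMPLES = ["/static/placeholder.png", "//other.example.test/p.png", "avatars//a.png"]

if __name__ == "__main__":
    for name, row in compare(SAMPLES).items():
        print(name)
        for label, url in row.items():
            print(f"  {label:8} -> {url}")
```

Because the proposed pattern is not anchored to the start of the string, the `delete` variant also removes interior separators (`avatars//a.png` becomes `avatarsa.png`).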