[pull] main from django:main

django/contrib/auth/__init__.py

@@ -89,6 +89,22 @@ def _clean_credentials(credentials):
     return credentials
 
 
+def _set_auth_user(request, user=None):
+    from django.contrib.auth.models import AnonymousUser
+
+    if user is None:
+        user = AnonymousUser()
+
+    if hasattr(request, "user"):
+        request.user = user
+    if hasattr(request, "auser"):
+
+        async def auser():
+            return user
+
+        request.auser = auser
+
+
 def _get_user_session_key(request):
     # This value in the session is always serialized to a string, so we need
     # to convert it back to Python whenever we access it.
@@ -177,8 +193,7 @@ def login(request, user, backend=None):
     request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
     request.session[BACKEND_SESSION_KEY] = backend
     request.session[HASH_SESSION_KEY] = session_auth_hash
-    if hasattr(request, "user"):
-        request.user = user
+    _set_auth_user(request, user)
     rotate_token(request)
     user_logged_in.send(sender=user.__class__, request=request, user=user)
 
@@ -207,14 +222,7 @@ async def alogin(request, user, backend=None):
     await request.session.aset(SESSION_KEY, user._meta.pk.value_to_string(user))
     await request.session.aset(BACKEND_SESSION_KEY, backend)
     await request.session.aset(HASH_SESSION_KEY, session_auth_hash)
-    if hasattr(request, "user"):
-        request.user = user
-    if hasattr(request, "auser"):
-
-        async def auser():
-            return user
-
-        request.auser = auser
+    _set_auth_user(request, user)
     rotate_token(request)
     await user_logged_in.asend(sender=user.__class__, request=request, user=user)
 
@@ -231,10 +239,8 @@ def logout(request):
         user = None
     user_logged_out.send(sender=user.__class__, request=request, user=user)
     request.session.flush()
-    if hasattr(request, "user"):
-        from django.contrib.auth.models import AnonymousUser
 
-        request.user = AnonymousUser()
+    _set_auth_user(request)
 
 
 async def alogout(request):
@@ -249,20 +255,7 @@ async def alogout(request):
     await user_logged_out.asend(sender=user.__class__, request=request, user=user)
     await request.session.aflush()
 
-    has_user = hasattr(request, "user")
-    has_auser = hasattr(request, "auser")
-    if has_user or has_auser:
-        from django.contrib.auth.models import AnonymousUser
-
-        anon = AnonymousUser()
-        if has_user:
-            request.user = anon
-        if has_auser:
-
-            async def auser():
-                return anon
-
-            request.auser = auser
+    _set_auth_user(request)
 
 
 def get_user_model():

django/http/response.py

@@ -20,6 +20,10 @@
 from django.http.cookie import SimpleCookie
 from django.utils import timezone
 from django.utils.datastructures import CaseInsensitiveMapping
+from django.utils.deprecation import (
+    RemovedInDjango71Warning,
+    django_file_prefixes,
+)
 from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
 from django.utils.http import (
@@ -755,10 +759,21 @@ def __init__(
         self,
         data,
         encoder=DjangoJSONEncoder,
-        safe=True,
+        # RemovedInDjango71Warning: Remove the safe parameter.
+        safe=None,
         json_dumps_params=None,
         **kwargs,
     ):
+        # RemovedInDjango71Warning.
+        if safe is None:
+            safe = False
+        else:
+            warnings.warn(
+                "The safe parameter is deprecated.",
+                category=RemovedInDjango71Warning,
+                skip_file_prefixes=django_file_prefixes(),
+            )
+        # RemovedInDjango71Warning.
         if safe and not isinstance(data, dict):
             raise TypeError(
                 "In order to allow non-dict objects to be serialized set the "

docs/ref/request-response.txt

@@ -1281,6 +1281,14 @@ using non-dict objects in JSON-encoded response.
     modern browsers implement ECMAScript 5 which removes this attack vector.
     Therefore it is possible to disable this security precaution.
 
+.. versionchanged:: 6.2
+
+    In earlier versions, the ``safe`` parameter defaulted to ``True``.
+
+.. deprecated:: 6.2
+
+    The ``safe`` parameter is deprecated.
+
 Changing the default JSON encoder
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

docs/releases/2.2.26.txt

@@ -19,7 +19,7 @@ In order to mitigate this issue, relatively long values are now ignored by
 ``UserAttributeSimilarityValidator``.
 
 This issue has severity "medium" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
 ================================================================================
@@ -35,7 +35,7 @@ dictionaries.
 As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 ====================================================================
@@ -44,4 +44,4 @@ CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/3.2.11.txt

@@ -19,7 +19,7 @@ In order to mitigate this issue, relatively long values are now ignored by
 ``UserAttributeSimilarityValidator``.
 
 This issue has severity "medium" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
 ================================================================================
@@ -35,7 +35,7 @@ dictionaries.
 As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 ====================================================================
@@ -44,4 +44,4 @@ CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/4.0.1.txt

@@ -19,7 +19,7 @@ In order to mitigate this issue, relatively long values are now ignored by
 ``UserAttributeSimilarityValidator``.
 
 This issue has severity "medium" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
 ================================================================================
@@ -35,7 +35,7 @@ dictionaries.
 As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 ====================================================================
@@ -44,7 +44,7 @@ CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
 crafted file names.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 Bugfixes
 ========

docs/releases/4.2.28.txt

@@ -16,7 +16,7 @@ The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
 allowed remote attackers to enumerate users via a timing attack.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
 ==============================================================================================
@@ -28,7 +28,7 @@ repeated string concatenation while combining repeated headers, which
 produced super-linear computation resulting in service degradation or outage.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
 ====================================================================
@@ -40,7 +40,7 @@ index.
 As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
 ========================================================================================================
@@ -52,7 +52,7 @@ denial-of-service attack via certain inputs with a large number of unmatched
 HTML end tags, which could cause quadratic time complexity during HTML parsing.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-1287: Potential SQL injection in column aliases via control characters
 ===============================================================================
@@ -65,7 +65,7 @@ expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`,
 :meth:`~.QuerySet.alias`.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``
 =========================================================================================
@@ -75,4 +75,4 @@ containing periods when the same alias was, using a suitably crafted
 dictionary, with dictionary expansion, used in :class:`.FilteredRelation`.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/4.2.29.txt

@@ -27,7 +27,7 @@ validation, but if you rely on custom validators, ensure they do not depend on
 the previous behavior of ``URLField.to_python()``.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-25674: Potential incorrect permissions on newly created file system objects
 ====================================================================================
@@ -42,4 +42,4 @@ Django now applies the requested permissions via :func:`~os.chmod` after
 :func:`~os.mkdir`, removing the dependency on the process-wide umask.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/4.2.30.txt

@@ -25,7 +25,7 @@ Headers containing underscores are now ignored by ``ASGIRequest``, matching the
 behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-4277: Privilege abuse in ``GenericInlineModelAdmin``
 =============================================================
@@ -35,7 +35,7 @@ forged ``POST`` data in
 :class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin`.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable``
 ==============================================================
@@ -45,7 +45,7 @@ Admin changelist forms using
 instances to be created via forged ``POST`` data.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload
 ===============================================================================================================
@@ -55,7 +55,7 @@ with ``Content-Transfer-Encoding: base64`` that include excessive whitespace
 may trigger repeated memory copying, potentially degrading performance.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
 =========================================================================================================
@@ -66,4 +66,4 @@ bypass the :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
 memory and causing service degradation.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/5.2.11.txt

@@ -16,7 +16,7 @@ The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
 allowed remote attackers to enumerate users via a timing attack.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
 ==============================================================================================
@@ -28,7 +28,7 @@ repeated string concatenation while combining repeated headers, which
 produced super-linear computation resulting in service degradation or outage.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
 ====================================================================
@@ -40,7 +40,7 @@ index.
 As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
 ========================================================================================================
@@ -52,7 +52,7 @@ denial-of-service attack via certain inputs with a large number of unmatched
 HTML end tags, which could cause quadratic time complexity during HTML parsing.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-1287: Potential SQL injection in column aliases via control characters
 ===============================================================================
@@ -65,7 +65,7 @@ expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`,
 :meth:`~.QuerySet.alias`.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``
 =========================================================================================
@@ -75,4 +75,4 @@ containing periods when the same alias was, using a suitably crafted
 dictionary, with dictionary expansion, used in :class:`.FilteredRelation`.
 
 This issue has severity "high" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.

docs/releases/5.2.12.txt

@@ -28,7 +28,7 @@ validation, but if you rely on custom validators, ensure they do not depend on
 the previous behavior of ``URLField.to_python()``.
 
 This issue has severity "moderate" according to the :ref:`Django security
-policy <security-disclosure>`.
+policy <severity-levels>`.
 
 CVE-2026-25674: Potential incorrect permissions on newly created file system objects
 ====================================================================================
@@ -43,7 +43,7 @@ Django now applies the requested permissions via :func:`~os.chmod` after
 :func:`~os.mkdir`, removing the dependency on the process-wide umask.
 
 This issue has severity "low" according to the :ref:`Django security policy
-<security-disclosure>`.
+<severity-levels>`.
 
 Bugfixes
 ========