Re: Ticket #21289 - Login rate limiting

2020-07-28 Thread Claude Paroz
On Tuesday 28 July 2020 08:31:51 UTC+2, Aymeric Augustin wrote:
>
> - We should focus this on usernames and ignore IP addresses, as most sites 
> are behind a reverse proxy of some kind and no one handles X-Forwarded-For 
> headers right (even Heroku doesn't care — when I reported they were 
> vulnerable to XFF injection, their security team [or, more accurately, 
> their subcontractors] didn't understand the report, even after several 
> rounds of explanation and a working proof of concept)
>

What if we consider REMOTE_ADDR? In the worst case, it is not filled or 
filled with the same proxy address for all requests, and we find ourselves 
in the same case where it is not considered at all. In the best case, it is 
properly filled and then the user gets a bit better DoS protection. 
Am I missing something?

Claude

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/77d835d8-85bc-4c7b-ae99-9f27cb4a6543o%40googlegroups.com.
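An added example, not code from this thread or from Django, of what the two suggestions above look like together: a throttle keyed primarily on the username, with the client address as a secondary key, where X-Forwarded-For is consulted only when the request arrived through a proxy the operator has listed (otherwise REMOTE_ADDR is used as-is). The `client_ip` and `LoginThrottle` names, the `TRUSTED_PROXIES`/`SAMPLE_META` values and the limits are assumptions of the example.

```python
import time
from collections import defaultdict, deque
# Constructed sample: request arriving via a proxy we run (10.0.0.2); the
# first XFF hop was supplied by the client, the second appended by our proxy.
TRUSTED_PROXIES = frozenset({"10.0.0.2"})
SAMPLE_META = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.9"}


def client_ip(meta, trusted_proxies=frozenset()):
    """Best-effort client address from a WSGI-style META dict. REMOTE_ADDR is
    the TCP peer and cannot be chosen by the client; X-Forwarded-For is plain
    request text, consulted only when the peer is a proxy we operate, walking
    right to left to the first address that is not one of our proxies."""
    peer = meta.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer  # nothing trustworthy in XFF when no known proxy sent it
    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if hop not in trusted_proxies:
            return hop
    return peer


class LoginThrottle:
    """Sliding-window attempt counters (hypothetical, in-memory; a deployment
    would share them via the cache): a tight limit per username and a looser
    one per address. Set ip_limit=None when REMOTE_ADDR is one proxy for all."""

    def __init__(self, user_limit=5, ip_limit=50, window=300, clock=time.monotonic):
        self.user_limit, self.ip_limit, self.window, self.clock = user_limit, ip_limit, window, clock
        self._hits = defaultdict(deque)

    def _count(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # expire attempts outside the window
            q.popleft()
        return len(q)

    def allow(self, username, meta, trusted_proxies=frozenset()):
        """True if the attempt may proceed (and records it); False if throttled."""
        now = self.clock()
        checks = [("user:" + username.lower(), self.user_limit)]
        ip = client_ip(meta, trusted_proxies)
        if self.ip_limit is not None and ip:
            checks.append(("ip:" + ip, self.ip_limit))
        if any(self._count(key, now) >= limit for key, limit in checks):
            return False
        for key, _ in checks:
            self._hits[key].append(now)
        return True
```

With `TRUSTED_PROXIES` empty, the client-supplied `1.2.3.4` is never considered and the address key degrades to the proxy address, which is the "worst case" described above.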


Review help with GSoC Mypy plugin project.

2020-07-28 Thread Carlton Gibson
Hi all. 

This is just a quick note, with a request for input, if you have an 
interest in typing with Django. 

Kacper is doing a GSoC project to improve the django-stubs Mypy plugin. 

It's going well, but as ever, extra reviewing capacity is always handy. 

Current PR is here: 
https://github.com/typeddjango/django-stubs/pull/427

There's a discussion thread on the forum too: 
https://forum.djangoproject.com/t/gsoc-2020-django-stubs-mypy-plugin/2513/8

If you know about such things, and have capacity to give it a run and dig 
in a bit, that would be great. 

Thanks. 
Carlton



Re: Fellow Reports -- July 2020

2020-07-28 Thread Carlton Gibson
Hi all. 


Calendar Week 29 -- ending 19 July.


Triaged:

https://code.djangoproject.com/ticket/31780 -- Include the Python traceback 
in the debug-page footer as a HTML comment (wontfix)
https://code.djangoproject.com/ticket/31774 -- validate_unique in Model 
class doesn't validate uniqueness for ImageField. (needsinfo)
https://code.djangoproject.com/ticket/31793 -- Async management command 
support (wontfix)
https://code.djangoproject.com/ticket/31791 -- Make technical 404 page 
always show tried URL patterns (Accepted)
https://code.djangoproject.com/ticket/31777 -- Custom collations (needsinfo)
https://code.djangoproject.com/ticket/31007 -- Make it possible to change 
the default AutoField to BigAutoField. (Accepted)
https://code.djangoproject.com/ticket/31785 -- Documentation suggesting 
using UUIDField as a good alternative for primary_key, without inviting to 
consider performance drawbacks (Invalid)

Reviewed:

https://github.com/django/django/pull/11414 -- Fixed #30509 -- Various 
FileResponse fixes and changes
https://github.com/django/django/pull/13197 -- Stopped adapting 
DecimalField values to strings on Oracle.
https://github.com/django/django/pull/13145 -- Fixed #31623 -- Allowed 
specifying number of adjacent time units in timesince()/timeuntil().
https://github.com/django/django/pull/13192 -- Fixed #31784 -- Fixed 
sanitize_address() crash on wrapped display names.
https://github.com/django/django/pull/13195 -- Fixed #31790 -- Fixed 
setting SameSite cookie flag for deleted session/messages cookies.
https://github.com/django/django/pull/12310 -- Fixed #31180 -- Configured 
applications automatically.
https://github.com/django/django/pull/13186 -- Fixed #31789 -- Added a new 
response headers interface
https://github.com/django/django/pull/13134 -- Fixed #31747 -- Fixed model 
enumeration via admin URLs.
https://github.com/django/django/pull/13171 -- Fixed #21528 -- Added note 
about filtering form field's queryset based on instance to admin docs.

Calendar Week 30 -- ending 26 July.


Triaged:

https://code.djangoproject.com/ticket/31819 -- Django + Django REST 
Framework generates API errors with swagger (Invalid)
https://code.djangoproject.com/ticket/31805 -- MySQL Schema tests fail when 
table names are case-insensitive. (Accepted)
https://code.djangoproject.com/ticket/30114 -- ValidationError sometimes 
raised for valid UUIDs with mod_wsgi (Invalid)
https://code.djangoproject.com/ticket/31804 -- Parallelize database cloning 
process (Accepted)

Reviewed:

https://github.com/django/django/pull/13227 -- [2.2.x] Pinned geoip2 < 
4.0.0 in test requirements.
https://github.com/django/django/pull/13224 -- Fixed #31811 -- Add optional 
timing outputs to the test runner
https://github.com/django/django/pull/12449 -- Fixed #31262 -- Allowed 
dictionaries in Field.choices for named groups.
https://github.com/django/django/pull/13221 -- Fixed #31805 -- Fixed 
SchemaTests.tearDown() when table names are case-insensitive.
https://github.com/django/django/pull/13215 -- Fixed #31797 -- Skipped 
schema tests on specific MariaDB versions.
https://github.com/django/django/pull/13183 -- Fixed #31757 - add 
dj::insecure to default SECRET_KEY
https://github.com/django/django/pull/13153 -- Fixed #31765 -- Disabled 
bundled SQLite renaming atomic references on macOS 10.15.
https://github.com/django/django/pull/13213 -- Update tutorial04.txt
https://github.com/django/django/pull/12310 -- Fixed #31180 -- Configured 
applications automatically.

Authored:

https://github.com/django/django/pull/13214 -- Fixed #29988 -- Updated 
coding style allow f-strings.

Kind Regards,

Carlton




Re: Review help with GSoC Mypy plugin project.

2020-07-28 Thread Kacper Szmigiel
Hi!

Thank you Carlton for mentioning this.
There's not that much knowledge on the Django Stubs project required, but
experience with writing Mypy plugins is. I'll appreciate all kinds of help.
Please contact me directly if you want to participate :)

Kind regards,
Kacper

On Tue, 28 Jul 2020 at 10:05, Carlton Gibson 
wrote:

> Hi all.
>
> This is just a quick note, with a request for input, if you have an
> interest in typing with Django.
>
> Kacper is doing a GSoC project to improve the django-stubs Mypy plugin.
>
> It's going well, but as ever, extra reviewing capacity is always handy.
>
> Current PR is here:
> https://github.com/typeddjango/django-stubs/pull/427
>
> There's a discussion thread on the forum too:
> https://forum.djangoproject.com/t/gsoc-2020-django-stubs-mypy-plugin/2513/8
>
> If you know about such things, and have capacity to give it a run and dig
> in a bit, that would be great.
>
> Thanks.
> Carlton
>
>



Re: Review help with GSoC Mypy plugin project.

2020-07-28 Thread jhabar singh
Sir, I have forked the mypy package and once I get thorough with its docs I
will set it up on my system and start doing what you told.

On Tue, Jul 28, 2020 at 5:14 PM Kacper Szmigiel 
wrote:

> Hi!
>
> Thank you Carlton for mentioning this.
> There's not that much knowledge on the Django Stubs project required, but
> experience with writing Mypy plugins is. I'll appreciate all kinds of help.
> Please contact me directly if you want to participate :)
>
> Kind regards,
> Kacper
>
> On Tue, 28 Jul 2020 at 10:05, Carlton Gibson 
> wrote:
>
>> Hi all.
>>
>> This is just a quick note, with a request for input, if you have an
>> interest in typing with Django.
>>
>> Kacper is doing a GSoC project to improve the django-stubs Mypy plugin.
>>
>> It's going well, but as ever, extra reviewing capacity is always handy.
>>
>> Current PR is here:
>> https://github.com/typeddjango/django-stubs/pull/427
>>
>> There's a discussion thread on the forum too:
>>
>> https://forum.djangoproject.com/t/gsoc-2020-django-stubs-mypy-plugin/2513/8
>>
>> If you know about such things, and have capacity to give it a run and dig
>> in a bit, that would be great.
>>
>> Thanks.
>> Carlton
>>
>



Re: Fellow Reports - July 2020

2020-07-28 Thread Mariusz Felisiak
Week ending July 26, 2020.

Released Django 3.1rc1.

*Triaged:*
https://code.djangoproject.com/ticket/31799 - Queryset.update() examine 
Fields which has auto_now=True (duplicate)
https://code.djangoproject.com/ticket/31802 - Add system check for 
SITE_ID. (accepted)
https://code.djangoproject.com/ticket/31805 - MySQL Schema tests fail 
when table names are case-insensitive. (accepted)
https://code.djangoproject.com/ticket/31807 - Whether support more 
secure method to generate session id (wontfix)
https://code.djangoproject.com/ticket/31803 - Should 
ModelState.field_cache be documented? (wontfix)
https://code.djangoproject.com/ticket/31806 - Make validators include 
the provided value in ValidationError (accepted)
https://code.djangoproject.com/ticket/31808 - Django causes latest 
setuptools to issue "UserWarning: Distutils was imported before Setuptools." 
(invalid)
https://code.djangoproject.com/ticket/31809 - Regex URL patterns with 
conditional capture break default values in view functions (invalid)
https://code.djangoproject.com/ticket/31810 - HttpRequest.headers 
doesn't contain headers without HTTP prefix. (invalid)
https://code.djangoproject.com/ticket/31814 - CACHE_MIDDLEWARE_ALIAS 
default is missing quotation marks. (accepted)
https://code.djangoproject.com/ticket/31818 - Allow `startproject` to 
ignore patterns / folders (duplicate)
https://code.djangoproject.com/ticket/31816 - StreamingHttpResponse 
docs incorrectly specifies strings. (accepted)
https://code.djangoproject.com/ticket/31817 - sanitize_address() raises 
TypeError for bytestrings. (wontfix)
https://code.djangoproject.com/ticket/31815 - CheckConstraint() with 
unicode parameters crashes on PostgreSQL. (accepted)
https://code.djangoproject.com/ticket/31812 - The `model` attribute of 
image fields doesn't point to concrete model. (accepted)
https://code.djangoproject.com/ticket/31821 - FILE_UPLOAD_PERMISSIONS 
docs contain outdated note. (accepted)
https://code.djangoproject.com/ticket/31820 - CheckboxSelectMultiple 
widget doesn't work with TextChoices enabled CharFields (invalid)
https://code.djangoproject.com/ticket/31823 - Add Support for Fetch 
Metadata Request Headers (someday/maybe)
https://code.djangoproject.com/ticket/31822 - Add support for 
item_comments to syndication framework (accepted)
https://code.djangoproject.com/ticket/31824 - Internal Server Error 
while rendering template (invalid)

*Reviewed/committed:*
https://github.com/django/django/pull/13192 - Fixed #31784 -- Fixed 
sending emails crash on Python 3.6.11+, 3.7.8+, and 3.8.4+.
https://github.com/django/django/pull/13106 - Improved description of 
USE_THOUSAND_SEPARATOR setting.
https://github.com/django/django/pull/13162 - Fixed #31769 -- Improved 
default naming of merged migrations.
https://github.com/django/django/pull/13209 - Fixed #31720 -- Defined 
default output_field of BoolAnd() and BoolOr() aggregate functions and 
added examples to docs.
https://github.com/django/django/pull/13218 - Reverted "Fixed #30300 -- 
Allowed migrations to be loaded from directories without __init__.py file."
https://github.com/django/django/pull/13153 - Fixed #31765 -- Disabled 
bundled SQLite renaming atomic references on macOS 10.15.
https://github.com/django/django/pull/13194 - Doc'd 
Model.MultipleObjectsReturned docs and improved documentation related with 
models exceptions.
https://github.com/django/django/pull/13225 - Fixed #31814 -- Fixed 
typo in docs/ref/settings.txt.
https://github.com/django/django/pull/13229 - Fixed #31816 -- Corrected 
the expected content type in StreamingHttpResponse docs.
https://github.com/django/django/pull/13231 - Fixed #31821 -- Removed 
outdated note in FILE_UPLOAD_PERMISSIONS docs.
https://github.com/django/django/pull/13226 - Fixed #31802 -- Added 
system check for non-integer SITE_ID.
https://github.com/django/django/pull/13233 - Fixed #31812 -- Fixed 
FileField.model for fields defined in abstract models.

*Reviewed:*
https://github.com/django/django/pull/12310 - Fixed #31180 -- 
Configured applications automatically.

*Authored:*
https://github.com/django/django/pull/13215 - Fixed #31797 -- Skipped 
schema tests on specific MariaDB versions.
https://github.com/django/django/pull/13221 - Fixed #31805 -- Fixed 
SchemaTests.tearDown() when table names are case-insensitive.
https://github.com/django/django/pull/13235 - Fixed #31815 -- Fixed 
schema value encoding on PostgreSQL.

Best,
Mariusz
