django1/django/middleware/http.py

from django.core.exceptions import MiddlewareNotUsed
from django.utils.http import http_date

class ConditionalGetMiddleware(object):
    """
    Handles conditional GET operations. If the response has a ETag or
    Last-Modified header, and the request has If-None-Match or
    If-Modified-Since, the response is replaced by an HttpNotModified.

    Also sets the Date and Content-Length response-headers.
    """
    def process_response(self, request, response):
        response['Date'] = http_date()
        if not response.has_header('Content-Length'):
            response['Content-Length'] = str(len(response.content))

        if response.has_header('ETag'):
            if_none_match = request.META.get('HTTP_IF_NONE_MATCH', None)
            if if_none_match == response['ETag']:
                # Setting the status is enough here. The response handling path
                # automatically removes content for this status code (in
                # http.conditional_content_removal()).
                response.status_code = 304

        if response.has_header('Last-Modified'):
            if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE', None)
            if if_modified_since == response['Last-Modified']:
                # Setting the status code is enough here (same reasons as
                # above).
                response.status_code = 304

        return response

class SetRemoteAddrFromForwardedFor(object):
    """
    This middleware has been removed; see the Django 1.1 release notes for
    details.
    
    It previously set REMOTE_ADDR based on HTTP_X_FORWARDED_FOR. However, after
    investiagtion, it turns out this is impossible to do in a general manner:
    different proxies treat the X-Forwarded-For header differently. Thus, a
    built-in middleware can lead to application-level security problems, and so
    this was removed in Django 1.1
    
    """
    def __init__(self):
        import warnings
        warnings.warn("SetRemoteAddrFromForwardedFor has been removed. "
                      "See the Django 1.1 release notes for details.",
                      category=DeprecationWarning)
        raise MiddlewareNotUsed()
BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware. In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone. See the Django 1.1 release notes for full details, as well as upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-07-29 13:35:51 +08:00			`from django.core.exceptions import MiddlewareNotUsed`
Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-10-31 11:59:40 +08:00			`from django.utils.http import http_date`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00
Fixed #2109 -- Convert old-style classes to new-style classes throughout Django. Thanks, Nicola Larosa git-svn-id: http://code.djangoproject.com/svn/django/trunk@3113 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-06-08 13:00:13 +08:00			`class ConditionalGetMiddleware(object):`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00			`"""`
			`Handles conditional GET operations. If the response has a ETag or`
			`Last-Modified header, and the request has If-None-Match or`
			`If-Modified-Since, the response is replaced by an HttpNotModified.`

			`Also sets the Date and Content-Length response-headers.`
			`"""`
			`def process_response(self, request, response):`
Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-10-31 11:59:40 +08:00			`response['Date'] = http_date()`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00			`if not response.has_header('Content-Length'):`
			`response['Content-Length'] = str(len(response.content))`

			`if response.has_header('ETag'):`
			`if_none_match = request.META.get('HTTP_IF_NONE_MATCH', None)`
			`if if_none_match == response['ETag']:`
Fixed #5898 -- Changed a few response processing paths to make things harder to get wrong and easier to get right. Previous behaviour wasn't buggy, but it was harder to use than necessary. We now have automatic HEAD processing always (previously required ConditionalGetMiddleware), middleware benefits from the Location header rewrite, so they can use relative URLs as well, and responses with response codes 1xx, 204 or 304 will always have their content removed, in accordance with the HTTP spec (so it's much harder to indavertently deliver invalid responses). Based on a patch and diagnosis from regexbot@gmail.com. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6662 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-11-11 11:55:44 +08:00			`# Setting the status is enough here. The response handling path`
			`# automatically removes content for this status code (in`
			`# http.conditional_content_removal()).`
Fixed #7046 -- set the response status code correctly in ConditionalGetMiddleware. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7793 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-06-30 15:03:58 +08:00			`response.status_code = 304`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00
			`if response.has_header('Last-Modified'):`
			`if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE', None)`
			`if if_modified_since == response['Last-Modified']:`
Fixed #5898 -- Changed a few response processing paths to make things harder to get wrong and easier to get right. Previous behaviour wasn't buggy, but it was harder to use than necessary. We now have automatic HEAD processing always (previously required ConditionalGetMiddleware), middleware benefits from the Location header rewrite, so they can use relative URLs as well, and responses with response codes 1xx, 204 or 304 will always have their content removed, in accordance with the HTTP spec (so it's much harder to indavertently deliver invalid responses). Based on a patch and diagnosis from regexbot@gmail.com. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6662 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2007-11-11 11:55:44 +08:00			`# Setting the status code is enough here (same reasons as`
			`# above).`
Fixed #7046 -- set the response status code correctly in ConditionalGetMiddleware. git-svn-id: http://code.djangoproject.com/svn/django/trunk@7793 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2008-06-30 15:03:58 +08:00			`response.status_code = 304`
Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2005-10-09 08:55:08 +08:00
			`return response`
Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-08-18 11:12:36 +08:00
			`class SetRemoteAddrFromForwardedFor(object):`
			`"""`
BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware. In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone. See the Django 1.1 release notes for full details, as well as upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-07-29 13:35:51 +08:00			`This middleware has been removed; see the Django 1.1 release notes for`
			`details.`

			`It previously set REMOTE_ADDR based on HTTP_X_FORWARDED_FOR. However, after`
			`investiagtion, it turns out this is impossible to do in a general manner:`
			`different proxies treat the X-Forwarded-For header differently. Thus, a`
			`built-in middleware can lead to application-level security problems, and so`
			`this was removed in Django 1.1`

Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2006-08-18 11:12:36 +08:00			`"""`
BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware. In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone. See the Django 1.1 release notes for full details, as well as upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37 2009-07-29 13:35:51 +08:00			`def __init__(self):`
			`import warnings`
			`warnings.warn("SetRemoteAddrFromForwardedFor has been removed. "`
			`"See the Django 1.1 release notes for details.",`
			`category=DeprecationWarning)`
			`raise MiddlewareNotUsed()`