[2.2.x] Fixed #31029 -- Used more specific links to RFCs.

Backport of ff1b19da67 from master
2019-11-23 13:42:57 +01:00 · 2019-11-23 13:42:57 +01:00 · 019a1b9274
parent 57f5a7e36b
commit 019a1b9274
7 changed files with 24 additions and 21 deletions
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
 used to POST data back.

 It deliberately ignores GET requests (and other requests that are defined as
-'safe' by :rfc:`7231`). These requests ought never to have any potentially
-dangerous side effects , and so a CSRF attack with a GET request ought to be
-harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other
-methods are also assumed to be unsafe, for maximum protection.
+'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
+potentially dangerous side effects, and so a CSRF attack with a GET request
+ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
+as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
+protection.

 The CSRF protection cannot protect against man-in-the-middle attacks, so use
 :ref:`HTTPS <security-recommendation-ssl>` with
--- a/docs/ref/models/instances.txt
+++ b/docs/ref/models/instances.txt
@ -755,8 +755,8 @@ in ``get_absolute_url()`` and have all your other code call that one place.

 .. note::
    The string you return from ``get_absolute_url()`` **must** contain only
-    ASCII characters (required by the URI specification, :rfc:`2396`) and be
-    URL-encoded, if necessary.
+    ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
+    and be URL-encoded, if necessary.

    Code and templates calling ``get_absolute_url()`` should be able to use the
    result directly without any further processing. You may wish to use the
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@ -809,9 +809,9 @@ Methods
      JavaScript from having access to the cookie.

      HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
-      part of the :rfc:`6265` standard for cookies and can be a useful way to
-      mitigate the risk of a client-side script accessing the protected cookie
-      data.
+      part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
+      and can be a useful way to mitigate the risk of a client-side script
+      accessing the protected cookie data.
    * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
      to send this cookie when performing a cross-origin request. `SameSite`_
      isn't supported by all browsers, so it's not a replacement for Django's
@ -826,11 +826,11 @@ Methods

    .. warning::

-        :rfc:`6265` states that user agents should support cookies of at least
-        4096 bytes. For many browsers this is also the maximum size. Django
-        will not raise an exception if there's an attempt to store a cookie of
-        more than 4096 bytes, but many browsers will not set the cookie
-        correctly.
+        :rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
+        support cookies of at least 4096 bytes. For many browsers this is also
+        the maximum size. Django will not raise an exception if there's an
+        attempt to store a cookie of more than 4096 bytes, but many browsers
+        will not set the cookie correctly.

 .. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)

--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -2701,7 +2701,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
 which sets this header is in use.

 This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
-:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port
+:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
 number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.

 .. setting:: USE_X_FORWARDED_PORT
@ -3020,8 +3020,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
 cookie.

 HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
-the :rfc:`6265` standard for cookies and can be a useful way to mitigate the
-risk of a client-side script accessing the protected cookie data.
+the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
+mitigate the risk of a client-side script accessing the protected cookie data.

 This makes it less trivial for an attacker to escalate a cross-site scripting
 vulnerability into full hijacking of a user's session. There aren't many good
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@ -1417,7 +1417,8 @@ Format character  Description                               Example output
                  the "c" formatter will not add timezone
                  offset if value is a naive datetime
                  (see :class:`datetime.tzinfo`).
-``r``             :rfc:`5322` formatted date.               ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+``r``             :rfc:`RFC 5322 <5322#section-3.3>`        ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+                  formatted date.
 ``U``             Seconds since the Unix Epoch
                  (January 1 1970 00:00:00 UTC).
 ================  ========================================  =====================
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@ -720,8 +720,8 @@ escaping HTML.

 .. function:: http_date(epoch_seconds=None)

-    Formats the time to match the :rfc:`1123` date format as specified by HTTP
-    :rfc:`7231#section-7.1.1.1`.
+    Formats the time to match the :rfc:`1123#section-5.2.14` date format as
+    specified by HTTP :rfc:`7231#section-7.1.1.1`.

    Accepts a floating point number expressed in seconds since the epoch in
    UTC--such as that outputted by ``time.time()``. If set to ``None``,
--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
    an error code of ``'invalid'`` if it doesn't.

    Loopback addresses and reserved IP spaces are considered valid. Literal
-    IPv6 addresses (:rfc:`2732`) and unicode domains are both supported.
+    IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
+    supported.

    In addition to the optional arguments of its parent :class:`RegexValidator`
    class, ``URLValidator`` accepts an extra optional attribute: