[2.2.x] Fixed #31029 -- Used more specific links to RFCs.

Backport of ff1b19da67 from master
Baptiste Mispelon 2019-11-23 13:42:57 +01:00 committed by Mariusz Felisiak
parent 57f5a7e36b
commit 019a1b9274
7 changed files with 24 additions and 21 deletions

View File

@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
used to POST data back.
It deliberately ignores GET requests (and other requests that are defined as
'safe' by :rfc:`7231`). These requests ought never to have any potentially
dangerous side effects , and so a CSRF attack with a GET request ought to be
harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other
methods are also assumed to be unsafe, for maximum protection.
'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
potentially dangerous side effects, and so a CSRF attack with a GET request
ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
protection.
The CSRF protection cannot protect against man-in-the-middle attacks, so use
:ref:`HTTPS <security-recommendation-ssl>` with
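Review bot: the two new `:rfc:`7231#section-4.2.1`` references use the bare role form, so Sphinx renders the link text with the fragment attached ("RFC 7231#section-4.2.1"), whereas the cookie hunks in this same commit spell an explicit title (`:rfc:`RFC 6265 <6265#section-4.1.2.6>``). Pick one convention for the whole commit; the explicit-title form keeps the rendered text reading "RFC 7231" while still linking to the Safe Methods section. The stray space in "side effects ," is fixed in passing, which is fine.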

View File

@ -755,8 +755,8 @@ in ``get_absolute_url()`` and have all your other code call that one place.
.. note::
The string you return from ``get_absolute_url()`` **must** contain only
ASCII characters (required by the URI specification, :rfc:`2396`) and be
URL-encoded, if necessary.
ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
and be URL-encoded, if necessary.
Code and templates calling ``get_absolute_url()`` should be able to use the
result directly without any further processing. You may wish to use the
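Review bot: RFC 2396 is obsoleted by RFC 3986, and the URLValidator hunk in this same commit already moves its reference from RFC 2732 to RFC 3986; for consistency this note could cite `:rfc:`3986#section-2`` (Characters) rather than add a section anchor to the obsoleted document.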

View File

@ -809,9 +809,9 @@ Methods
JavaScript from having access to the cookie.
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
part of the :rfc:`6265` standard for cookies and can be a useful way to
mitigate the risk of a client-side script accessing the protected cookie
data.
part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
and can be a useful way to mitigate the risk of a client-side script
accessing the protected cookie data.
* Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
to send this cookie when performing a cross-origin request. `SameSite`_
isn't supported by all browsers, so it's not a replacement for Django's
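Review bot: this hunk and the settings hunk update the same HttpOnly sentence with different markup, `:rfc:`RFC 6265 <6265#section-4.1.2.6>`` here and the bare `:rfc:`6265#section-4.1.2.6`` there. Since the two paragraphs are word for word the same, they should use the same form so the rendered link text matches in both places.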
@ -826,11 +826,11 @@ Methods
.. warning::
:rfc:`6265` states that user agents should support cookies of at least
4096 bytes. For many browsers this is also the maximum size. Django
will not raise an exception if there's an attempt to store a cookie of
more than 4096 bytes, but many browsers will not set the cookie
correctly.
:rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
support cookies of at least 4096 bytes. For many browsers this is also
the maximum size. Django will not raise an exception if there's an
attempt to store a cookie of more than 4096 bytes, but many browsers
will not set the cookie correctly.
.. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)

View File

@ -2701,7 +2701,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
which sets this header is in use.
This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port
:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.
.. setting:: USE_X_FORWARDED_PORT
@ -3020,8 +3020,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
cookie.
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
the :rfc:`6265` standard for cookies and can be a useful way to mitigate the
risk of a client-side script accessing the protected cookie data.
the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
mitigate the risk of a client-side script accessing the protected cookie data.
This makes it less trivial for an attacker to escalate a cross-site scripting
vulnerability into full hijacking of a user's session. There aren't many good
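Review bot: the bare `:rfc:`6265#section-4.1.2.6`` renders its link text with the fragment included, unlike the explicit-title form used for the identical sentence in the ``HttpResponse.set_cookie`` docs in this commit; align the two so the same paragraph reads the same on both pages.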

View File

@ -1417,7 +1417,8 @@ Format character Description Example output
the "c" formatter will not add timezone
offset if value is a naive datetime
(see :class:`datetime.tzinfo`).
``r`` :rfc:`5322` formatted date. ``'Thu, 21 Dec 2000 16:01:07 +0200'``
``r`` :rfc:`RFC 5322 <5322#section-3.3>` ``'Thu, 21 Dec 2000 16:01:07 +0200'``
formatted date.
``U`` Seconds since the Unix Epoch
(January 1 1970 00:00:00 UTC).
================ ======================================== =====================
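Review bot: the Description cell now wraps onto a second line ("formatted date."); in a simple reST table that continuation line must start inside the Description column (past the ``r`` column) and leave the Example output column blank, otherwise it is parsed as a new row. The flattened rendering here hides the alignment, so check the column boundaries against the ``====`` rule before merging. Section 3.3 of RFC 5322 (Date and Time Specification) is the right target.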

View File

@ -720,8 +720,8 @@ escaping HTML.
.. function:: http_date(epoch_seconds=None)
Formats the time to match the :rfc:`1123` date format as specified by HTTP
:rfc:`7231#section-7.1.1.1`.
Formats the time to match the :rfc:`1123#section-5.2.14` date format as
specified by HTTP :rfc:`7231#section-7.1.1.1`.
Accepts a floating point number expressed in seconds since the epoch in
UTC--such as that outputted by ``time.time()``. If set to ``None``,
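Review bot: RFC 1123 section 5.2.14 only amends the RFC 822 date syntax (four-digit years); the normative grammar for HTTP dates is the IMF-fixdate in RFC 7231 section 7.1.1.1, which the sentence already links. Consider leading with the RFC 7231 reference and keeping RFC 1123 as the historical name of the format, so readers do not land on a section that lacks the full grammar.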

View File

@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
an error code of ``'invalid'`` if it doesn't.
Loopback addresses and reserved IP spaces are considered valid. Literal
IPv6 addresses (:rfc:`2732`) and unicode domains are both supported.
IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
supported.
In addition to the optional arguments of its parent :class:`RegexValidator`
class, ``URLValidator`` accepts an extra optional attribute:
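Review bot: unlike the other hunks, this one changes which RFC is cited (RFC 2732 to RFC 3986) rather than only adding a section anchor. That is the right move, since RFC 3986 obsoletes RFC 2732 and its section 3.2.2 (Host) defines the bracketed IP-literal syntax, but the commit message "Used more specific links to RFCs" does not mention it; worth a line in the commit message.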