From 3800f63721f6fc1c940abfb10fe21257dcf13521 Mon Sep 17 00:00:00 2001 From: Aymeric Augustin Date: Mon, 12 May 2014 07:28:07 -0400 Subject: [PATCH] Dropped fix_IE_for_vary/attach. This is a security fix. Disclosure following shortly. --- django/core/handlers/base.py | 2 -- django/http/__init__.py | 5 ++-- django/http/utils.py | 55 ---------------------------------- tests/utils_tests/test_http.py | 46 ---------------------------- 4 files changed, 2 insertions(+), 106 deletions(-) diff --git a/django/core/handlers/base.py b/django/core/handlers/base.py index 5d6b36439b..ffc48a076a 100644 --- a/django/core/handlers/base.py +++ b/django/core/handlers/base.py @@ -23,8 +23,6 @@ class BaseHandler(object): response_fixes = [ http.fix_location_header, http.conditional_content_removal, - http.fix_IE_for_attach, - http.fix_IE_for_vary, ] def __init__(self): diff --git a/django/http/__init__.py b/django/http/__init__.py index 5895c5e3ce..fc5bd180ad 100644 --- a/django/http/__init__.py +++ b/django/http/__init__.py @@ -6,8 +6,7 @@ from django.http.response import (HttpResponse, StreamingHttpResponse, HttpResponseNotModified, HttpResponseBadRequest, HttpResponseForbidden, HttpResponseNotFound, HttpResponseNotAllowed, HttpResponseGone, HttpResponseServerError, Http404, BadHeaderError, JsonResponse) -from django.http.utils import (fix_location_header, - conditional_content_removal, fix_IE_for_attach, fix_IE_for_vary) +from django.http.utils import fix_location_header, conditional_content_removal __all__ = [ 'SimpleCookie', 'parse_cookie', 'HttpRequest', 'QueryDict', @@ -17,5 +16,5 @@ __all__ = [ 'HttpResponseBadRequest', 'HttpResponseForbidden', 'HttpResponseNotFound', 'HttpResponseNotAllowed', 'HttpResponseGone', 'HttpResponseServerError', 'Http404', 'BadHeaderError', 'fix_location_header', 'JsonResponse', - 'conditional_content_removal', 'fix_IE_for_attach', 'fix_IE_for_vary', + 'conditional_content_removal', ] diff --git a/django/http/utils.py b/django/http/utils.py index 68011ab253..90155cd2ed 100644 --- a/django/http/utils.py +++ b/django/http/utils.py @@ -39,58 +39,3 @@ def conditional_content_removal(request, response): else: response.content = b'' return response - - -def fix_IE_for_attach(request, response): - """ - This function will prevent Django from serving a Content-Disposition header - while expecting the browser to cache it (only when the browser is IE). This - leads to IE not allowing the client to download. - """ - useragent = request.META.get('HTTP_USER_AGENT', '').upper() - if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent: - return response - - offending_headers = ('no-cache', 'no-store') - if response.has_header('Content-Disposition'): - try: - del response['Pragma'] - except KeyError: - pass - if response.has_header('Cache-Control'): - cache_control_values = [value.strip() for value in - response['Cache-Control'].split(',') - if value.strip().lower() not in offending_headers] - - if not len(cache_control_values): - del response['Cache-Control'] - else: - response['Cache-Control'] = ', '.join(cache_control_values) - - return response - - -def fix_IE_for_vary(request, response): - """ - This function will fix the bug reported at - http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global - by clearing the Vary header whenever the mime-type is not safe - enough for Internet Explorer to handle. Poor thing. - """ - useragent = request.META.get('HTTP_USER_AGENT', '').upper() - if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent: - return response - - # These mime-types that are decreed "Vary-safe" for IE: - safe_mime_types = ('text/html', 'text/plain', 'text/sgml') - - # The first part of the Content-Type field will be the MIME type, - # everything after ';', such as character-set, can be ignored. - mime_type = response.get('Content-Type', '').partition(';')[0] - if mime_type not in safe_mime_types: - try: - del response['Vary'] - except KeyError: - pass - - return response diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py index 9f6bcce830..edd0fde44f 100644 --- a/tests/utils_tests/test_http.py +++ b/tests/utils_tests/test_http.py @@ -2,8 +2,6 @@ from datetime import datetime import sys import unittest -from django.http import HttpResponse, utils -from django.test import RequestFactory from django.utils.datastructures import MultiValueDict from django.utils import http from django.utils import six @@ -67,50 +65,6 @@ class TestUtilsHttp(unittest.TestCase): ] self.assertTrue(result in acceptable_results) - def test_fix_IE_for_vary(self): - """ - Regression for #16632. - - `fix_IE_for_vary` shouldn't crash when there's no Content-Type header. - """ - - # functions to generate responses - def response_with_unsafe_content_type(): - r = HttpResponse(content_type="text/unsafe") - r['Vary'] = 'Cookie' - return r - - def no_content_response_with_unsafe_content_type(): - # 'Content-Type' always defaulted, so delete it - r = response_with_unsafe_content_type() - del r['Content-Type'] - return r - - # request with & without IE user agent - rf = RequestFactory() - request = rf.get('/') - ie_request = rf.get('/', HTTP_USER_AGENT='MSIE') - - # not IE, unsafe_content_type - response = response_with_unsafe_content_type() - utils.fix_IE_for_vary(request, response) - self.assertTrue('Vary' in response) - - # IE, unsafe_content_type - response = response_with_unsafe_content_type() - utils.fix_IE_for_vary(ie_request, response) - self.assertFalse('Vary' in response) - - # not IE, no_content - response = no_content_response_with_unsafe_content_type() - utils.fix_IE_for_vary(request, response) - self.assertTrue('Vary' in response) - - # IE, no_content - response = no_content_response_with_unsafe_content_type() - utils.fix_IE_for_vary(ie_request, response) - self.assertFalse('Vary' in response) - def test_base36(self): # reciprocity works for n in [0, 1, 1000, 1000000]: