Carlton Gibson
bd062445cf
Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
2022-08-03 08:46:31 +02:00
Mehrdad
d4d5427571
Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Mariusz Felisiak
bff5c114be
Removed unnecessary _parse_header() from MultiPartParser.
Reraising ValueError was unused since its introduction in
d725cc9734.
2022-06-28 09:27:03 +02:00
Mehrdad
d6e0c7c30c
Refs #33697 -- Made MediaType use django.utils.http.parse_header_parameters().
2022-06-28 07:33:41 +02:00
Anv3sh
d7f5bfd241
Fixed #32969 -- Fixed pickling HttpResponse and subclasses.
2022-06-20 08:51:26 +02:00
Jonas Lundberg
e96320c917
Fixed #33755 -- Moved ASGI body-file cleanup into request class.
2022-06-09 11:11:45 +02:00
Mehrdad
49b470b918
Refs #33697 -- Made MultiPartParser use django.utils.http.parse_header_parameters() for parsing Content-Type header.
2022-06-03 21:37:29 +02:00
Mehrdad
93cedc82f2
Refs #33697 -- Fixed multipart parsing of headers with double quotes and semicolons.
See 1ef0c0349e
2022-06-01 10:11:07 +02:00
Collin Anderson
2a5d2eefc7
Fixed #33683 -- Document HttpResponseBase and allow import from django.http
2022-05-17 09:51:16 +02:00
Carlton Gibson
34e2148fc7
Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
Carlton Gibson
bb61f0186d
Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Thomas Schmidt
1cf60ce601
Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols in the header value.
2022-03-23 19:33:36 +01:00
Luke Plant
f3bf6c4218
Refs #33562 -- Made HttpResponse.set_cookie() raise ValueError when both "expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
2022-03-07 08:04:18 +01:00
Luke Plant
ae2da5ba65
Fixed #33562 -- Made HttpResponse.set_cookie() support timedelta for the max_age argument.
2022-03-07 07:57:14 +01:00
Keryn Knight
95b7d01d38
Refs #33546 -- Optimized handling content types in HttpResponseBase.__init__().
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
2022-03-02 20:23:39 +01:00
Keryn Knight
4b2f6ace57
Refs #33546 -- Optimized HttpResponseBase.charset a bit.
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
2022-03-02 20:23:39 +01:00
Keryn Knight
51f896fe25
Refs #33546 -- Optimized ResponseHeaders._convert_to_charset() by reducing the type-checking duplication.
In the common case, where keys and values are encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2022-03-02 20:23:39 +01:00
Keryn Knight
e0b197c63c
Refs #33546 -- Avoided unpacking data in ResponseHeaders when not necessary.
2022-03-02 20:23:39 +01:00
Mariusz Felisiak
7119f40c98
Refs #33476 -- Refactored code to strictly match 88 characters line length.
2022-02-07 20:37:05 +01:00
django-bot
9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
Mariusz Felisiak
fc18f36c4a
Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
2022-02-01 07:41:40 +01:00
Hrushikesh Vaidya
3fadf141e6
Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.
2022-01-20 07:19:52 +01:00
Ad Timmering
bdf3e156b4
Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.
2022-01-07 12:25:06 +01:00
Mariusz Felisiak
5def7f3f74
Updated various links to HTTPS and new locations.
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
2021-12-02 11:27:29 +01:00
Carlton Gibson
4a58dfd9db
Refs #30509 -- Adjusted internal FileResponse variable name.
Follow up to dc724c5bf9.
2021-10-15 07:29:55 +02:00
Piotr Kunicki
dc724c5bf9
Fixed #30509 -- Made FileResponse better handle buffers and non-zero file offsets.
2021-10-14 15:05:04 +02:00
Illia Volochii
bc4c7e5d68
Optimized handling case-insensitive mappings.
Elements yielded by _destruct_iterable_mapping_values are always
unpacked. Since unpacking can be done with any iterable, there is no
need to convert elements to tuples. Also, such elements can be used
directly in for loops; creating a dictionary of them is excessive.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-09-22 09:26:21 +02:00
Illia Volochii
f03ba0ad52
Simplified serializing HTTP response headers.
Since ResponseHeaders was introduced, header names and values are stored
as strings. There is no need to check whether they are bytes.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-08-02 09:24:48 +02:00
Nicolas Restrepo
bbb3965826
Refs #24121 -- Added __repr__() to StreamingHttpResponse and subclasses.
2021-06-22 21:28:48 +02:00
Nick Pope
d06c5b3581
Fixed #32366 -- Updated datetime module usage to recommended approach.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Florian Apolloner
0b79eb3691
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
2021-05-04 08:44:42 +02:00
Hasan Ramezani
8bcb00858e
Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri().
2021-04-30 08:05:42 +02:00
Nick Pope
2161db0792
Fixed capitalization of "ECMAScript" and "JavaScript".
2021-04-29 20:29:08 +02:00
Mariusz Felisiak
d4d800ca1a
Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
2021-04-06 08:15:17 +02:00
Mariusz Felisiak
ec0ff40631
Fixed #32355 -- Dropped support for Python 3.6 and 3.7
2021-02-10 10:20:54 +01:00
Illia Volochii
3c004075b1
Fixed #32389 -- Fixed ResponseHeaders crash when data is not mapping.
2021-01-28 10:10:08 +01:00
Mariusz Felisiak
d08977a0f0
Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline.
2021-01-14 17:50:04 +01:00
ᴙɘɘᴙgYmɘᴙɘj
2c5d6dc447
Fixed grammar in HttpResponse docstring.
2020-12-08 12:18:42 +01:00
Mariusz Felisiak
1fd9b44a6b
Refs #32074 -- Fixed handling memoryview content by HttpResponse on Python 3.10+.
An iterator was added to memoryview in Python 3.10,
see https://bugs.python.org/issue41732
Refs #30294
2020-11-10 09:56:15 +01:00
Tom Carrick
dcb69043d0
Fixed #32002 -- Added headers parameter to HttpResponse and subclasses.
2020-10-07 09:19:57 +02:00
aryan
11c4a4412b
Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads.
This patch allows upload handlers to handle interrupted uploads.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-09-30 10:30:43 +02:00
Tom Carrick
bcc2befd0e
Fixed #31789 -- Added a new headers interface to HttpResponse.
2020-09-14 08:41:59 +02:00
Tim Graham
83dea65ed6
Refs #21231 -- Corrected parse_qsl() fallback.
An oversight in fd209f62f1.
2020-09-07 06:25:56 +02:00
Hasan Ramezani
d2d08c8cf6
Fixed #31982 -- Made HttpResponse.set_cookie() cast max_age argument to an integer.
2020-09-05 10:07:23 +02:00
Nick Pope
fd209f62f1
Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8.
2020-09-03 14:24:42 +02:00
Mariusz Felisiak
240cbb63bf
Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will soon be rejected by the latest browser versions.
This affects sessions and messages cookies.
2020-07-16 08:16:58 +02:00
Michael Brown
36db4dd937
Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.
2020-06-11 08:46:59 +02:00
Mariusz Felisiak
7fc317ae73
Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2.
2020-06-03 08:47:19 +02:00
Mariusz Felisiak
0668164b4a
Fixed E128, E741 flake8 warnings.
2020-05-12 08:52:23 +02:00
Jon Dufresne
d6aff369ad
Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00