Krzysztof Urbaniak
85a4844f8a
Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with HTTP_ACCEPT_LANGUAGE header.
2016-03-10 10:51:55 -05:00
harikrishnakanchi
74670498e9
Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.
...
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then
BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08 09:21:42 -05:00
Krzysztof Urbaniak
839a955d08
Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().
2016-03-08 08:14:10 -05:00
Simon Charette
d0451e4cad
Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.
...
Thanks Tim for the review.
2016-03-03 12:08:49 -05:00
Liam Brenner
182f98c4c7
Fixed typo in django/middleware/common.py docstring.
2016-02-09 08:06:26 -05:00
chemary
2d28144c95
Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).
2016-01-20 18:19:24 -05:00
Denis Cornehl
186b6c61bf
Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
...
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Marten Kenbeek
16411b8400
Fixed #26013 -- Moved django.core.urlresolvers to django.urls.
...
Thanks to Tim Graham for the review.
2015-12-31 14:21:29 -05:00
Derek J. Curtis
6be9589eb3
Fixed #25900 -- Fixed regression in CommonMiddleware ETag support.
2015-12-10 13:51:07 -05:00
Aymeric Augustin
11f10b70f3
Fixed #25302 (again) -- Ignored scheme when checking for bad referers.
...
The check introduced in 4ce433e
was too strict in real life. The poorly
implemented bots this patch attempted to ignore are sloppy when it comes
to http vs. https.
2015-11-26 21:27:12 +01:00
Matt Robenolt
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Joshua Kehn
ab26b65b2f
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
...
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
Maxime Lorant
4ce433e811
Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s when Referer = URL.
2015-08-24 19:35:49 -04:00
Denis Cornehl
7a40fef17a
Fixed #24935 -- Refactored common conditional GET handling.
2015-08-15 09:08:45 -04:00
Claude Paroz
64982cc2fb
Updated Wikipedia links to use https
2015-08-08 12:02:32 +02:00
Jay Cox
434d309ef6
Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in CommonMiddleware.
...
This speeds up affected requests by about 5%.
2015-07-31 12:04:06 -04:00
sujayskumar
2e70bf3785
Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response
2015-06-27 08:46:23 -04:00
Piotr Jakimiak
4157c502a5
Removed unnecessary arguments in .get method calls
2015-05-13 20:51:18 +02:00
Jay Cox
eef95ea96f
Fixed #24696 -- Made CSRF_COOKIE computation lazy.
...
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changed result of the “test_token_node_no_csrf_cookie” test: It gets
a valid CSRF token now which seems like the correct behavior.
Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
Oliver A Bristow
4cd727095d
Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddleware
2015-04-21 22:02:04 +02:00
Bas Peschier
9128762f16
Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.
...
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
2015-03-26 09:26:55 -04:00
Claude Paroz
a0c2eb46dd
Fixed #23960 -- Removed http.fix_location_header
...
Thanks Carl Meyer for the report and Tim Graham for the review.
2015-03-18 18:22:50 +01:00
Grzegorz Slusarek
668d53cd12
Fixed #21495 -- Added settings.CSRF_HEADER_NAME
2015-03-05 15:03:40 -05:00
Claude Paroz
80be597a7b
Fixed #24360 -- Delayed internal LocaleMiddleware variable initialization
...
Failing in a middleware `__init__` is preventing proper debug view.
2015-03-02 20:06:24 +01:00
Tim Graham
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
Tim Graham
0e60912492
Removed UpdateCacheMiddleware._session_accessed()
...
This method is unused since f567d04b24
2015-02-01 20:33:22 -05:00
Samuel Colvin
5b74134f27
Fixed #24145 -- Added PUT & PATCH to CommonMiddleware APPEND_SLASH redirect error.
2015-01-29 15:23:01 -05:00
Claude Paroz
27dd7e7271
Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
...
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
2015-01-06 08:42:58 +01:00
Berker Peksag
df0523debc
Fixed #23531 -- Added CommonMiddleware.response_redirect_class.
2014-11-04 17:56:57 -05:00
Tim Graham
52ef6a4726
Fixed #17101 -- Integrated django-secure and added check --deploy option
...
Thanks Carl Meyer for django-secure and for reviewing.
Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
2014-09-12 15:05:23 -04:00
Tim Graham
fe38be96c1
Fixed #21579 -- Made LocaleMiddleware respect script prefix.
...
Thanks buettgenbach at datacollect.com for the report and patch.
2014-08-14 09:36:41 -04:00
Tim Graham
815e7a5721
Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
...
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
Mark Lavin
79956d0694
Fixed #22440 -- Updated ConditionalGetMiddleware to comply with RFC 2616.
2014-06-13 20:01:35 -04:00
Aymeric Augustin
df09d85482
Fixed #17552 -- Removed a hack for IE6 and earlier.
...
It prevented the GZipMiddleware from compressing some data types even on
more recent version of IE where the corresponding bug was fixed.
Thanks Aaron Cannon for the report and Tim Graham for the review.
2014-06-10 08:42:31 +02:00
Alex Gaynor
1dcc603eff
Fixed several typos in Django
2014-05-28 17:39:14 -07:00
Aymeric Augustin
c083e3815a
Prevented leaking the CSRF token through caching.
...
This is a security fix. Disclosure will follow shortly.
2014-04-21 18:11:26 -04:00
Alex Gaynor
778ce245dd
Corrected many style guide violations that the newest version of flake8 catches
2014-03-30 12:11:05 -07:00
Aymeric Augustin
253e8ac29f
Removed django.middleware.doc. Refs #20126 .
...
Small doc changes missed in 66076268
.
2014-03-21 22:07:39 +01:00
Aymeric Augustin
0f9560855e
Removed legacy transaction management per the deprecation timeline.
2014-03-21 21:06:50 +01:00
Tim Graham
f567d04b24
Removed settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY per deprecation timeline.
...
refs #15201 .
2014-03-21 09:46:17 -04:00
Tim Graham
11e22129d5
Removed settings.SEND_BROKEN_LINK_EMAILS per deprecation timeline.
2014-03-21 07:15:58 -04:00
Claude Paroz
210d0489c5
Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings
...
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
2014-03-08 09:57:40 +01:00
Roger Hu
9b729ddd8f
Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
...
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Bouke Haarsma
2bab9d6d9e
Fixed #21389 -- Accept most valid language codes
...
By removing the 'supported' keyword from the detection methods and only relying
on a cached settings.LANGUAGES, the speed of said methods has been improved;
around 4x raw performance. This allows us to stop checking Python's incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.
HTTP Accept-Language is defined as being case-insensitive, based on this fact
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
2014-02-26 16:58:04 +01:00
Ludwik Trammer
9922ed46e2
Fixed #21473 -- Limited language preservation to logout
...
Current language is no longer saved to session by LocaleMiddleware
on every response (the behavior introduced in #14825 ).
Instead language stored in session is reintroduced into new session
after logout.
Forward port of c558a43fd6
to master.
2013-12-12 10:24:43 +01:00
Christopher Medrela
7477a4ffde
Fixed E125 pep8 warnings
2013-11-28 08:50:11 -05:00
Curtis Maloney
ffc37e2343
Fixed #21012 -- New API to access cache backends.
...
Thanks Curtis Malony and Florian Apolloner.
Squashed commit of the following:
commit 3380495e93
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 14:18:07 2013 +0100
Looked up the template_fragments cache at runtime.
commit 905a74f52b
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 14:19:48 2013 +0100
Removed all uses of create_cache.
Refactored the cache tests significantly.
Made it safe to override the CACHES setting.
commit 35e289fe92
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 12:23:57 2013 +0100
Removed create_cache function.
commit 8e274f747a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 12:04:52 2013 +0100
Updated docs to describe a simplified cache backend API.
commit ee7eb0f73e
Author: Curtis Maloney <curtis@tinbrain.net>
Date: Sat Oct 19 09:49:24 2013 +1100
Fixed #21012 -- Thread-local caches, like databases.
2013-11-23 15:06:59 +01:00
Milton Mazzarri
cbc7cbbc5b
Fixed flake8 E251 violations
2013-11-03 03:22:11 -06:00
coagulant
3bc0d46a84
Fixed all E261 warnings
2013-11-02 18:20:39 -04:00
Alex Gaynor
7548aa8ffd
More attacking E302 violators
2013-11-02 13:12:09 -07:00
Tim Graham
36ded01527
Fixed #21302 -- Fixed unused imports and import *.
2013-11-02 15:24:56 -04:00
Bouke Haarsma
6107435386
Fixed #21324 -- Translate CSRF failure view
...
Thanks to Claude Paroz for the original patch.
2013-11-02 11:22:30 +01:00
Bouke Haarsma
0d0f4f020a
Fixed #5789 -- Changed LocaleMiddleware session variable to '_language'.
...
The old 'django_language' variable will still be read from in order
to migrate users. The backwards-compatability shim will be removed in
Django 1.8.
Thanks to jdunck for the report and stugots for the initial patch.
2013-10-22 09:24:42 -04:00
Alasdair Nicol
b289fcf1bf
Fixed #21288 -- Fixed E126 pep8 warnings
2013-10-21 08:31:30 -04:00
Tim Graham
ac4fec5ca2
Fixed bug causing CSRF token not to rotate on login.
...
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Unai Zalakain
c7634cd7fe
Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
...
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.
`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.
`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.
This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.
Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham
cec11a3336
Used "is" for comparisons with None.
2013-10-10 09:35:56 -04:00
Emil Stenström
7a97df190c
Fixed #19277 -- Added LocaleMiddleware.response_redirect_class
...
Thanks ppetrid at yawd.eu for the suggestion.
2013-10-03 16:15:29 -04:00
Curtis Maloney
07876cf02b
Deprecated SortedDict (replaced with collections.OrderedDict)
...
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Aymeric Augustin
acd7b34aaf
Advanced deprecation warnings for Django 1.7.
2013-06-29 18:49:37 +02:00
Aymeric Augustin
ffcf24c9ce
Removed several unused imports.
2013-06-19 17:18:40 +02:00
Ramiro Morales
0fa8d43e74
Replaced `and...or...` constructs with PEP 308 conditional expressions.
2013-05-26 23:47:50 -03:00
Claude Paroz
f940e564e4
Fixed #20099 -- Eased subclassing of BrokenLinkEmailsMiddleware
...
Thanks Ram Rachum for the report and the initial patch, and Simon
Charette for the review.
2013-05-25 12:10:53 +02:00
Vlastimil Zíma
6de81d65f4
Fixed #14825 -- LocaleMiddleware keeps language
...
* LocaleMiddleware stores language into session if it is not present there.
2013-05-25 10:52:54 +02:00
Andrew Godwin
1514f17aa6
Rotate CSRF token on login
2013-05-24 22:15:08 +01:00
Łukasz Langa
660762681c
Fixed #20126 -- XViewMiddleware moved to django.contrib.admindocs.middleware
2013-05-19 13:18:35 +02:00
Łukasz Langa
26e3e7ecb5
Fixed #11915 : generic Accept-Language matches country-specific variants
2013-05-19 12:50:09 +02:00
Łukasz Langa
bd97f7d0cb
Fixed #15201 : Marked CACHE_MIDDLEWARE_ANONYMOUS_ONLY as deprecated
2013-05-18 17:38:32 +02:00
Olivier Sels
63a9555d57
Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.
2013-05-18 16:17:46 +02:00
Claude Paroz
8fd44b2551
Fixed #20356 -- Prevented crash when HTTP_REFERER contains non-ascii
...
Thanks srusskih for the report and Aymeric Augustin for the review.
2013-05-18 12:39:11 +02:00
Aymeric Augustin
ac37ed21b3
Deprecated TransactionMiddleware and TRANSACTIONS_MANAGED.
...
Replaced them with per-database options, for proper multi-db support.
Also toned down the recommendation to tie transactions to HTTP requests.
Thanks Jeremy for sharing his experience.
2013-03-11 15:04:05 +01:00
Aymeric Augustin
3bdc7a6a70
Deprecated transaction.is_managed().
...
It's synchronized with the autocommit flag.
2013-03-11 14:48:54 +01:00
Aymeric Augustin
7aacde84f2
Made transaction.managed a no-op and deprecated it.
...
enter_transaction_management() was nearly always followed by managed().
In three places it wasn't, but they will all be refactored eventually.
The "forced" keyword argument avoids introducing behavior changes until
then.
This is mostly backwards-compatible, except, of course, for managed
itself. There's a minor difference in _enter_transaction_management:
the top self.transaction_state now contains the new 'managed' state
rather than the previous one. Django doesn't access
self.transaction_state in _enter_transaction_management.
2013-03-11 14:48:53 +01:00
Aymeric Augustin
aa089b106b
Fixed #5241 -- Kept active transalation in LocaleMiddleware.process_response.
2013-02-28 14:21:48 +01:00
Łukasz Langa
539900f117
Fixes #17866 : Vary: Accept-Language header when language prefix used
2013-02-23 19:41:33 +01:00
Anssi Kääriäinen
a4e97cf315
Fixed #19707 -- Reset transaction state after requests
2013-02-10 13:55:54 +02:00
Aymeric Augustin
720888a146
Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
...
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Tim Graham
ee26797cff
Fixed typos in docs and comments
2013-01-29 10:55:55 -07:00
Aymeric Augustin
50a985b09b
Fixed #19099 -- Split broken link emails out of common middleware.
2013-01-15 17:41:45 +01:00
Claude Paroz
bcdb4898ca
Fixed #19488 -- Made i18n_patterns redirect work with non-slash-ending paths
...
Thanks Daniel Gerzo for the report and the initial patch.
2013-01-11 21:27:51 +01:00
Aymeric Augustin
641acf76e7
Removed IGNORABLE_404_STARTS/ENDS settings.
2012-12-29 21:59:07 +01:00
Aymeric Augustin
1c8be95a86
Prevented caching of streaming responses.
...
The test introduced in 4b278131
accidentally passed because of a
limitation of Python < 3.3.
Refs #17758 , #7581 .
2012-12-24 20:28:07 +01:00
Claude Paroz
c0efbc7b53
Fixed #19347 -- Removed unused variable definition in FetchFromCacheMiddleware
...
Thanks gregplaysguitar at gmail.com for the report.
2012-12-01 13:52:26 +01:00
Aymeric Augustin
973f539ab8
Fixed #15152 -- Avoided crash of CommonMiddleware on broken querystring
2012-11-03 21:28:33 +01:00
Aymeric Augustin
4b27813198
Fixed #7581 -- Added streaming responses.
...
Thanks mrmachine and everyone else involved on this long-standing ticket.
2012-10-20 20:05:11 +02:00
Claude Paroz
26ff2be787
Imported getLogger directly from logging module
...
This was a remainder of some 2.4 compatibility code.
2012-09-20 21:03:24 +02:00
Collin Anderson
f416ea9c8d
fixed rfc comment typo in middleware/csrf.py
2012-09-10 12:11:24 -03:00
Claude Paroz
d774ad752d
[py3] Made csrf context processor return Unicode
2012-08-13 11:54:21 +02:00
Aymeric Augustin
e84f79f051
Fixed #18042 -- Advanced deprecation warnings.
...
Thanks Ramiro for the patch.
2012-05-03 15:27:01 +02:00
Jannis Leidel
126d9e1b49
Fixed #17817 -- Modified LocalMiddleware to use full URLs when redirecting to i18n URLs. Thanks to Paul for keeping an eye on the standards.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17633 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 22:35:26 +00:00
Jannis Leidel
746987f916
Fixed #17734 -- Made sure to only redirect translated URLs if they can actually be resolved to prevent unwanted redirects. Many thanks to Orne Brocaar and Anssi Kääriäinen for input.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17621 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 11:07:36 +00:00
Jannis Leidel
7dd0ceba2e
Fixed #17720 -- Stopped the LocaleMiddleware from overeagerly using the request path for language activation if it's actually not wanted. Thanks to Anssi Kääriäinen for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17547 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18 13:37:30 +00:00
Adrian Holovaty
7981efe04f
Documentation (and some small source code) edits from [17432] - [17537]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-17 20:04:11 +00:00
Paul McMillan
a77679dfaa
Fixes #16827 . Adds a length check to CSRF tokens before applying the santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11 04:18:15 +00:00
Jannis Leidel
f0a1633425
Fixed #17358 -- Updated logging calls to use official syntax for arguments instead of string interpolation. Thanks, spulec.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:58:36 +00:00
Jannis Leidel
b926765a7c
Fixed #16035 -- Appended the Etag response header if the GZipMiddleware is in use to follow RFC2616 better. Thanks, ext and dracos2.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:57:13 +00:00
Aymeric Augustin
4288c8831b
Fixed #10762 , #17514 -- Prevented the GZip middleware from returning a response longer than the original content, allowed compression of non-200 responses, and added tests (there were none). Thanks cannona for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17365 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-09 21:42:03 +00:00
Aymeric Augustin
e2f9c11736
Fixed #16705 - Made the test client adhere to the WSGI spec -- in particular, removed the assumption that environ['QUERY_STRING'] exists.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16933 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-06 20:39:15 +00:00
Jannis Leidel
bce890ace4
Fixed #16584 -- Fixed a bunch of typos in code comments. Thanks, Bernhard Essl.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16598 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-12 14:14:15 +00:00
Jannis Leidel
24f4764a48
Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13 09:35:51 +00:00