243d0bec19
Fixed #15617 - CSRF referer checking too strict
...
Thanks to adam for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
f6c991667f
Fixed #4992 -- Respect the GET request query string when creating cache keys. Thanks PeterKz and guettli for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15705 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-02 12:47:36 +00:00
dbe6ced0d6
Fixed #717 - If-Modified-Since handling should compare dates according to RFC 2616
...
Thanks to Maniac for the report, julienb for the initial patch, and
especially to aaugustin for the final patch and tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 14:28:06 +00:00
e57e296167
Corrected logging call in CSRF middleware
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-21 23:00:44 +00:00
969217d455
Fixed #15260 -- Ensured that CACHE_MIDDLEWARE_ANONYMOUS_ONLY is effective with the cache_page decorator, not only the middleware. Thanks to brodie for report and draft patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15559 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-17 04:35:26 +00:00
208630aa4b
Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
00fda7f45d
Fixed #13283 -- Corrected CACHE_MIDDLEWARE_ANONYMOUS_ONLY's bad habit of setting Vary: Cookie on all responses and destroying cache efficiency. Thanks to natrius for the fix.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-01 00:20:31 +00:00
4bb1b2304d
Fixed #15187 -- Ensure that missing page emails aren't sent when running under debug. Thanks to Dan Carroll for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-30 13:11:45 +00:00
3f528e10d5
Fixed #15012 -- Added post-rendering callbacks to TemplateResponse so that decorators (in particular, the cache decorator) can defer processing until after rendering has occurred. Thanks to Joshua Ginsberg for the draft patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15295 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 14:24:35 +00:00
fe581013b0
Fixed #15144 -- Corrected some problems with the Cache middleware when used with multiple cache settings. Thanks to Jim Dalton for the report, and to Jim and Joshua Ginsberg for the work on the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15285 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 06:36:31 +00:00
c0dd2babb1
Fixed sending mail on 404s to fail silently.
...
A failure in the e-mail system should not turn a 404 into a 500.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15145 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-04 04:01:37 +00:00
b22415214a
Beefed up the tests for multi-cache handling of the cache middleware and view decorators, and made a couple of tweaks for edge cases as a result.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-22 07:52:44 +00:00
673e6fc7fb
Fixed #11675 -- Added support for the PyLibMC cache library. In order to support this, and clean up some other 1.3 caching additions, this patch also includes some changes to the way caches are defined. This means you can now have multiple caches, in the same way you have multiple databases. A huge thanks to Jacob Burch for the work on the PyLibMC backend, and to Jannis for his work on the cache definition changes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15005 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-21 15:19:19 +00:00
352deb0915
Fixed #14559 -- corrected some typos and misleading docstrings. Thanks to Gabriel Hurley for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14441 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-02 18:30:00 +00:00
cb17f7ca22
Fixed #14560 -- Enable HEAD requests to be cached properly. Thanks, codemonkey!
...
Introducing ability to cache HEAD requests and GET requests separately by
adding the method to the cache key while preserving the functionality that HEAD
requests can use cached reponses generated by a GET request.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14391 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29 01:31:15 +00:00
90ac02300e
Fixed #14565 - No csrf_token on 404 page.
...
This solution doesn't have the negative side-effects of [14356].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
45c7f427ce
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
...
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
1070c57b83
Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
fea159282b
Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 15:02:26 +00:00
24acca4139
Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
364583b894
Fixed #14235 - UnicodeDecodeError in CSRF middleware
...
Thanks to jbg for the report.
This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
9e3b327aca
Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
e8cff0b8f3
Added explanatory note on CSRF failure page for the case of a missing Referer header.
...
This is intended to help power users who have disabled Referer headers, or
installed add-ons which have done so, and to help web site administrators
with debugging, since this problem will be browser specific and not a
programming error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 16:28:10 +00:00
f92a21daa7
Added proper code comments for the HTTPS CSRF protection.
...
Refs #13489 which noticed a vague comment - thanks pmclanahan
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-30 22:30:37 +00:00
ac8b7ff021
Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
...
This was a regression caused by the the CSRF changes in 1.2.
Thanks to edevil for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-08 14:35:48 +00:00
8b2c1a484e
Fixed #6228 : Changed common middleware to respect request-specific urlconf. Thanks trey, skevy, and mikexstudios.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-07 20:03:04 +00:00
92568d31b8
Removed an 'assert False' I stupidly committed in [12165]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12166 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:37:48 +00:00
ca6f64a43f
Fixed #6094 -- Middleware exceptions are now caught by the core handler. Thanks, isagalaev
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12165 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:35:01 +00:00
19b72077f7
Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 16:51:13 +00:00
933b9e8de7
Fixed #6991 -- Removed some redundant user.is_authenticated() calls in various places. Thanks, alexkoshelev, Liang Feng and Ivan Sagalaev
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12142 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-09 20:11:01 +00:00
905dba3694
Misc clarifications in csrf middleware comments
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
d0b900e6f5
Slight change to CSRF error messages to make debugging easier.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
c2ffe94d9a
Removed unused import.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
7230a995ce
Moved contrib.csrf.* to core code.
...
There is stub code for backwards compatiblity with Django 1.1 imports.
The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
d78cf61c99
BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware.
...
In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone.
See the Django 1.1 release notes for full details, as well as upgrade instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-29 05:35:51 +00:00
499a8ac331
Fixed #10630 -- Be even more conservative in GZipMiddleware for IE.
...
Patch from sebastien_noack.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-12 04:14:23 +00:00
30b568226f
Fixed #9199 -- We were erroneously only prepending "www" to the domain if we
...
also needed to append a slash (when PREPEND_WWW=True).
Based on a patch and tests from gonz. Thanks.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9184 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-07 08:22:50 +00:00
ba59295068
Fixed #9221 -- Small optimisation to caching middleware handling.
...
In the slightly unusual case that CACHE_MIDDLEWARE_SECONDS is set to 0, don't
bother storing a copy in the local cache.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9098 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-30 03:58:09 +00:00
40e5cde1c5
Fixed #7379 : fixed a subtle corner case involving URL encoding in `CommonMiddleware`
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-27 20:29:58 +00:00
1e1f7c58bc
Fixed #8381 -- Fixed a problem with appending slashes in the common middleware
...
when SCRIPT_NAME contains something other than '/'. Patch from jcassee.
Also fixed the middleware tests to work with this patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 01:32:18 +00:00
c0d862d638
Fixed a typo and added a bit more ReST markup to cache middleware docstring.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8387 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:47:03 +00:00
7526590376
Split CacheMiddleware up into two parts -- an update-cache and a fetch-from-cache middleware. This lets you run each half of the cache middleware at the correct time to avoid bad interactions between the cache middleware and other middleware that must modify the cache key (like the locale middleware).
...
CacheMiddleware itself is still around for backwards-compatibility and as a hook point for the cache decorator, but the documentation has been updated to point people towards the two-part caching middleware.
Refs #730 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8260 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:07:45 +00:00
e8f18643cf
Fixed #8121 -- Don't override the Content-Language HTTP header in the locale
...
middleware if it's already been set. Thanks, jcassee.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8259 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:04:45 +00:00
c85c8f8891
Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. Patch from Karen Tracey.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02 05:56:57 +00:00
94beaa6ebb
Fixed #7046 -- set the response status code correctly in ConditionalGetMiddleware.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-30 07:03:58 +00:00
02bbd9a9b2
Fixed #7228 -- Fixed our ETag header creation to meet the HTTP spec, by quoting it. Thanks, skjohn@us.ibm.com
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7659 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-16 04:13:04 +00:00
5f477760ac
Fixed #6480 -- Added application/pdf the list of content types we don't compress when sending to Internet Explorer. Thanks, Bastien Kleineidam.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7080 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-02-04 01:40:53 +00:00
1f629bff99
Fixed #3228 -- Added new APPEND_SLASH handling behaviour in the common middleware. Makes customisation a bit easier. Thanks, Mihai Preda and Andy Gayton.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6852 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-02 23:25:55 +00:00
f2f6e70b08
Fixed #5813 -- Taught the CacheMiddleware to respect any max-age HTTP header
...
when setting the expiry time. Thanks, SmileyChris.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6736 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-29 16:57:18 +00:00
5870ffd4b0
Made some stylistic changes in `GZipMiddleware` and added some notes about IE, refs #5313 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6697 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-19 03:41:46 +00:00
Luke Plant
Jannis Leidel
Carl Meyer
Alex Gaynor
Russell Keith-Magee
Honza Král
James Bennett
Karen Tracey
Adrian Holovaty
Jacob Kaplan-Moss
Malcolm Tredinnick
Gary Wilson Jr