Commit Graph

107 Commits

Author SHA1 Message Date
Honza Král cb17f7ca22 Fixed #14560 -- Enable HEAD requests to be cached properly. Thanks, codemonkey!
Introducing ability to cache HEAD requests and GET requests separately by
adding the method to the cache key while preserving the functionality that HEAD
requests can use cached reponses generated by a GET request.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14391 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29 01:31:15 +00:00
Luke Plant 90ac02300e Fixed #14565 - No csrf_token on 404 page.
This solution doesn't have the negative side-effects of [14356].

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 1070c57b83 Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Russell Keith-Magee fea159282b Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 15:02:26 +00:00
Russell Keith-Magee 24acca4139 Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
Luke Plant 364583b894 Fixed #14235 - UnicodeDecodeError in CSRF middleware
Thanks to jbg for the report.

This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
James Bennett 9e3b327aca Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
Luke Plant e8cff0b8f3 Added explanatory note on CSRF failure page for the case of a missing Referer header.
This is intended to help power users who have disabled Referer headers, or
installed add-ons which have done so, and to help web site administrators
with debugging, since this problem will be browser specific and not a
programming error.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 16:28:10 +00:00
Luke Plant f92a21daa7 Added proper code comments for the HTTPS CSRF protection.
Refs #13489 which noticed a vague comment - thanks pmclanahan



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-30 22:30:37 +00:00
Luke Plant ac8b7ff021 Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
This was a regression caused by the the CSRF changes in 1.2.

Thanks to edevil for the report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-08 14:35:48 +00:00
Karen Tracey 8b2c1a484e Fixed #6228: Changed common middleware to respect request-specific urlconf. Thanks trey, skevy, and mikexstudios.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-07 20:03:04 +00:00
Adrian Holovaty 92568d31b8 Removed an 'assert False' I stupidly committed in [12165]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12166 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:37:48 +00:00
Adrian Holovaty ca6f64a43f Fixed #6094 -- Middleware exceptions are now caught by the core handler. Thanks, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12165 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:35:01 +00:00
Adrian Holovaty 19b72077f7 Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 16:51:13 +00:00
Adrian Holovaty 933b9e8de7 Fixed #6991 -- Removed some redundant user.is_authenticated() calls in various places. Thanks, alexkoshelev, Liang Feng and Ivan Sagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12142 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-09 20:11:01 +00:00
Luke Plant 905dba3694 Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
Luke Plant d0b900e6f5 Slight change to CSRF error messages to make debugging easier.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
Luke Plant c2ffe94d9a Removed unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Jacob Kaplan-Moss d78cf61c99 BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware.
In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone.

See the Django 1.1 release notes for full details, as well as upgrade instructions.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-29 05:35:51 +00:00
Malcolm Tredinnick 499a8ac331 Fixed #10630 -- Be even more conservative in GZipMiddleware for IE.
Patch from sebastien_noack.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-12 04:14:23 +00:00
Malcolm Tredinnick 30b568226f Fixed #9199 -- We were erroneously only prepending "www" to the domain if we
also needed to append a slash (when PREPEND_WWW=True).

Based on a patch and tests from gonz. Thanks.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9184 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-07 08:22:50 +00:00
Malcolm Tredinnick ba59295068 Fixed #9221 -- Small optimisation to caching middleware handling.
In the slightly unusual case that CACHE_MIDDLEWARE_SECONDS is set to 0, don't
bother storing a copy in the local cache.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9098 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-30 03:58:09 +00:00
Jacob Kaplan-Moss 40e5cde1c5 Fixed #7379: fixed a subtle corner case involving URL encoding in `CommonMiddleware`
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-27 20:29:58 +00:00
Malcolm Tredinnick 1e1f7c58bc Fixed #8381 -- Fixed a problem with appending slashes in the common middleware
when SCRIPT_NAME contains something other than '/'. Patch from jcassee.

Also fixed the middleware tests to work with this patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 01:32:18 +00:00
Gary Wilson Jr c0d862d638 Fixed a typo and added a bit more ReST markup to cache middleware docstring.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8387 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:47:03 +00:00
Jacob Kaplan-Moss 7526590376 Split CacheMiddleware up into two parts -- an update-cache and a fetch-from-cache middleware. This lets you run each half of the cache middleware at the correct time to avoid bad interactions between the cache middleware and other middleware that must modify the cache key (like the locale middleware).
CacheMiddleware itself is still around for backwards-compatibility and as a hook point for the cache decorator, but the documentation has been updated to point people towards the two-part caching middleware.

Refs #730.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8260 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:07:45 +00:00
Malcolm Tredinnick e8f18643cf Fixed #8121 -- Don't override the Content-Language HTTP header in the locale
middleware if it's already been set. Thanks, jcassee.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8259 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:04:45 +00:00
Gary Wilson Jr c85c8f8891 Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. Patch from Karen Tracey.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02 05:56:57 +00:00
Malcolm Tredinnick 94beaa6ebb Fixed #7046 -- set the response status code correctly in ConditionalGetMiddleware.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-30 07:03:58 +00:00
Adrian Holovaty 02bbd9a9b2 Fixed #7228 -- Fixed our ETag header creation to meet the HTTP spec, by quoting it. Thanks, skjohn@us.ibm.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7659 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-16 04:13:04 +00:00
Malcolm Tredinnick 5f477760ac Fixed #6480 -- Added application/pdf the list of content types we don't compress when sending to Internet Explorer. Thanks, Bastien Kleineidam.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7080 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-02-04 01:40:53 +00:00
Malcolm Tredinnick 1f629bff99 Fixed #3228 -- Added new APPEND_SLASH handling behaviour in the common middleware. Makes customisation a bit easier. Thanks, Mihai Preda and Andy Gayton.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6852 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-02 23:25:55 +00:00
Malcolm Tredinnick f2f6e70b08 Fixed #5813 -- Taught the CacheMiddleware to respect any max-age HTTP header
when setting the expiry time. Thanks, SmileyChris.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6736 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-29 16:57:18 +00:00
Gary Wilson Jr 5870ffd4b0 Made some stylistic changes in `GZipMiddleware` and added some notes about IE, refs #5313.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6697 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-19 03:41:46 +00:00
Malcolm Tredinnick 3ee3d6b5f3 Fixed #5898 -- Changed a few response processing paths to make things harder to get wrong and easier to get right. Previous behaviour wasn't buggy, but it was harder to use than necessary.
We now have automatic HEAD processing always (previously required ConditionalGetMiddleware), middleware benefits from the Location header rewrite, so they can use relative URLs as well, and responses with response codes 1xx, 204 or 304 will always have their content removed, in accordance with the HTTP spec (so it's much harder to indavertently deliver invalid responses).

Based on a patch and diagnosis from regexbot@gmail.com.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6662 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-11 03:55:44 +00:00
Gary Wilson Jr 5997cb8ad4 Removed unused variable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 04:04:07 +00:00
Gary Wilson Jr 8c442f21dc Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 03:59:40 +00:00
Malcolm Tredinnick 5ef7c4c525 Fixed #5762 -- Quoted the portions that make up the URL when appending
"www." or adding a trailing slash in common middleware.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6553 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 08:31:05 +00:00
Malcolm Tredinnick c4cdb214a6 Fixed #5313 -- Only avoid compressing Javascript when the user agent says it's Internet Explorer. Thanks, mgiger@earthbrowser.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6538 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 03:45:48 +00:00
Jacob Kaplan-Moss 5ae6fafad7 Fixed #3872, which turns out to not have been a bug in the first place, by reverting [6364].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-20 17:03:14 +00:00
Adrian Holovaty 0f4fb9755c Fixed #3872 -- Fixed incorrect handling of HTTP_X_FORWARDED_FOR in SetRemoteAddrFromForwardedFor. Thanks, Simon Willison and gregorth
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6364 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-16 16:54:16 +00:00
Malcolm Tredinnick 4b610f42d3 Added a get_host() method to HttpRequest. There is still an http.get_host() version in place, so this is fully backwards compatible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6296 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 17:46:03 +00:00
Jacob Kaplan-Moss ca9388cdaf Added more dict-like methods to HttpResponse as part of the response.headers -> response._headers move, and fixed a few direct uses of response.headers in Django itself. Thanks to PhiR for tracking down and slaying these bugs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-14 22:33:56 +00:00
Malcolm Tredinnick 0e7299e10a Fixed #4994 -- Send back set-cookie headers in "not modified" responses. Well spotted, colin@owlfish.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5878 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-12 13:10:45 +00:00
Malcolm Tredinnick c050b6a25a Fixed #4946 -- Added some small improvements to Gzip middleware. Thanks, colin@owlfish.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5875 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-12 12:29:25 +00:00
Malcolm Tredinnick 5dd9a2ab38 Fixed #4199 -- Changed date formatting in HTTP expires header to be spec
compliant. Thanks, Chris Bennett.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5712 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-16 03:50:22 +00:00
Malcolm Tredinnick 50a3cea8b6 Fixed #4484 -- Fixed APPEND_SLASH handling to handle an empty path value.
Thanks, VesselinK.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-13 14:33:46 +00:00
Malcolm Tredinnick 9b397ee50d Changed ETag computation to first check if an ETag header already exists in the
response.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5483 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-06-17 07:21:09 +00:00