Commit Graph

95 Commits

Author SHA1 Message Date
Collin Anderson 8a2f04db91 typo: urlaprse -> urlparse 2014-05-14 15:00:57 -04:00
Erik Romijn 255449c1ee Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:19:48 +02:00
Ray Ashman Jr e2ae8b048e Correct flake8 E302 violations 2013-11-02 19:53:29 -04:00
Ray Ashman Jr dcfc8fa972 Correct flake8 violation E261 2013-11-02 15:27:47 -04:00
Alex Gaynor f2d8027c9a Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) 2013-10-26 10:50:40 -07:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Aymeric Augustin a5b062576b Removed a few trailing backslashes.
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Aymeric Augustin 6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00
Jacob Kaplan-Moss ae3535169a Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
David Evans 8a160d5de1 Use `usegmt` flag in formatdate
Slightly cleaner and faster than string manipulation.
 
This flag has been available since Python 2.4:
http://docs.python.org/2/library/email.util.html#email.utils.formatdate
2013-08-07 12:00:39 +01:00
Tim Graham 1184d07789 Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.

Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Marc Tamlyn 413735b239 Fix a typo in a comment. 2013-05-19 11:24:36 +02:00
Florian Apolloner 051cb1f4c6 Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.
Thanks to edevil for the report and saz for the patch.
2013-05-18 12:32:47 +02:00
Gavin Wahl ec04fd1344 Fixed spelling errors 2013-03-28 11:16:53 -06:00
konarkmodi bc4111ba68 Fixed #18003 -- Preserved tracebacks when re-raising errors.
Thanks jrothenbuhler for draft patch, Konark Modi for updates.
2013-03-19 15:42:39 -07:00
Florian Apolloner a2f2a39956 Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users. 2012-12-10 22:11:39 +01:00
Claude Paroz b3ee80a0cf Fixed parse_http_date docstring and moved related tests
Refs #18675.
2012-09-26 21:10:17 +02:00
Claude Paroz ae88e73fa6 Replaced some smart_xxx by force_xxx equivalent
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Claude Paroz 928baee747 [py3] Fixed conditional_processing tests 2012-08-14 23:35:12 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin d01eaf7104 [py3] Removed uses of sys.maxint under Python 3.
Also fixed #18706: improved exceptions raised by int_to_base36.
2012-08-03 18:51:28 +02:00
Aymeric Augustin 0d914d08a0 [py3] Updated urllib/urllib2/urlparse imports.
Lots of functions were moved. Use explicit imports in all cases
to keey it easy to identify where the functions come from.
2012-07-22 09:29:55 +02:00
Aymeric Augustin bdca5ea345 [py3] Replaced unicode/str by six.text_type/bytes. 2012-07-22 09:29:54 +02:00
Claude Paroz fe873e2765 Fixed #12140 -- Fixed http.urlencode result for empty lists
Thanks aneil for the report and the initial patch.
2012-06-14 11:32:40 +02:00
Aymeric Augustin 4fe87c370d Removed some Python < 2.6 compatibility code. Refs #17965.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17830 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 09:20:04 +00:00
Alex Gaynor b9b3e9f0ef Use Python's changed comparisons, which makes this a bit more readable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16 01:10:21 +00:00
Paul McMillan 6072e108e2 Fixed #17693. Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16 00:58:49 +00:00
Aymeric Augustin d9061c01a9 Fixed #5964 -- Added unicode-aware versions of urlunquote and urlunquote_plus.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17407 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-29 09:00:12 +00:00
Alex Gaynor 699688dc2c Switch to using explicit new-style division behavior, rather than relying on teh classic behavior.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16745 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 21:45:58 +00:00
Jannis Leidel ddaca29d3d Fixed a bunch of imports of the email stdlib module now that we are on Python 2.5 to ease the Python 3 port. Thanks, Martin von Löwis.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 16:18:38 +00:00
Ramiro Morales dff31de20a Fixed #16155 -- Removed Python 2.4 compatibility constructs from code and mentions from docs. Thanks Aymeric Augustin for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16349 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-09 20:01:28 +00:00
Jannis Leidel f4be8bd53d Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22 12:01:41 +00:00
Luke Plant 243d0bec19 Fixed #15617 - CSRF referer checking too strict
Thanks to adam for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
Ramiro Morales d50f59ee18 Fixed #15543 -- Tweaked change from r15696 to not use 'if' syntax introduce in Python 2.5. Thanks to an anonymous reporter for the heads up.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-03 18:42:59 +00:00
Luke Plant dbe6ced0d6 Fixed #717 - If-Modified-Since handling should compare dates according to RFC 2616
Thanks to Maniac for the report, julienb for the initial patch, and
especially to aaugustin for the final patch and tests.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 14:28:06 +00:00
Russell Keith-Magee d053624aa8 Fixed #15067 -- Modified the range checks on base36_to_int so you are guaranteed to always get an int, avoiding possible OverflowErrors. Thanks to Garthex for the report, jboutros for the patch, and kfrazier for the feedback.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15288 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 08:02:40 +00:00
Alex Gaynor 6819be1ea1 Fix a security issue in the auth system. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-23 03:45:08 +00:00
Luke Plant 6fb4f6e299 Fixed #13765 - 'safe' parameter for urlencode filter
Thanks to KyleMac for the suggestion and SmileyChris for the patch

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13849 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-13 23:01:34 +00:00
Malcolm Tredinnick b203db6ec8 Fixed #5791 -- Added early-bailout support for views (ETags and Last-modified).
This provides support for views that can have their ETag and/or Last-modified
values computed much more quickly than the view itself. Supports all HTTP
verbs (not just GET).

Documentation and tests need a little more fleshing out (I'm not happy with the
documentation at the moment, since it's a bit backwards), but the functionality
is correct.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10114 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-22 07:58:29 +00:00
Luke Plant fcd837cd0f Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8162 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-31 20:47:53 +00:00
Gary Wilson Jr 8c442f21dc Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 03:59:40 +00:00
Malcolm Tredinnick bece031772 Fixed #5734 -- Fixed an omission where we weren't passing the "safe" argument
upstream in django.utils.http.urlquote(). Thanks, Thomas Güttler.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6554 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 08:38:59 +00:00
Russell Keith-Magee f2303b6f7a Fixed #4402 -- Modified test client to allow multi-valued inputs on GET requests. Thanks for the suggestion, eddymul@gmail.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5741 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-21 05:17:20 +00:00
Malcolm Tredinnick 953badbea5 Merged Unicode branch into trunk (r4952:5608). This should be fully
backwards compatible for all practical purposes.

Fixed #2391, #2489, #2996, #3322, #3344, #3370, #3406, #3432, #3454, #3492, #3582, #3690, #3878, #3891, #3937, #4039, #4141, #4227, #4286, #4291, #4300, #4452, #4702


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5609 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-04 12:11:04 +00:00