Commit Graph

274 Commits

Author SHA1 Message Date
Artur Juraszek 817c6cdf0e Capitalized SecurityMiddleware headers for consistency with other headers.
(No behavior change since HTTP headers are case insensitive.)
2018-10-30 18:30:51 -04:00
Michal Čihař 22e8ab0286 Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. 2018-09-08 11:46:13 -04:00
Andreas Hug a656a68127 Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. 2018-08-01 09:28:42 -04:00
Samir Shah 10b44e4525 Fixed #26688 -- Fixed HTTP request logging inconsistencies.
* Added logging of 500 responses for instantiated responses.
* Added logging of all 4xx and 5xx responses.
2018-05-04 20:55:03 -04:00
Alex Gaynor 9a56b4b13e Fixed #27863 -- Added support for the SameSite cookie flag.
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
Mariusz Felisiak 362813d628
Fixed hanging indentation in various code. 2018-03-16 10:54:34 +01:00
Tomer Chachamu 7ec0fdf62a Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. 2018-02-14 20:24:01 -05:00
shanghui d968788b57 Fixed #28833 -- Prevented CacheMiddleware from caching responses with "Cache-Control: private". 2018-02-06 09:42:05 -05:00
Дилян Палаузов d7b2aa24f7 Fixed #28982 -- Simplified code with and/or. 2018-01-03 20:12:23 -05:00
Дилян Палаузов 23bf4ad87f Fixed #28795 -- Removed 'not in' checks and used dict.setdefault(). 2017-11-14 10:52:52 -05:00
Tim Graham 8f8a4d10d3 Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.
Follow up to 48d57788ee.
2017-11-11 20:45:17 -05:00
Tim Graham 48d57788ee Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline. 2017-09-22 12:51:18 -04:00
Florian Apolloner c4c128d67c Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
Regression in eef95ea96f.
2017-09-20 16:22:18 -04:00
Anton Samarchyan 86de930f41 Refs #27656 -- Updated remaining docstring verbs according to PEP 257. 2017-03-04 10:02:06 -05:00
Asif Saifuddin Auvi 5f3a689f71 Imported django.http classes instead of django.http. 2017-02-27 14:47:11 -05:00
Claude Paroz c688336ebc Refs #23919 -- Assumed request COOKIES and META are str 2017-01-30 14:13:29 +01:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Raphael Michel ddf169cdac Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
Krzysztof Urbaniak b8a815e9df Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with prefix_default_language=False. 2016-11-29 13:06:35 -05:00
Sven Engström f46a838efc Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash. 2016-11-06 10:38:36 +01:00
Adam Malinowski 37809b891e Fixed #27346 -- Stopped setting the Content-Length header in ConditionalGetMiddleware. 2016-11-05 22:24:54 +01:00
Kevin Christopher Henry 2327fad54e Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests. 2016-10-17 16:11:53 -04:00
Tim Graham 61f9243e51 Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware. 2016-10-14 12:48:03 -04:00
Kevin Christopher Henry ad332e5ca9 Refs #19705 -- Made GZipMiddleware make ETags weak.
Django's conditional request processing can now produce 304 Not Modified
responses for content that is subject to compression.
2016-10-13 14:22:54 -04:00
Denis Cornehl a840710e1e Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ConditionalGetMiddleware. 2016-10-10 14:55:59 -04:00
Rinat Khabibiev f9702977b7 Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 Not Modified" responses. 2016-09-14 19:37:18 -04:00
Kevin Christopher Henry 4ef0e019b7 Fixed #27083 -- Added support for weak ETags. 2016-09-10 08:14:52 -04:00
Ed Morley 3c2447dd13 Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-08-10 20:23:54 -04:00
andrewnester 20d39325ca Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response has Cache-Control: no-store. 2016-07-15 15:34:00 -04:00
Claude Paroz 9588718cd4 Fixed #5897 -- Added the Content-Length response header in CommonMiddleware
Thanks Tim Graham for the review.
2016-06-27 10:44:57 +02:00
Carl Meyer 7d1b69dbe7 Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware exception handling. 2016-06-17 10:00:39 -07:00
Tim Graham 563d534d33 Removed an unused logger in middleware/common.py 2016-06-04 12:01:44 -04:00
Holly Becker 55fec16aaf Fixed #26628 -- Changed CSRF logger to django.security.csrf. 2016-06-04 10:17:06 -04:00
Tim Graham 546649f2d6 Fixed some newlines in imports per isort. 2016-05-19 11:05:44 -04:00
Shai Berger 5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Florian Apolloner 9baf692a58 Fixed #26601 -- Improved middleware per DEP 0005.
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
Florian Apolloner 05c888ffb8 Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware. 2016-05-17 07:20:56 -04:00
Vasiliy Faronov ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616.
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
Tim Graham 2cd2d18851 Fixed W503 flake8 warnings. 2016-04-04 17:14:26 -04:00
ieatkittens 9390da7fb6 Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and APPEND_SLASH independently. 2016-03-23 09:23:19 -04:00
Krzysztof Urbaniak 85a4844f8a Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with HTTP_ACCEPT_LANGUAGE header. 2016-03-10 10:51:55 -05:00
harikrishnakanchi 74670498e9 Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then
BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08 09:21:42 -05:00
Krzysztof Urbaniak 839a955d08 Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns(). 2016-03-08 08:14:10 -05:00
Simon Charette d0451e4cad Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.
Thanks Tim for the review.
2016-03-03 12:08:49 -05:00
Liam Brenner 182f98c4c7 Fixed typo in django/middleware/common.py docstring. 2016-02-09 08:06:26 -05:00
chemary 2d28144c95 Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). 2016-01-20 18:19:24 -05:00
Denis Cornehl 186b6c61bf Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Marten Kenbeek 16411b8400 Fixed #26013 -- Moved django.core.urlresolvers to django.urls.
Thanks to Tim Graham for the review.
2015-12-31 14:21:29 -05:00