1dcc603eff
Fixed several typos in Django
2014-05-28 17:39:14 -07:00
c083e3815a
Prevented leaking the CSRF token through caching.
...
This is a security fix. Disclosure will follow shortly.
2014-04-21 18:11:26 -04:00
778ce245dd
Corrected many style guide violations that the newest version of flake8 catches
2014-03-30 12:11:05 -07:00
253e8ac29f
Removed django.middleware.doc. Refs #20126 .
...
Small doc changes missed in 66076268
2014-03-21 22:07:39 +01:00
0f9560855e
Removed legacy transaction management per the deprecation timeline.
2014-03-21 21:06:50 +01:00
f567d04b24
Removed settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY per deprecation timeline.
...
refs #15201 .
2014-03-21 09:46:17 -04:00
11e22129d5
Removed settings.SEND_BROKEN_LINK_EMAILS per deprecation timeline.
2014-03-21 07:15:58 -04:00
210d0489c5
Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings
...
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
2014-03-08 09:57:40 +01:00
9b729ddd8f
Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
...
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
2bab9d6d9e
Fixed #21389 -- Accept most valid language codes
...
By removing the 'supported' keyword from the detection methods and only relying
on a cached settings.LANGUAGES, the speed of said methods has been improved;
around 4x raw performance. This allows us to stop checking Python's incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.
HTTP Accept-Language is defined as being case-insensitive, based on this fact
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
2014-02-26 16:58:04 +01:00
9922ed46e2
Fixed #21473 -- Limited language preservation to logout
...
Current language is no longer saved to session by LocaleMiddleware
on every response (the behavior introduced in #14825 ).
Instead language stored in session is reintroduced into new session
after logout.
Forward port of c558a43fd6
2013-12-12 10:24:43 +01:00
7477a4ffde
Fixed E125 pep8 warnings
2013-11-28 08:50:11 -05:00
ffc37e2343
Fixed #21012 -- New API to access cache backends.
...
Thanks Curtis Malony and Florian Apolloner.
Squashed commit of the following:
commit 3380495e93905a74f52b35e289fe928e274f747aee7eb0f73eFixed #21012 -- Thread-local caches, like databases.
2013-11-23 15:06:59 +01:00
cbc7cbbc5b
Fixed flake8 E251 violations
2013-11-03 03:22:11 -06:00
3bc0d46a84
Fixed all E261 warnings
2013-11-02 18:20:39 -04:00
7548aa8ffd
More attacking E302 violators
2013-11-02 13:12:09 -07:00
36ded01527
Fixed #21302 -- Fixed unused imports and import *.
2013-11-02 15:24:56 -04:00
6107435386
Fixed #21324 -- Translate CSRF failure view
...
Thanks to Claude Paroz for the original patch.
2013-11-02 11:22:30 +01:00
0d0f4f020a
Fixed #5789 -- Changed LocaleMiddleware session variable to '_language'.
...
The old 'django_language' variable will still be read from in order
to migrate users. The backwards-compatability shim will be removed in
Django 1.8.
Thanks to jdunck for the report and stugots for the initial patch.
2013-10-22 09:24:42 -04:00
b289fcf1bf
Fixed #21288 -- Fixed E126 pep8 warnings
2013-10-21 08:31:30 -04:00
ac4fec5ca2
Fixed bug causing CSRF token not to rotate on login.
...
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
c7634cd7fe
Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
...
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.
`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.
`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.
This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.
Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
cec11a3336
Used "is" for comparisons with None.
2013-10-10 09:35:56 -04:00
7a97df190c
Fixed #19277 -- Added LocaleMiddleware.response_redirect_class
...
Thanks ppetrid at yawd.eu for the suggestion.
2013-10-03 16:15:29 -04:00
07876cf02b
Deprecated SortedDict (replaced with collections.OrderedDict)
...
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
acd7b34aaf
Advanced deprecation warnings for Django 1.7.
2013-06-29 18:49:37 +02:00
ffcf24c9ce
Removed several unused imports.
2013-06-19 17:18:40 +02:00
0fa8d43e74
Replaced `and...or...` constructs with PEP 308 conditional expressions.
2013-05-26 23:47:50 -03:00
f940e564e4
Fixed #20099 -- Eased subclassing of BrokenLinkEmailsMiddleware
...
Thanks Ram Rachum for the report and the initial patch, and Simon
Charette for the review.
2013-05-25 12:10:53 +02:00
6de81d65f4
Fixed #14825 -- LocaleMiddleware keeps language
...
* LocaleMiddleware stores language into session if it is not present there.
2013-05-25 10:52:54 +02:00
1514f17aa6
Rotate CSRF token on login
2013-05-24 22:15:08 +01:00
660762681c
Fixed #20126 -- XViewMiddleware moved to django.contrib.admindocs.middleware
2013-05-19 13:18:35 +02:00
26e3e7ecb5
Fixed #11915 : generic Accept-Language matches country-specific variants
2013-05-19 12:50:09 +02:00
bd97f7d0cb
Fixed #15201 : Marked CACHE_MIDDLEWARE_ANONYMOUS_ONLY as deprecated
2013-05-18 17:38:32 +02:00
63a9555d57
Fixed #19436 -- Don't log warnings in ensure_csrf_cookie.
2013-05-18 16:17:46 +02:00
8fd44b2551
Fixed #20356 -- Prevented crash when HTTP_REFERER contains non-ascii
...
Thanks srusskih for the report and Aymeric Augustin for the review.
2013-05-18 12:39:11 +02:00
ac37ed21b3
Deprecated TransactionMiddleware and TRANSACTIONS_MANAGED.
...
Replaced them with per-database options, for proper multi-db support.
Also toned down the recommendation to tie transactions to HTTP requests.
Thanks Jeremy for sharing his experience.
2013-03-11 15:04:05 +01:00
3bdc7a6a70
Deprecated transaction.is_managed().
...
It's synchronized with the autocommit flag.
2013-03-11 14:48:54 +01:00
7aacde84f2
Made transaction.managed a no-op and deprecated it.
...
enter_transaction_management() was nearly always followed by managed().
In three places it wasn't, but they will all be refactored eventually.
The "forced" keyword argument avoids introducing behavior changes until
then.
This is mostly backwards-compatible, except, of course, for managed
itself. There's a minor difference in _enter_transaction_management:
the top self.transaction_state now contains the new 'managed' state
rather than the previous one. Django doesn't access
self.transaction_state in _enter_transaction_management.
2013-03-11 14:48:53 +01:00
aa089b106b
Fixed #5241 -- Kept active transalation in LocaleMiddleware.process_response.
2013-02-28 14:21:48 +01:00
539900f117
Fixes #17866 : Vary: Accept-Language header when language prefix used
2013-02-23 19:41:33 +01:00
a4e97cf315
Fixed #19707 -- Reset transaction state after requests
2013-02-10 13:55:54 +02:00
720888a146
Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
...
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
ee26797cff
Fixed typos in docs and comments
2013-01-29 10:55:55 -07:00
50a985b09b
Fixed #19099 -- Split broken link emails out of common middleware.
2013-01-15 17:41:45 +01:00
bcdb4898ca
Fixed #19488 -- Made i18n_patterns redirect work with non-slash-ending paths
...
Thanks Daniel Gerzo for the report and the initial patch.
2013-01-11 21:27:51 +01:00
641acf76e7
Removed IGNORABLE_404_STARTS/ENDS settings.
2012-12-29 21:59:07 +01:00
1c8be95a86
Prevented caching of streaming responses.
...
The test introduced in 4b278131#17758 , #7581 .
2012-12-24 20:28:07 +01:00
c0efbc7b53
Fixed #19347 -- Removed unused variable definition in FetchFromCacheMiddleware
...
Thanks gregplaysguitar at gmail.com for the report.
2012-12-01 13:52:26 +01:00
973f539ab8
Fixed #15152 -- Avoided crash of CommonMiddleware on broken querystring
2012-11-03 21:28:33 +01:00
4b27813198
Fixed #7581 -- Added streaming responses.
...
Thanks mrmachine and everyone else involved on this long-standing ticket.
2012-10-20 20:05:11 +02:00
26ff2be787
Imported getLogger directly from logging module
...
This was a remainder of some 2.4 compatibility code.
2012-09-20 21:03:24 +02:00
f416ea9c8d
fixed rfc comment typo in middleware/csrf.py
2012-09-10 12:11:24 -03:00
d774ad752d
[py3] Made csrf context processor return Unicode
2012-08-13 11:54:21 +02:00
e84f79f051
Fixed #18042 -- Advanced deprecation warnings.
...
Thanks Ramiro for the patch.
2012-05-03 15:27:01 +02:00
126d9e1b49
Fixed #17817 -- Modified LocalMiddleware to use full URLs when redirecting to i18n URLs. Thanks to Paul for keeping an eye on the standards.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17633 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 22:35:26 +00:00
746987f916
Fixed #17734 -- Made sure to only redirect translated URLs if they can actually be resolved to prevent unwanted redirects. Many thanks to Orne Brocaar and Anssi Kääriäinen for input.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17621 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 11:07:36 +00:00
7dd0ceba2e
Fixed #17720 -- Stopped the LocaleMiddleware from overeagerly using the request path for language activation if it's actually not wanted. Thanks to Anssi Kääriäinen for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17547 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18 13:37:30 +00:00
7981efe04f
Documentation (and some small source code) edits from [17432] - [17537]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-17 20:04:11 +00:00
a77679dfaa
Fixes #16827 . Adds a length check to CSRF tokens before applying the santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11 04:18:15 +00:00
f0a1633425
Fixed #17358 -- Updated logging calls to use official syntax for arguments instead of string interpolation. Thanks, spulec.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:58:36 +00:00
b926765a7c
Fixed #16035 -- Appended the Etag response header if the GZipMiddleware is in use to follow RFC2616 better. Thanks, ext and dracos2.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09 18:57:13 +00:00
4288c8831b
Fixed #10762 , #17514 -- Prevented the GZip middleware from returning a response longer than the original content, allowed compression of non-200 responses, and added tests (there were none). Thanks cannona for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17365 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-09 21:42:03 +00:00
e2f9c11736
Fixed #16705 - Made the test client adhere to the WSGI spec -- in particular, removed the assumption that environ['QUERY_STRING'] exists.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16933 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-06 20:39:15 +00:00
bce890ace4
Fixed #16584 -- Fixed a bunch of typos in code comments. Thanks, Bernhard Essl.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16598 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-12 14:14:15 +00:00
24f4764a48
Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13 09:35:51 +00:00
43cb78fafd
Fixed #14506 -- Added an assertion to XViewMiddleware about the dependency on the authentication middleware. Thanks, vanschelven.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16496 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-03 17:56:25 +00:00
896e3c69c7
Fixed #11585 -- Added ability to translate and prefix URL patterns with a language code as an alternative method for language discovery. Many thanks to Orne Brocaar for his initial work and Carl Meyer for feedback.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-15 17:29:10 +00:00
524c5fa07a
Fixed #14261 - Added clickjacking protection (X-Frame-Options header)
...
Many thanks to rniemeyer for the patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16298 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-30 22:27:47 +00:00
d7036e52ab
Made some small tweaks/fixes to documentation from IGNORABLE_404_URLS changeset [16160]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16275 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-24 18:39:28 +00:00
cb060f0f34
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
...
Thanks to brodie for the report, and further input from tow21
This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:45:54 +00:00
8cbcf1d3a6
Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
...
Thanks to cfattarsi for the report and initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
171df93170
Fixed #15954 - New IGNORABLE_404_URLS setting that allows more powerful filtering of 404s to ignore
...
Thanks to aaugustin for implementing this.
(Technically this doesn't fix the original report, as we've decided against
having *any* default values, but the new feature makes it possible, and the
docs have an example addressing #15954 ).
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16160 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-05 20:49:26 +00:00
8823021625
Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
21ef64e34c
Removed Django 1.1 fallback for CSRF checks.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:14 +00:00
13864703bc
Removed a bunch more Python 2.4 workarounds now that we don't support that version. Refs #15702 -- thanks to jonash for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 02:11:19 +00:00
3e18969bcb
Fixed #15635 -- Converted two legacy old-style raise statements. Thanks, DaNmarner
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15917 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-26 03:30:48 +00:00
243d0bec19
Fixed #15617 - CSRF referer checking too strict
...
Thanks to adam for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
f6c991667f
Fixed #4992 -- Respect the GET request query string when creating cache keys. Thanks PeterKz and guettli for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15705 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-02 12:47:36 +00:00
dbe6ced0d6
Fixed #717 - If-Modified-Since handling should compare dates according to RFC 2616
...
Thanks to Maniac for the report, julienb for the initial patch, and
especially to aaugustin for the final patch and tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 14:28:06 +00:00
e57e296167
Corrected logging call in CSRF middleware
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-21 23:00:44 +00:00
969217d455
Fixed #15260 -- Ensured that CACHE_MIDDLEWARE_ANONYMOUS_ONLY is effective with the cache_page decorator, not only the middleware. Thanks to brodie for report and draft patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15559 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-17 04:35:26 +00:00
208630aa4b
Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
00fda7f45d
Fixed #13283 -- Corrected CACHE_MIDDLEWARE_ANONYMOUS_ONLY's bad habit of setting Vary: Cookie on all responses and destroying cache efficiency. Thanks to natrius for the fix.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-01 00:20:31 +00:00
4bb1b2304d
Fixed #15187 -- Ensure that missing page emails aren't sent when running under debug. Thanks to Dan Carroll for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-30 13:11:45 +00:00
3f528e10d5
Fixed #15012 -- Added post-rendering callbacks to TemplateResponse so that decorators (in particular, the cache decorator) can defer processing until after rendering has occurred. Thanks to Joshua Ginsberg for the draft patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15295 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 14:24:35 +00:00
fe581013b0
Fixed #15144 -- Corrected some problems with the Cache middleware when used with multiple cache settings. Thanks to Jim Dalton for the report, and to Jim and Joshua Ginsberg for the work on the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15285 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 06:36:31 +00:00
c0dd2babb1
Fixed sending mail on 404s to fail silently.
...
A failure in the e-mail system should not turn a 404 into a 500.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15145 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-04 04:01:37 +00:00
b22415214a
Beefed up the tests for multi-cache handling of the cache middleware and view decorators, and made a couple of tweaks for edge cases as a result.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-22 07:52:44 +00:00
673e6fc7fb
Fixed #11675 -- Added support for the PyLibMC cache library. In order to support this, and clean up some other 1.3 caching additions, this patch also includes some changes to the way caches are defined. This means you can now have multiple caches, in the same way you have multiple databases. A huge thanks to Jacob Burch for the work on the PyLibMC backend, and to Jannis for his work on the cache definition changes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15005 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-21 15:19:19 +00:00
352deb0915
Fixed #14559 -- corrected some typos and misleading docstrings. Thanks to Gabriel Hurley for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14441 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-02 18:30:00 +00:00
cb17f7ca22
Fixed #14560 -- Enable HEAD requests to be cached properly. Thanks, codemonkey!
...
Introducing ability to cache HEAD requests and GET requests separately by
adding the method to the cache key while preserving the functionality that HEAD
requests can use cached reponses generated by a GET request.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14391 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29 01:31:15 +00:00
90ac02300e
Fixed #14565 - No csrf_token on 404 page.
...
This solution doesn't have the negative side-effects of [14356].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
45c7f427ce
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
...
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
1070c57b83
Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
fea159282b
Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 15:02:26 +00:00
24acca4139
Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
364583b894
Fixed #14235 - UnicodeDecodeError in CSRF middleware
...
Thanks to jbg for the report.
This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
9e3b327aca
Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
e8cff0b8f3
Added explanatory note on CSRF failure page for the case of a missing Referer header.
...
This is intended to help power users who have disabled Referer headers, or
installed add-ons which have done so, and to help web site administrators
with debugging, since this problem will be browser specific and not a
programming error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 16:28:10 +00:00
Alex Gaynor
Aymeric Augustin
Tim Graham
Claude Paroz
Roger Hu
Bouke Haarsma
Ludwik Trammer
Christopher Medrela
Curtis Maloney
Milton Mazzarri
coagulant
Alasdair Nicol
Unai Zalakain
Emil Stenström
Ramiro Morales
Vlastimil Zíma
Andrew Godwin
Łukasz Langa
Olivier Sels
Anssi Kääriäinen
Collin Anderson
Aymeric Augustin
Jannis Leidel
Adrian Holovaty
Paul McMillan
Luke Plant
Carl Meyer
Russell Keith-Magee
Honza Král
James Bennett