9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
3ff7f6cf07
Refs #32800 -- Renamed _sanitize_token() to _check_token_format().
2021-11-29 10:48:31 +01:00
5d80843ebc
Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.
...
This also adds CSRF_COOKIE_MASKED transitional setting helpful in
migrating multiple instance of the same project to Django 4.1+.
Thanks Florian Apolloner and Shai Berger for reviews.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-11-29 10:47:39 +01:00
3ff7b15bb7
Fixed #33252 -- Made cache middlewares thread-safe.
2021-11-03 09:39:27 +01:00
eeed488a34
Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern.
...
get_language_from_request() uses Accept-Language and/or Cookie to determine the
correct redirect. Upstream caches need the matching Vary header to cache the
result.
2021-09-01 14:02:37 +02:00
231de683d8
Refs #32800 -- Added _add_new_csrf_cookie() helper function.
...
This centralizes the logic to use when setting a new cookie. It also
eliminates the need for the _get_new_csrf_token() function, which is now
removed.
2021-08-17 12:23:54 +02:00
f10553ec93
Refs #32800 -- Renamed _set_token() to _set_csrf_cookie().
2021-08-17 12:23:54 +02:00
7132341255
Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match().
2021-08-03 07:10:31 +02:00
7c30bdbdb1
Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE'].
2021-07-29 11:55:36 +02:00
6ebf931de8
Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and request.csrf_cookie_needs_reset.
2021-07-29 11:55:36 +02:00
00ea883ef5
Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError.
...
Thanks Chris Jerdonek for the review.
2021-07-23 13:10:41 +02:00
a2e1f1e295
Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic.
...
Thanks Florian Apolloner and Shai Berger for reviews.
2021-07-23 07:08:45 +02:00
fcb75651f9
Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages.
2021-06-23 16:07:15 +02:00
ee408309d2
Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token().
2021-06-22 07:42:28 +02:00
316cc34d04
Fixed comment in CsrfViewMiddleware to say _reject instead of reject.
2021-06-12 16:46:42 +02:00
cd19db10df
Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens.
2021-06-01 09:02:27 +02:00
55775891fb
Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens.
2021-05-31 21:12:21 +02:00
d270dd584e
Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters.
...
This also improves the comments near where the variable is used.
2021-05-29 12:53:50 +02:00
214b36f50a
Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view().
2021-05-28 07:32:01 +02:00
cfd8c91839
Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer.
2021-05-28 07:32:01 +02:00
71179a6124
Fixed #32596 -- Added CsrfViewMiddleware._check_referer().
...
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
2021-05-28 07:31:56 +02:00
866dccb650
Fixed #32778 -- Avoided unnecessary recompilation of token regex in _sanitize_token().
2021-05-25 09:56:09 +02:00
54da6e2ac2
Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.
2021-04-30 12:32:52 +02:00
db5b75f10f
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
...
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
2021-03-30 19:59:24 +02:00
ff514309e1
Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host.
2021-03-25 10:34:58 +01:00
f3825248a2
Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view().
2021-03-25 06:48:36 +01:00
70332e6c43
Refs #32579 -- Optimized good_hosts creation in CsrfViewMiddleware.process_view().
2021-03-25 06:39:35 +01:00
e49fdfa405
Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.
2021-03-19 11:19:19 +01:00
2411b8b5eb
Fixed #16010 -- Added Origin header checking to CSRF middleware.
...
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
dba44a7a7a
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
2021-03-18 20:00:22 +01:00
4bb30fe5d5
Refs #26601 -- Made get_response argument required and don't accept None in middleware classes.
...
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
302caa40e4
Made small readability improvements.
2020-10-28 20:20:20 +01:00
ad11f5b8c9
Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior.
2020-10-22 14:15:19 +02:00
bcc2befd0e
Fixed #31789 -- Added a new headers interface to HttpResponse.
2020-09-14 08:41:59 +02:00
825ce75fae
Fixed #31928 -- Fixed detecting an async get_response in various middlewares.
...
SecurityMiddleware and the three cache middlewares were not calling
super().__init__() during their initialization or calling the required
MiddlewareMixin._async_check() method.
This made the middlewares not properly present as coroutine and
confused the middleware chain when used in a fully async context.
Thanks Kordian Kowalski for the report.
2020-08-28 12:33:15 +02:00
d17b380653
Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and comments.
2020-05-04 12:10:47 +02:00
f283ffaa84
Fixed #28699 -- Fixed CSRF validation with remote user middleware.
...
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens.
2020-02-25 14:16:19 +01:00
4d973f5939
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
...
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
d08d4f464a
Fixed #30765 -- Made cache_page decorator take precedence over max-age Cache-Control directive.
2020-01-16 13:39:16 +01:00
e3d0b4d550
Fixed #30899 -- Lazily compiled import time regular expressions.
2019-10-29 09:22:26 +01:00
0315c18fe1
Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting.
2019-10-23 08:18:48 +02:00
406dba04e1
Fixed #29406 -- Added support for Referrer-Policy header.
...
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
05d0eca635
Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.
2019-09-09 08:15:26 +02:00
8b3f1c35dd
Removed unnecessary assignments in various code.
2019-04-24 13:09:29 +02:00
ad72895c60
Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS.
...
Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS.
2019-03-30 09:02:57 -04:00
7785e03ba8
Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
...
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
817c6cdf0e
Capitalized SecurityMiddleware headers for consistency with other headers.
...
(No behavior change since HTTP headers are case insensitive.)
2018-10-30 18:30:51 -04:00
22e8ab0286
Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
2018-09-08 11:46:13 -04:00
a656a68127
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-08-01 09:28:42 -04:00
django-bot
Chris Jerdonek
Iuri de Silvio
Alex Hayward
Virtosu Bogdan
abhiabhi94
Tim Graham
bankc
Adam Donaghy
Mariusz Felisiak
Martin Thoma
Carlton Gibson
Tom Carrick
Kevin Michel
Adam Johnson
Colton Hicks
Ram Rachum
Claude Paroz
Flavio Curella
Hasan Ramezani
Sergey Fedoseev
Nick Pope
Jon Dufresne
Brad
Artur Juraszek
Michal Čihař
Andreas Hug