Commit Graph

50 Commits

Author SHA1 Message Date
Tim Graham ff0a5aff4f Fixed #27046 -- Supported IPv6-formatted IPv4 addresses in host validation.
Thanks LaMont Jones for the report and patch.
2016-08-11 13:54:39 -04:00
Tim Graham 5c63b3e5a7 Fixed #27005 -- Fixed crash if request.META[''CONTENT_LENGTH']=''. 2016-08-03 13:12:40 -04:00
wim glenn 5ebebd1159 Fixed #26707 -- Added QueryDict.fromkeys() 2016-06-06 08:54:25 -04:00
Andre Cruz 929684d6ee Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
Thanks Tom Christie for review.
2016-05-12 10:17:52 -04:00
Tim Graham ead21a1949 Refs #22897 -- Removed unneeded empty string QueryDict argument. 2016-05-03 12:04:08 -04:00
Curtis Maloney 6f1318734f Fixed #26014 -- Added WSGIRequest content_type and content_params attributes.
Parsed the CONTENT_TYPE header once and recorded it on the request.
2016-02-10 18:19:23 -05:00
userimack 60586dd737 Fixed #26125 -- Fixed E731 flake warnings. 2016-01-25 14:23:43 -05:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Vlastimil Zíma cf29b6b561 Fixed #25099 -- Fixed crash in AdminEmailHandler on DisallowedHost. 2015-09-04 09:24:21 -04:00
Maxime Lorant 5153a3bfdc Fixed #25331 -- Removed trailing blank lines in docstrings. 2015-08-31 17:37:21 -04:00
Matt Robenolt 4dcfbd7923 Fixed #25211 -- Added HttpRequest.get_port() and USE_X_FORWARDED_PORT setting. 2015-08-04 09:50:57 -04:00
Vlastimil Zíma 8f8c54f70b Fixed #25099 -- Cleaned up HttpRequest representations in error reporting. 2015-07-13 19:22:39 -04:00
Piotr Jakimiak 4157c502a5 Removed unnecessary arguments in .get method calls 2015-05-13 20:51:18 +02:00
Bas Peschier 9128762f16 Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
2015-03-26 09:26:55 -04:00
Rik ccff08c194 Fixed #24463 -- Removed mod_python functionality from HttpRequest._get_scheme() 2015-03-11 14:35:25 -04:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Jon Dufresne 4468c08d70 Fixed #23968 -- Replaced list comprehension with generators and dict comprehension 2014-12-08 07:58:23 -05:00
Matt Robenolt 80facd7a0f Removed unused variable django.http.request.absolute_http_url_re 2014-11-24 07:01:55 -05:00
Berker Peksag 788fa9fffa Fixed #12098 -- Simplified HttpRequest.__repr__(). 2014-11-20 08:45:11 -05:00
Unai Zalakain c548c8d0d1 Fixed #18456 -- Added path escaping to HttpRequest.get_full_path(). 2014-11-03 07:59:19 -05:00
Tim Graham 1101467ce0 Limited lines to 119 characters in django/
refs #23395.
2014-09-05 09:22:16 -04:00
Claude Paroz fa02120d36 Fixed #22996 -- Prevented crash with unencoded query string
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
2014-08-19 22:29:31 +02:00
Daniel Hahler fff7b507ef Added a space before explanation of "Invalid HTTP_HOST header: ..." 2014-07-05 20:18:52 -04:00
Duncan Parkes fd4ccd045c Fixed #22799 -- Made GET and POST on HttpRequest QueryDicts, and FILES a MultiValueDict.
Previously, GET, POST, and FILES on an HttpRequest were created in
the __init__ method as dictionaries. This was not something you would
usually notice causing trouble in production as you'd only see a
WSGIRequest, but in testing using the test client, calling .getlist
on GET, POST, or FILES for a request with no get/post data resulted in
an AttributeError.

Changed GET and POST on an HttpRequest object to be mutable
QueryDicts (mutable because the Django tests, and probably many
third party tests, were expecting it).
2014-06-24 22:03:22 -04:00
Duncan Parkes d68987ae25 Fixed #22897 -- Made QueryDict query_string argument optional.
Now QueryDict() is equivalent to QueryDict('') or QueryDict(None).
2014-06-24 22:02:03 -04:00
Duncan Parkes 7f4e2ef1e9 Improved documentation for QueryDict. 2014-06-24 21:40:21 -04:00
Florian Apolloner e2efc8965e Fixed #22680 -- I/O operation on closed file.
This patch is two-fold; first it ensure that Django does close everything in
request.FILES at the end of the request and secondly the storage system should
no longer close any files during save, it's up to the caller to handle that --
or let Django close the files at the end of the request.
2014-06-11 08:57:30 +02:00
Unai Zalakain 11284a63d4 Fixed #18314 -- Corrected request.build_absolute_uri() handling of paths starting with //
``HttpRequest.build_absolute_uri()`` now correctly handles paths starting with ``//``.
``WSGIRequest`` now doesn't remove all the leading slashes either,
because ``http://test/server`` and http://test//server`` aren't the same thing
(RFC2396).

Thanks to SmileyChris for the initial patch.
2014-06-07 08:59:02 -04:00
Alex Gaynor 2bcb8bfc8d Fix many many typos in comments throughout the codebase 2014-04-26 10:18:45 -07:00
Tim Graham 981b864fbd Replaced urllib/urlparse imports with from django.utils.six.moves. 2014-03-31 07:54:22 -04:00
Christopher Medrela 7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Baptiste Mispelon ceecc962ad Fixed #21447 -- Restored code erroneously removed in 20472aa827.
Also added some tests for HttpRequest.__repr__.
Note that the added tests don't actually catch the accidental code
removal (see ticket) but they do cover a codepath that wasn't tested
before.

Thanks to Tom Christie for the report and the original patch.
2013-11-16 01:09:35 +01:00
coagulant 3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Claude Paroz c052699be3 Fixed #20338 -- Stripped ending dot during host validation
Thanks manfre for the report and Timo Graham for the review.
2013-10-24 21:24:04 +02:00
Alasdair Nicol a800036981 Fixed #21287 -- Fixed E123 pep8 warnings 2013-10-18 10:07:39 +01:00
Unai Zalakain c7634cd7fe Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.

`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.

`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.

This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.

Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham 58d555caf5 Fixed #16822 -- Added RawPostDataException
Thanks jaylett for the patch.
2013-10-08 08:05:39 -04:00
Baptiste Mispelon 20472aa827 Fixed #21189: Cleaned up usage of bare except clauses.
Thanks to berkerpeksag for the report and to claudep
for the review.
2013-10-05 11:50:03 +02:00
Will Hardy 1c3c21b38d Fixed #19987 -- Disabled host validation when DEBUG=True.
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
2013-07-31 10:38:59 -04:00
Claude Paroz 5c1143910e Removed most of absolute_import imports
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
2013-07-29 20:28:13 +02:00
Loic Bistuer 48ce167d89 Fixed missing initializations in WSGIRequest. Refs #20619 2013-06-26 14:36:25 +07:00
Claude Paroz de66b56790 Fixed #18481 -- Wrapped request.FILES read error in UnreadablePostError
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
2013-06-01 10:26:46 +02:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Baptiste Mispelon c250f9c99b Fixed #20038 -- Better error message for host validation. 2013-04-03 14:27:20 -06:00
Aymeric Augustin ce76fbfc5a Fixed #20019 -- Ensured HttpRequest.resolver_match always exists.
Obviously it isn't set until the URL is resolved.
2013-03-10 23:28:19 +01:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin 4a6490a4a0 Removed HttpRequest.raw_post_data. 2012-12-29 21:59:07 +01:00
Florian Apolloner 27560924ec Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
Aymeric Augustin 095eca8dd8 Fixed #19101 -- Decoding of non-ASCII POST data on Python 3.
Thanks Claude Paroz.
2012-11-03 13:03:15 +01:00
Alex Gaynor b4066d7d21 Cleaned up the the http module. Moved all of the code from __init__.py to request.py, response.py and utils.py 2012-10-21 11:12:59 -07:00