Andre Cruz
929684d6ee
Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
...
Thanks Tom Christie for review.
2016-05-12 10:17:52 -04:00
Vasiliy Faronov
ac77c55bc5
Fixed #26567 -- Updated references to obsolete RFC2616.
...
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham
3913a56558
Removed unused django.utils.http.PROTOCOL_TO_PORT.
...
Unused since b0c56b895f
.
2016-04-06 12:29:20 -04:00
Claude Paroz
552f03869e
Added safety to URL decoding in is_safe_url() on Python 2
...
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218
and ada7a4aef
.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
...
This fixes a regression introduced by c5544d2892
.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer
c5544d2892
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
Denis Cornehl
186b6c61bf
Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
...
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Iacopo Spalletti
d693074d43
Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
...
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Matt Robenolt
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Tim Graham
011a54315e
Made is_safe_url() reject URLs that start with control characters.
...
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Lukas Klein
93b3ef9b2e
Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454
2015-02-12 08:58:35 +01:00
Tim Graham
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
Tim Graham
69b5e66738
Fixed is_safe_url() to handle leading whitespace.
...
This is a security fix. Disclosure following shortly.
2015-01-13 13:03:06 -05:00
Tim Graham
2508be35ca
Fixed #23399 -- Optimized django.utils.http.int_to_bas36()
...
Thanks liminspace for the patch and Keryn Knight for benchmarking.
2014-09-08 19:31:21 -04:00
Ian Foote
03d89168a2
Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3.
2014-08-22 20:07:12 -04:00
Claude Paroz
e167e96cfe
Fixed #22223 -- Prevented over-escaping URLs in reverse()
...
And follow more closely the class of characters defined in the
RFC 3986.
Thanks Erik van Zijst for the report and the initial patch, and
Tim Graham for the review.
2014-07-09 09:54:34 +02:00
Collin Anderson
8a2f04db91
typo: urlaprse -> urlparse
2014-05-14 15:00:57 -04:00
Erik Romijn
255449c1ee
Added additional checks in is_safe_url to account for flexible parsing.
...
This is a security fix. Disclosure following shortly.
2014-05-14 10:19:48 +02:00
Ray Ashman Jr
e2ae8b048e
Correct flake8 E302 violations
2013-11-02 19:53:29 -04:00
Ray Ashman Jr
dcfc8fa972
Correct flake8 violation E261
2013-11-02 15:27:47 -04:00
Alex Gaynor
f2d8027c9a
Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet)
2013-10-26 10:50:40 -07:00
Alasdair Nicol
b289fcf1bf
Fixed #21288 -- Fixed E126 pep8 warnings
2013-10-21 08:31:30 -04:00
Aymeric Augustin
a5b062576b
Removed a few trailing backslashes.
...
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Aymeric Augustin
6a6428a36f
Took advantage of django.utils.six.moves.urllib.*.
2013-09-05 14:39:23 -05:00
Aymeric Augustin
365c3e8b73
Replaced "not PY3" by "PY2", new in six 1.4.0.
2013-09-02 12:11:02 +02:00
Jacob Kaplan-Moss
ae3535169a
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
...
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
David Evans
8a160d5de1
Use `usegmt` flag in formatdate
...
Slightly cleaner and faster than string manipulation.
This flag has been available since Python 2.4:
http://docs.python.org/2/library/email.util.html#email.utils.formatdate
2013-08-07 12:00:39 +01:00
Tim Graham
1184d07789
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
...
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.
Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Marc Tamlyn
413735b239
Fix a typo in a comment.
2013-05-19 11:24:36 +02:00
Florian Apolloner
051cb1f4c6
Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.
...
Thanks to edevil for the report and saz for the patch.
2013-05-18 12:32:47 +02:00
Gavin Wahl
ec04fd1344
Fixed spelling errors
2013-03-28 11:16:53 -06:00
konarkmodi
bc4111ba68
Fixed #18003 -- Preserved tracebacks when re-raising errors.
...
Thanks jrothenbuhler for draft patch, Konark Modi for updates.
2013-03-19 15:42:39 -07:00
Florian Apolloner
a2f2a39956
Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
2012-12-10 22:11:39 +01:00
Claude Paroz
b3ee80a0cf
Fixed parse_http_date docstring and moved related tests
...
Refs #18675 .
2012-09-26 21:10:17 +02:00
Claude Paroz
ae88e73fa6
Replaced some smart_xxx by force_xxx equivalent
...
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Claude Paroz
928baee747
[py3] Fixed conditional_processing tests
2012-08-14 23:35:12 +02:00
Aymeric Augustin
c5ef65bcf3
[py3] Ported django.utils.encoding.
...
* Renamed smart_unicode to smart_text (but kept the old name under
Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
and smart_bytes under Python 2 (which is backwards compatible).
Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin
d01eaf7104
[py3] Removed uses of sys.maxint under Python 3.
...
Also fixed #18706 : improved exceptions raised by int_to_base36.
2012-08-03 18:51:28 +02:00
Aymeric Augustin
0d914d08a0
[py3] Updated urllib/urllib2/urlparse imports.
...
Lots of functions were moved. Use explicit imports in all cases
to keey it easy to identify where the functions come from.
2012-07-22 09:29:55 +02:00
Aymeric Augustin
bdca5ea345
[py3] Replaced unicode/str by six.text_type/bytes.
2012-07-22 09:29:54 +02:00
Claude Paroz
fe873e2765
Fixed #12140 -- Fixed http.urlencode result for empty lists
...
Thanks aneil for the report and the initial patch.
2012-06-14 11:32:40 +02:00
Aymeric Augustin
4fe87c370d
Removed some Python < 2.6 compatibility code. Refs #17965 .
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17830 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 09:20:04 +00:00
Alex Gaynor
b9b3e9f0ef
Use Python's changed comparisons, which makes this a bit more readable.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16 01:10:21 +00:00
Paul McMillan
6072e108e2
Fixed #17693 . Input validation and tests for base36 conversion utils. Thanks Keryn Knight for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16 00:58:49 +00:00
Aymeric Augustin
d9061c01a9
Fixed #5964 -- Added unicode-aware versions of urlunquote and urlunquote_plus.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17407 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-29 09:00:12 +00:00
Alex Gaynor
699688dc2c
Switch to using explicit new-style division behavior, rather than relying on teh classic behavior.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16745 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 21:45:58 +00:00
Jannis Leidel
ddaca29d3d
Fixed a bunch of imports of the email stdlib module now that we are on Python 2.5 to ease the Python 3 port. Thanks, Martin von Löwis.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 16:18:38 +00:00
Ramiro Morales
dff31de20a
Fixed #16155 -- Removed Python 2.4 compatibility constructs from code and mentions from docs. Thanks Aymeric Augustin for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16349 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-09 20:01:28 +00:00
Jannis Leidel
f4be8bd53d
Fixed #9089 -- Correctly handle list values in MultiValueDict instances when passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22 12:01:41 +00:00
Luke Plant
243d0bec19
Fixed #15617 - CSRF referer checking too strict
...
Thanks to adam for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00