Commit Graph

251 Commits

Author SHA1 Message Date
Claude Paroz a14f087233 Fixed #21282 -- Made HttpResponse.serialize_headers accept latin-1
Thanks Raphaël Barrois for the report and the initial patch and
Aymeric Augustin for the review.
2013-10-17 18:14:35 +02:00
Unai Zalakain c7634cd7fe Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.

`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.

`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.

This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.

Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham 58d555caf5 Fixed #16822 -- Added RawPostDataException
Thanks jaylett for the patch.
2013-10-08 08:05:39 -04:00
Baptiste Mispelon 20472aa827 Fixed #21189: Cleaned up usage of bare except clauses.
Thanks to berkerpeksag for the report and to claudep
for the review.
2013-10-05 11:50:03 +02:00
e0ne f2a4452882 Fixed #18403 -- Initialized bad_cookies in SimpleCookie
Thanks Stefano Crosta for the report.
2013-09-10 08:26:54 -04:00
Daniel Boeve 6dca603abb Fixed #20889 -- Prevented email.Header from inserting newlines
Passed large maxlinelen to email.Header to prevent newlines from being
inserted into value returned by _convert_to_charset

Thanks mjl at laubach.at for the report.
2013-09-09 08:47:41 -04:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00
Claude Paroz f4e9804567 Fixed #20961 -- Fixed HttpResponse default empty content
Thanks epandurski at gmail.com for the report.
2013-08-24 18:10:12 +02:00
Will Hardy 1c3c21b38d Fixed #19987 -- Disabled host validation when DEBUG=True.
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
2013-07-31 10:38:59 -04:00
Baptiste Mispelon 3c45fb8589 Fixed #10491 -- Allowed passing lazy objects to HttpResponseRedirect.
Thanks liangent for the report.
2013-07-30 13:39:44 -04:00
Claude Paroz 5c1143910e Removed most of absolute_import imports
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
2013-07-29 20:28:13 +02:00
Benjamin Kagia b0953dc913 Fixed #13721 -- Added UploadedFile.content_type_extra.
Thanks Waldemar Kornewald and mvschaik for work on the patch.
2013-07-11 09:11:59 -04:00
Aymeric Augustin 8b9b8d3bda Removed compatibility code for streaming responses.
This code provided a deprecation path for old-style streaming responses.

Refs #6527, #7581.
2013-06-29 18:49:36 +02:00
Ramiro Morales 8eadbc5a03 Removed 'mimetype' arguments from a few places, as per deprecation TL.
This includes HttpResponse and co. __init__() methods,
django.shortcuts.render_to_response() and the index(), sitemap() sitemap
app views.
2013-06-28 21:48:16 -03:00
Loic Bistuer 48ce167d89 Fixed missing initializations in WSGIRequest. Refs #20619 2013-06-26 14:36:25 +07:00
CHI Cheng 659d090025 Fixed #20598 -- Add new HTTP status codes defined in rfc6585
428, 429, 431 and 511
2013-06-14 23:22:52 +10:00
Claude Paroz de66b56790 Fixed #18481 -- Wrapped request.FILES read error in UnreadablePostError
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
2013-06-01 10:26:46 +02:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Łukasz Langa 0594fed9ff Fixed #20472: response.content should be bytes on both Python 2 and 3 2013-05-21 01:28:16 +02:00
Aymeric Augustin cb86f707a0 Fixed #12747 -- Made reason phrases customizable. 2013-05-19 13:14:54 +02:00
Eric Urban c278e56baf Corrected documentation on the constructor arguments of MultiPartParser 2013-05-17 19:49:33 -04:00
Aymeric Augustin 9c487b5974 Replaced an antiquated pattern.
Thanks Lennart Regebro for pointing it out.
2013-05-17 18:08:58 +02:00
Baptiste Mispelon c250f9c99b Fixed #20038 -- Better error message for host validation. 2013-04-03 14:27:20 -06:00
konarkmodi bc4111ba68 Fixed #18003 -- Preserved tracebacks when re-raising errors.
Thanks jrothenbuhler for draft patch, Konark Modi for updates.
2013-03-19 15:42:39 -07:00
Aymeric Augustin ce76fbfc5a Fixed #20019 -- Ensured HttpRequest.resolver_match always exists.
Obviously it isn't set until the URL is resolved.
2013-03-10 23:28:19 +01:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Hiroki Kiyohara e94f405d94 Fixed #18558 -- Added url property to HttpResponseRedirect*
Thanks coolRR for the report.
2013-02-13 10:29:32 +01:00
Matt Robenolt 222a956ecc Kill mx.TextTools with fire 2013-01-15 10:15:40 -08:00
Claude Paroz f08e739bc2 Fixed #19585 -- Fixed loading cookie value as a dict
This regression was introduced by the 'unicode_literals' patch.
2013-01-11 21:09:33 +01:00
Aymeric Augustin acc5396e6d Fixed #19519 -- Fired request_finished in the WSGI iterable's close(). 2012-12-31 12:47:34 +01:00
Aymeric Augustin ef017a5f00 Advanced pending deprecation warnings.
Also added stacklevel argument, fixed #18127.
2012-12-29 21:59:07 +01:00
Aymeric Augustin 4a6490a4a0 Removed HttpRequest.raw_post_data. 2012-12-29 21:59:07 +01:00
Florian Apolloner 27560924ec Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
Claude Paroz 2a67374b51 Fixed #19036 -- Fixed base64 uploads decoding
Thanks anthony at adsorbtion.org for the report, and johannesl for
bringing the patch up-to-date.
2012-11-17 17:25:21 +01:00
Aymeric Augustin fc10418fba Fixed #18963 -- Used a subclass-friendly pattern
for Python 2 object model compatibility methods.
2012-11-03 22:07:35 +01:00
Aymeric Augustin 095eca8dd8 Fixed #19101 -- Decoding of non-ASCII POST data on Python 3.
Thanks Claude Paroz.
2012-11-03 13:03:15 +01:00
Aymeric Augustin da56e1bac6 Fixed #18796 -- Refactored conversion to bytes in HttpResponse
Thanks mrmachine for the review.
2012-10-25 08:49:51 +02:00
Aymeric Augustin 82b3e6ffcb Fixed #13222 -- Made HttpResponse iterable once
response.content can be accessed many times as desired, and always
returns the same result.

iter(response) works only once and consumes the iterator.
2012-10-24 17:19:56 +02:00
Aymeric Augustin 495a8b8107 Fixed #6527 -- Provided repeatable content access
in HttpResponses instantiated with iterators.
2012-10-24 17:08:37 +02:00
Aymeric Augustin ea57112d53 Reverted 6a64822bf4.
This commit caused every test that does two or more assertContains to
fail, because of #6527. It also made HttpResponse non-pickleable.

Refs #13222.
2012-10-23 00:11:17 +02:00
Aymeric Augustin 6a64822bf4 Fixed #13222 -- Repeated iteration of HttpResponse
Thanks teepark for the report and grahamd for his insights.
2012-10-22 22:52:36 +02:00
Alex Gaynor b4066d7d21 Cleaned up the the http module. Moved all of the code from __init__.py to request.py, response.py and utils.py 2012-10-21 11:12:59 -07:00
Aymeric Augustin 4b27813198 Fixed #7581 -- Added streaming responses.
Thanks mrmachine and everyone else involved on this long-standing ticket.
2012-10-20 20:05:11 +02:00
Claude Paroz dfd4a71751 Fixed #5611 -- Restricted accepted content types in parsing POST data
Thanks paulegan for the report and Preston Holmes for the review.
2012-10-20 14:56:16 +02:00
Preston Holmes 9305c0e12d Fixed a security issue related to password resets
Full disclosure and new release are forthcoming
2012-10-17 14:36:41 -07:00
Aymeric Augustin 9b07b5edeb Fixed #18916 -- Allowed non-ASCII headers.
Thanks Malcolm Tredinnick for the review.
2012-09-07 19:08:57 -04:00
Alex Gaynor 335a9f9cf1 Removed many uses of bare "except:", which were either going to a) silence real issues, or b) were impossible to hit. 2012-09-07 15:08:07 -04:00
Claude Paroz ae88e73fa6 Replaced some smart_xxx by force_xxx equivalent
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Claude Paroz ebc773ada3 Replaced many smart_bytes by force_bytes
In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.
2012-08-29 11:20:32 +02:00
Claude Paroz 44c09de555 Fixed #18678 -- HttpResponse init arguments allowed for subclasses
Thanks hp1337@gmail.com for the report.
2012-08-23 10:59:22 +02:00
Claude Paroz 7cfe8e8fce Fixed #11340 -- Prevented HttpResponseNotModified to have content/content-type
The HTTP 1.1 spec tells that the 304 response MUST NOT contain a
message body.
Thanks aparajita for the report.
2012-08-22 20:55:24 +02:00
Claude Paroz e2b4eddc11 Used the decorator syntax for properties in django.http 2012-08-22 20:55:24 +02:00
Aymeric Augustin 5f2d9cdbb1 [py3] Fixed another regression from 2892cb0ec4. 2012-08-19 18:24:50 +02:00
Aymeric Augustin 2892cb0ec4 [py3] Fixed regression introduced in 536b030363.
Refs #18764.

Reverted 536b030363 and switched to a more explicit way of avoiding
calling bytes(<int>).

This definitely deserves a refactoring. Specifically, _get_content
should just return b''.join(self). Unfortunately that's impossible
with the current tests.
2012-08-19 17:56:46 +02:00
Aymeric Augustin 536b030363 [py3] Supported integers in HttpResponse
Fixed #18764.
2012-08-19 16:38:21 +02:00
Claude Paroz 4d393e1bd9 [py3] Fixed HTTP header serialization 2012-08-15 13:39:39 +02:00
Claude Paroz 0120985095 [py3] Fixed file_uploads tests 2012-08-14 23:35:12 +02:00
Claude Paroz c35501a128 [py3] Fixed HttpResponse when initialized with bytes 2012-08-14 16:15:50 +02:00
Aymeric Augustin e04230e2e4 [py3] Ported django.http according to PEP 3333.
Perfomed some style cleanup while I was in the area.
2012-08-14 10:32:16 +02:00
Claude Paroz 363dbd920e [py3] Fixed contrib.formtools tests 2012-08-13 21:26:12 +02:00
Claude Paroz a025b75f6c [py3] Fixed iterlists usage in QueryDict 2012-08-13 21:25:27 +02:00
Claude Paroz 09c589810d [py3] Used smart_str to prevent regressions in http handling 2012-08-11 15:29:29 +02:00
Claude Paroz f10a1b0641 [py3] Fixed Python 3 compatibility of http handling
* Using str() when Python 2 expects bytes and Python 3 Unicode
* Fixed reraise-ing syntax
* Fixed slicing of byte strings
2012-08-11 14:47:44 +02:00
Aymeric Augustin 5c09c59bc7 [py3] Renamed `next` to `__next__` in iterators.
See PEP 3114. `next` is retained as an alias for Python 2.
2012-08-09 14:36:05 +02:00
Claude Paroz db729266d6 [py3] Fixed 'iterable but non string' detection
In Python 3, the str type has an __iter__ attribute. Therefore, the
presence of an __iter__ attribute is not sufficient to distinguish
'standard' iterables (list, tuple) from strings.
2012-08-08 18:02:25 +02:00
Aymeric Augustin bf4da7a442 [py3] Made a small fix in django.http.
This is necessary for the 'utils' tests to pass.
2012-08-07 12:00:24 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Claude Paroz 9908201d7f Replaced some byte strings by str() calls
This is a useful trick when Python 2 awaits byte strings and
Python 3 Unicode (regular) strings.
2012-08-03 15:18:13 +02:00
Florian Apolloner 4129201c3e Fixed a security issue in http redirects. Disclosure and new release forthcoming. 2012-07-30 22:01:50 +02:00
Aymeric Augustin ca07fda2ef [py3] Switched to Python 3-compatible imports.
xrange/range will be dealt with in a separate commit due to the huge
number of changes.
2012-07-22 09:29:56 +02:00
Aymeric Augustin 0d914d08a0 [py3] Updated urllib/urllib2/urlparse imports.
Lots of functions were moved. Use explicit imports in all cases
to keey it easy to identify where the functions come from.
2012-07-22 09:29:55 +02:00
Aymeric Augustin bdca5ea345 [py3] Replaced unicode/str by six.text_type/bytes. 2012-07-22 09:29:54 +02:00
Aymeric Augustin d796c94b03 [py3] Used six.reraise wherever necessary. 2012-07-22 09:29:52 +02:00
Claude Paroz 23f94f0741 Fixed #18561 -- Made HttpResponse.tell() support non-ascii chars 2012-07-17 22:00:54 +02:00
Alex Gaynor 8f002867b2 Cleaned up the QueryDict implementation.
- Use super().
- Don't poke at internals.
- Don't override methods for no reason.
2012-07-14 14:07:11 -07:00
Claude Paroz da200c5e35 Fixed #16519 -- Deprecated mimetype kwarg of HttpResponse __init__
This keyword was already deprecated in the code (supported for
backwards compatibility only), but never formally deprecated.
Thanks Paul McMillan for the report and yasar11732 for the initial
patch.
2012-06-30 21:27:47 +02:00
Claude Paroz 4a103086d5 Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00
Claude Paroz 38408f8007 Marked bytestrings with b prefix. Refs #18269
This is a preparation for unicode literals general usage in
Django (Python 3 compatibility).
2012-05-19 17:43:34 +02:00
Claude Paroz 169b1a404c Replaced foo.next() by next(foo).
This new syntax for next() has been introduced in Python 2.6 and is
compatible with Python 3.
2012-05-10 20:15:49 +02:00
Claude Paroz d7dfab59ea Replaced cStringIO.StringIO by io.BytesIO.
Also replaced StringIO.StringIO by BytesIO in some other appropriate
places. StringIO is not available in Python 3.
2012-05-05 21:41:44 +02:00
Aymeric Augustin e84f79f051 Fixed #18042 -- Advanced deprecation warnings.
Thanks Ramiro for the patch.
2012-05-03 15:27:01 +02:00
Claude Paroz 3904b74a3f Fixed #18013 -- Use the new 'as' syntax for exceptions.
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
Aymeric Augustin bfbe4dfff7 Removed deprecated CompatCookie.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17843 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 12:54:40 +00:00
Claude Paroz a1ffb02107 Fixed #18029 -- Removed mod_python as of deprecation process. Thanks Aymeric Augustin for the review.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17835 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 10:34:11 +00:00
Claude Paroz 23d3459761 Fixed #17965 -- Definitely dropped support for Python 2.5. Thanks jonash for the initial patch and Aymeric Augustin for the review.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 08:24:29 +00:00
Aymeric Augustin c8e2f7591d Fixed #17931 -- Accepted aware datetimes to set cookies expiry dates. Thanks jaddison for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-18 20:58:22 +00:00
Aymeric Augustin 8d71734f15 Fixed #17923 -- Added missing import in the MySQL and Oracle backends. Thanks aldaran for the report. Also removed two duplicate imports.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-17 09:11:24 +00:00
Carl Meyer 0ce6636102 Fixed #17277 - Wrap IOErrors raised due to client disconnect in a specific IOError subclass so they can be distinguished from more serious errors. Thanks David Lowe.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17493 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-10 22:51:07 +00:00
Adrian Holovaty bfb4ed1425 Negligible spacing fixes to comments in django/http/__init__.py
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17221 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:40:35 +00:00
Adrian Holovaty 81bf5e3950 Fixed comma splice in DeprecationWarning for CompatCookie
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17220 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:37:26 +00:00
Adrian Holovaty 3f003a3c4b Fixed #17323 -- Renamed HttpRequest.raw_post_data to request.body. Thanks for the patch, dstufft
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17210 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-16 23:40:32 +00:00
Adrian Holovaty 61f0aff811 Fixed #14597 -- Added a SECURE_PROXY_SSL_HEADER setting for cases when you're behind a proxy that 'swallows' the fact that a request is HTTPS
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17209 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-16 22:06:06 +00:00
Luke Plant a935d436e9 Fixed #15863 - SimpleCookies are not correctly serialized with the file or database cache backends
Thanks to rakuco for the report and for the tests.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-11 21:04:56 +00:00
Aymeric Augustin affca1369c Fixed #16632 -- Crash on responses without Content-Type with IE. Thanks juan for the report and kenth for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17196 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-11 08:58:14 +00:00
Alex Gaynor 396fcaaef9 Remove all relative imports. We have always been at war with relative imports.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17009 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-18 00:47:49 +00:00
Paul McMillan 2fa433ed55 Slight cleanup to r16829, thanks Alex Gaynor for the note.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16830 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-14 23:58:12 +00:00
Paul McMillan 50255e3305 Fixed #16494 by normalizing HttpResponse behavior with non-string input. HttpResponse now always converts content to string on output, regardless of input type.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16829 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-14 23:27:35 +00:00
Russell Keith-Magee 893cea211a Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel fb590bfa9b Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
Jannis Leidel bce890ace4 Fixed #16584 -- Fixed a bunch of typos in code comments. Thanks, Bernhard Essl.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16598 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-12 14:14:15 +00:00