bankc
db5b75f10f
Fixed #31840 -- Added support for Cross-Origin Opener Policy header.
...
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
2021-03-30 19:59:24 +02:00
Chris Jerdonek
ff514309e1
Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host.
2021-03-25 10:34:58 +01:00
Chris Jerdonek
f3825248a2
Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view().
2021-03-25 06:48:36 +01:00
Chris Jerdonek
70332e6c43
Refs #32579 -- Optimized good_hosts creation in CsrfViewMiddleware.process_view().
2021-03-25 06:39:35 +01:00
Adam Donaghy
e49fdfa405
Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.
2021-03-19 11:19:19 +01:00
Tim Graham
2411b8b5eb
Fixed #16010 -- Added Origin header checking to CSRF middleware.
...
Thanks David Benjamin for the original patch, and Florian
Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18 20:25:20 +01:00
Tim Graham
dba44a7a7a
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
2021-03-18 20:00:22 +01:00
Mariusz Felisiak
4bb30fe5d5
Refs #26601 -- Made get_response argument required and don't accept None in middleware classes.
...
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Martin Thoma
302caa40e4
Made small readability improvements.
2020-10-28 20:20:20 +01:00
Carlton Gibson
ad11f5b8c9
Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior.
2020-10-22 14:15:19 +02:00
Tom Carrick
bcc2befd0e
Fixed #31789 -- Added a new headers interface to HttpResponse.
2020-09-14 08:41:59 +02:00
Kevin Michel
825ce75fae
Fixed #31928 -- Fixed detecting an async get_response in various middlewares.
...
SecurityMiddleware and the three cache middlewares were not calling
super().__init__() during their initialization or calling the required
MiddlewareMixin._async_check() method.
This made the middlewares not properly present as coroutine and
confused the middleware chain when used in a fully async context.
Thanks Kordian Kowalski for the report.
2020-08-28 12:33:15 +02:00
Adam Johnson
d17b380653
Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and comments.
2020-05-04 12:10:47 +02:00
Colton Hicks
f283ffaa84
Fixed #28699 -- Fixed CSRF validation with remote user middleware.
...
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
Ram Rachum
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens.
2020-02-25 14:16:19 +01:00
Claude Paroz
4d973f5939
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
...
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Flavio Curella
d08d4f464a
Fixed #30765 -- Made cache_page decorator take precedence over max-age Cache-Control directive.
2020-01-16 13:39:16 +01:00
Hasan Ramezani
e3d0b4d550
Fixed #30899 -- Lazily compiled import time regular expressions.
2019-10-29 09:22:26 +01:00
Sergey Fedoseev
0315c18fe1
Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting.
2019-10-23 08:18:48 +02:00
Nick Pope
406dba04e1
Fixed #29406 -- Added support for Referrer-Policy header.
...
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
Claude Paroz
05d0eca635
Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.
2019-09-09 08:15:26 +02:00
Jon Dufresne
8b3f1c35dd
Removed unnecessary assignments in various code.
2019-04-24 13:09:29 +02:00
Brad
ad72895c60
Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS.
...
Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS.
2019-03-30 09:02:57 -04:00
Jon Dufresne
7785e03ba8
Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
...
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
Artur Juraszek
817c6cdf0e
Capitalized SecurityMiddleware headers for consistency with other headers.
...
(No behavior change since HTTP headers are case insensitive.)
2018-10-30 18:30:51 -04:00
Michal Čihař
22e8ab0286
Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
2018-09-08 11:46:13 -04:00
Andreas Hug
a656a68127
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-08-01 09:28:42 -04:00
Samir Shah
10b44e4525
Fixed #26688 -- Fixed HTTP request logging inconsistencies.
...
* Added logging of 500 responses for instantiated responses.
* Added logging of all 4xx and 5xx responses.
2018-05-04 20:55:03 -04:00
Alex Gaynor
9a56b4b13e
Fixed #27863 -- Added support for the SameSite cookie flag.
...
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
Mariusz Felisiak
362813d628
Fixed hanging indentation in various code.
2018-03-16 10:54:34 +01:00
Tomer Chachamu
7ec0fdf62a
Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host.
2018-02-14 20:24:01 -05:00
shanghui
d968788b57
Fixed #28833 -- Prevented CacheMiddleware from caching responses with "Cache-Control: private".
2018-02-06 09:42:05 -05:00
Дилян Палаузов
d7b2aa24f7
Fixed #28982 -- Simplified code with and/or.
2018-01-03 20:12:23 -05:00
Дилян Палаузов
23bf4ad87f
Fixed #28795 -- Removed 'not in' checks and used dict.setdefault().
2017-11-14 10:52:52 -05:00
Tim Graham
8f8a4d10d3
Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.
...
Follow up to 48d57788ee
.
2017-11-11 20:45:17 -05:00
Tim Graham
48d57788ee
Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline.
2017-09-22 12:51:18 -04:00
Florian Apolloner
c4c128d67c
Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
...
Regression in eef95ea96f
.
2017-09-20 16:22:18 -04:00
Anton Samarchyan
86de930f41
Refs #27656 -- Updated remaining docstring verbs according to PEP 257.
2017-03-04 10:02:06 -05:00
Asif Saifuddin Auvi
5f3a689f71
Imported django.http classes instead of django.http.
2017-02-27 14:47:11 -05:00
Claude Paroz
c688336ebc
Refs #23919 -- Assumed request COOKIES and META are str
2017-01-30 14:13:29 +01:00
Claude Paroz
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
Raphael Michel
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
Krzysztof Urbaniak
b8a815e9df
Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with prefix_default_language=False.
2016-11-29 13:06:35 -05:00
Sven Engström
f46a838efc
Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash.
2016-11-06 10:38:36 +01:00
Adam Malinowski
37809b891e
Fixed #27346 -- Stopped setting the Content-Length header in ConditionalGetMiddleware.
2016-11-05 22:24:54 +01:00
Kevin Christopher Henry
2327fad54e
Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.
2016-10-17 16:11:53 -04:00
Tim Graham
61f9243e51
Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.
2016-10-14 12:48:03 -04:00
Kevin Christopher Henry
ad332e5ca9
Refs #19705 -- Made GZipMiddleware make ETags weak.
...
Django's conditional request processing can now produce 304 Not Modified
responses for content that is subject to compression.
2016-10-13 14:22:54 -04:00
Denis Cornehl
a840710e1e
Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ConditionalGetMiddleware.
2016-10-10 14:55:59 -04:00