Commit Graph

342 Commits

Author SHA1 Message Date
Vinay Karanam 4a246a02bd Refs #17235 -- Made MultiPartParser leave request.POST immutable. 2016-12-07 08:28:46 -05:00
Anton Samarchyan 05d2c5a66d Fixed #27181 -- Allowed contrib.sites to match domains with trailing ".". 2016-11-29 18:17:10 -05:00
PREMANAND 371adc472a Fixed #27156 -- Made changing HttpRequest.encoding clear GET. 2016-11-17 12:46:42 -05:00
Ramin Farajpour Cami 967be82443 Fixed E305 flake8 warnings. 2016-11-14 12:30:46 -05:00
Tim Graham 7fe2d8d940 Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
2016-11-01 09:30:57 -04:00
Claude Paroz 2ced2f785d Replaced smart_* by force_* calls whenever possible
The smart_* version should only be used when a lazy string should keep
its lazy status.
2016-09-03 13:46:41 +02:00
Ryan Allen 190d2ff4a7 Fixed #27153 -- Added validation for HttpResponse status. 2016-08-30 21:59:43 -04:00
Tim Graham ff0a5aff4f Fixed #27046 -- Supported IPv6-formatted IPv4 addresses in host validation.
Thanks LaMont Jones for the report and patch.
2016-08-11 13:54:39 -04:00
Tim Graham 5c63b3e5a7 Fixed #27005 -- Fixed crash if request.META[''CONTENT_LENGTH']=''. 2016-08-03 13:12:40 -04:00
Ville Skyttä 96f97691ad Fixed broken links in docs and comments. 2016-06-15 21:20:23 -04:00
wim glenn 5ebebd1159 Fixed #26707 -- Added QueryDict.fromkeys() 2016-06-06 08:54:25 -04:00
Jon Dufresne a8f957797d Fixed comment typo in multiparser.py 2016-06-05 16:36:59 -04:00
Asif Saifuddin Auvi dc88516e5b Made style improvements to multipartparser.py 2016-06-04 11:06:25 -04:00
Andre Cruz 929684d6ee Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
Thanks Tom Christie for review.
2016-05-12 10:17:52 -04:00
Tim Graham 086510fde0 Removed HTTP prefixed CONTENT_TYPE/LENGTH headers in MultiPartParser.
The docs say that these headers always appear without the HTTP_ prefix.
This may have been an oversight when they were added in
d725cc9734, the only commit that uses
these names.
2016-05-06 10:30:03 -04:00
Tim Graham ead21a1949 Refs #22897 -- Removed unneeded empty string QueryDict argument. 2016-05-03 12:04:08 -04:00
Tim Graham bb0b4b705b Fixed #26052 -- Moved conditional_content_removal() processing to the test client. 2016-04-25 07:56:07 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
Collin Anderson 93a135d111 Fixed #26158 -- Rewrote http.parse_cookie() to better match browsers. 2016-03-15 12:24:06 -04:00
Tim Graham 59df07738c Simplified _cookie_allows_colon_in_names condition. 2016-03-14 18:58:49 -04:00
Tim Graham 2f81f466a8 Removed a workaround for a cookie encoding bug [1] in Python < 2.7.2.
[1] http://bugs.python.org/issue9824
2016-03-14 18:58:49 -04:00
John-Mark Bell 4b129ac81f Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string. 2016-03-07 13:19:39 -05:00
Curtis Maloney 6f1318734f Fixed #26014 -- Added WSGIRequest content_type and content_params attributes.
Parsed the CONTENT_TYPE header once and recorded it on the request.
2016-02-10 18:19:23 -05:00
userimack 60586dd737 Fixed #26125 -- Fixed E731 flake warnings. 2016-01-25 14:23:43 -05:00
Johannes Hoppe 5233b70070 Fixed #25725 -- Made HttpReponse immediately close objects. 2015-12-14 12:46:48 -05:00
Raphael Merx 0a19f8d4fc Fixed #25644 -- Fixed reset cookie expiry date bug.
Setting a cookie with the same name as a previously deleted cookie
would set its expiry date to 'Thu, 01-Jan-1970 00:00:00 GMT'.
2015-11-18 07:47:40 -05:00
Jon Dufresne 05248a1009 Fixed #25576 -- Added IOBase methods required by TextIOWrapper to HttpResponse. 2015-10-21 10:42:29 -04:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Vlastimil Zíma cf29b6b561 Fixed #25099 -- Fixed crash in AdminEmailHandler on DisallowedHost. 2015-09-04 09:24:21 -04:00
Maxime Lorant 5153a3bfdc Fixed #25331 -- Removed trailing blank lines in docstrings. 2015-08-31 17:37:21 -04:00
Sambhav Satija d0bd533043 Fixed #25254 -- Added JsonResponse json_dumps_params parameter. 2015-08-12 10:39:07 -04:00
Matt Robenolt 4dcfbd7923 Fixed #25211 -- Added HttpRequest.get_port() and USE_X_FORWARDED_PORT setting. 2015-08-04 09:50:57 -04:00
Keryn Knight c96f11257b Refs #24121 -- Added meaningful repr() to HttpResponse and subclasses. 2015-07-15 09:01:25 -04:00
Vlastimil Zíma 8f8c54f70b Fixed #25099 -- Cleaned up HttpRequest representations in error reporting. 2015-07-13 19:22:39 -04:00
Tim Graham 7da3923ba0 Sorted imports in __init__.py files. 2015-06-27 11:53:33 -04:00
Tim Graham 3f2de80318 Refs #23763 -- Fixed Python 3.5 PendingDeprecationWarning in LazyStream.
Fixed "PendingDeprecationWarning: generator 'LazyStream.read.<locals>.parts'
raised StopIteration" per PEP 0479.
2015-06-17 06:55:16 -04:00
Piotr Jakimiak 4157c502a5 Removed unnecessary arguments in .get method calls 2015-05-13 20:51:18 +02:00
Bas Peschier 9128762f16 Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
2015-03-26 09:26:55 -04:00
Claude Paroz a0c2eb46dd Fixed #23960 -- Removed http.fix_location_header
Thanks Carl Meyer for the report and Tim Graham for the review.
2015-03-18 18:22:50 +01:00
Jon Dufresne d861f95c44 Fixed #24139 -- Changed HttpResponse.reason_phrase to evaluate based on status_code. 2015-03-12 20:18:06 -04:00
Rik ccff08c194 Fixed #24463 -- Removed mod_python functionality from HttpRequest._get_scheme() 2015-03-11 14:35:25 -04:00
Claude Paroz efb1f99f94 Fixed #20889 -- Prevented BadHeaderError when Python inserts newline
Workaround for http://bugs.python.org/issue20747.
In some corner cases, Python 2 inserts a newline in a header value
despite `maxlinelen` passed in Header constructor.
Thanks Tim Graham for the review.
2015-02-19 20:18:31 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Matthew Somerville 250aa7c39b Fixed #24240 -- Allowed GZipping a Unicode StreamingHttpResponse
make_bytes() assumed that if the Content-Encoding header is set, then
everything had already been dealt with bytes-wise, but in a streaming
situation this was not necessarily the case.

make_bytes() is only called when necessary when working with a
StreamingHttpResponse iterable, but by that point the middleware has
added the Content-Encoding header and thus make_bytes() tried to call
bytes(value) (and dies). If it had been a normal HttpResponse,
make_bytes() would have been called when the content was set, well
before the middleware set the Content-Encoding header.

This commit removes the special casing when Content-Encoding is set,
allowing unicode strings to be encoded during the iteration before they
are e.g. gzipped. This behaviour was added a long time ago for #4969 and
it doesn't appear to be necessary any more, as everything is correctly
made into bytes at the appropriate places.

Two new tests, to show that supplying non-ASCII characters to a
StreamingHttpResponse works fine normally, and when passed through the
GZip middleware (the latter dies without the change to make_bytes()).
Removes the test with a nonsense Content-Encoding and Unicode input - if
this were to happen, it can still be encoded as bytes fine.
2015-02-03 18:18:12 +01:00
Jon Dufresne 24b2bc635e Fixed #24137 -- Switched to HTTP reason phrases from Python stdlib. 2015-01-28 06:59:40 -05:00
Raul Cumplido ac650d02cb Fixed #24209 -- Prevented crash when parsing malformed RFC 2231 headers
Thanks Tom Christie for the report and review.
2015-01-27 20:12:22 +01:00
Collin Anderson a9aec1154e Closed files in FileResponse; refs #24072 2015-01-05 14:54:55 -05:00
Collin Anderson 3d2cae0896 Fixed #24072 -- Added FileResponse for streaming binary files. 2015-01-05 10:51:52 -05:00
Sergey Parkhomenko 059c9ab24c Fixed #23977 -- Added setdefault() method to HttpResponse 2014-12-11 13:56:56 -05:00
Jon Dufresne 4468c08d70 Fixed #23968 -- Replaced list comprehension with generators and dict comprehension 2014-12-08 07:58:23 -05:00
Matt Robenolt 80facd7a0f Removed unused variable django.http.request.absolute_http_url_re 2014-11-24 07:01:55 -05:00
Berker Peksag 788fa9fffa Fixed #12098 -- Simplified HttpRequest.__repr__(). 2014-11-20 08:45:11 -05:00
Tim Graham 42b5e4feea Fixed #23730 -- Moved support for SimpleCookie HIGHEST_PROTOCOL pickling to http.cookie.
This fix is necessary for Python 3.5 compatibility (refs #23763).

Thanks Berker Peksag for review.
2014-11-12 19:04:45 +01:00
Michael Kelly ebc8e79cf3 Fixed #18523 -- Added stream-like API to HttpResponse.
Added getvalue() to HttpResponse to return the content of the response,
along with a few other methods to partially match io.IOBase.

Thanks Claude Paroz for the suggestion and Nick Sanford for review.
2014-11-03 12:29:19 -05:00
Unai Zalakain c548c8d0d1 Fixed #18456 -- Added path escaping to HttpRequest.get_full_path(). 2014-11-03 07:59:19 -05:00
Jason Hobbs e1424b2370 Fixed #23397 -- Stripped whitespace from base64 during chunking
This insures the actual base64 content has a length a multiple of 4.
Also added a test case for the failure.
2014-09-13 19:06:21 +02:00
Tim Graham 1101467ce0 Limited lines to 119 characters in django/
refs #23395.
2014-09-05 09:22:16 -04:00
Unai Zalakain 5f2542f12a Fixed #10190 -- Made HttpResponse charset customizable.
Thanks to Simon Charette, Aymeric Augustin, and Tim Graham
for reviews and contributions.
2014-08-19 17:34:38 -04:00
Claude Paroz fa02120d36 Fixed #22996 -- Prevented crash with unencoded query string
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
2014-08-19 22:29:31 +02:00
Collin Anderson 230393e5e8 Fixed #23295 -- Removed unnecessary fix_location_header request.get_host() check. 2014-08-15 14:59:36 -04:00
Claude Paroz b42e5ca058 Fixed #22971 -- Properly parsed RFC 2388 encoded headers
Thanks homm for the report, Cea Stapleton for patch improvements
and Ian Cordasco, Christian Schmitt and Tim Graham for the review.
2014-08-14 11:45:43 +02:00
qingfeng 0d23450e81 Fixed #19802 -- Fixed HttpResponse.set_cookie() with unicode data on Python 2.
Thanks django at patrickbregman.eu for the report.
2014-08-03 12:50:25 -04:00
Daniel Hahler fff7b507ef Added a space before explanation of "Invalid HTTP_HOST header: ..." 2014-07-05 20:18:52 -04:00
Duncan Parkes fd4ccd045c Fixed #22799 -- Made GET and POST on HttpRequest QueryDicts, and FILES a MultiValueDict.
Previously, GET, POST, and FILES on an HttpRequest were created in
the __init__ method as dictionaries. This was not something you would
usually notice causing trouble in production as you'd only see a
WSGIRequest, but in testing using the test client, calling .getlist
on GET, POST, or FILES for a request with no get/post data resulted in
an AttributeError.

Changed GET and POST on an HttpRequest object to be mutable
QueryDicts (mutable because the Django tests, and probably many
third party tests, were expecting it).
2014-06-24 22:03:22 -04:00
Duncan Parkes d68987ae25 Fixed #22897 -- Made QueryDict query_string argument optional.
Now QueryDict() is equivalent to QueryDict('') or QueryDict(None).
2014-06-24 22:02:03 -04:00
Duncan Parkes 7f4e2ef1e9 Improved documentation for QueryDict. 2014-06-24 21:40:21 -04:00
Yazhong Liu 97adfc2bf8 Added HTTP 308 status and its description. 2014-06-20 13:35:59 -04:00
Florian Apolloner e2efc8965e Fixed #22680 -- I/O operation on closed file.
This patch is two-fold; first it ensure that Django does close everything in
request.FILES at the end of the request and secondly the storage system should
no longer close any files during save, it's up to the caller to handle that --
or let Django close the files at the end of the request.
2014-06-11 08:57:30 +02:00
Unai Zalakain 11284a63d4 Fixed #18314 -- Corrected request.build_absolute_uri() handling of paths starting with //
``HttpRequest.build_absolute_uri()`` now correctly handles paths starting with ``//``.
``WSGIRequest`` now doesn't remove all the leading slashes either,
because ``http://test/server`` and http://test//server`` aren't the same thing
(RFC2396).

Thanks to SmileyChris for the initial patch.
2014-06-07 08:59:02 -04:00
mbacho 8a9d54aa69 Fixed typo in multipartparser.py 2014-05-16 05:34:40 -04:00
Aymeric Augustin 3800f63721 Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
2014-05-14 10:19:48 +02:00
Alex Gaynor 2bcb8bfc8d Fix many many typos in comments throughout the codebase 2014-04-26 10:18:45 -07:00
Tim Graham 981b864fbd Replaced urllib/urlparse imports with from django.utils.six.moves. 2014-03-31 07:54:22 -04:00
Rodolfo Carvalho 0d91225892 Fixed many typos in comments and docstrings.
Thanks Piotr Kasprzyk for help with the patch.
2014-03-03 07:38:09 -05:00
Lukasz Balcerzak 0242134d32 Fixed #17942 -- Added a JsonResponse class to more easily create JSON encoded responses.
Thanks leahculver for the suggestion and Erik Romijn,
Simon Charette, and Marc Tamlyn for the reviews.
2014-02-14 18:25:19 -05:00
Martin Matusiak 63ff03c4ec Fixed typo in docstring. 2014-01-16 22:34:35 +01:00
Loic Bistuer 6685713869 Fixed E127 pep8 warnings. 2013-12-14 11:59:15 -05:00
Christopher Medrela 7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Aymeric Augustin a480f8320a Simplified iteration in HTTP response objects.
Fixed #20187 -- Allowed repeated iteration of HttpResponse.

All this became possible when support for old-style streaming responses was
finally removed.
2013-11-23 17:03:43 +01:00
Baptiste Mispelon ceecc962ad Fixed #21447 -- Restored code erroneously removed in 20472aa827.
Also added some tests for HttpRequest.__repr__.
Note that the added tests don't actually catch the accidental code
removal (see ticket) but they do cover a codepath that wasn't tested
before.

Thanks to Tom Christie for the report and the original patch.
2013-11-16 01:09:35 +01:00
Alex Gaynor 10a09b8e60 Fixed the use of the -ise suffix, where -ize is prefered 2013-11-15 05:23:14 -08:00
Alex Gaynor c347f78cc1 Fixed all E226 violations 2013-11-03 10:08:55 -08:00
Milton Mazzarri cbc7cbbc5b Fixed flake8 E251 violations 2013-11-03 03:22:11 -06:00
Alex Gaynor fe995e6cbd Fixed the remaining E302 violations int eh django package 2013-11-02 17:37:15 -07:00
coagulant 3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Tim Graham 36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Alex Gaynor f2d8027c9a Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) 2013-10-26 10:50:40 -07:00
Claude Paroz c052699be3 Fixed #20338 -- Stripped ending dot during host validation
Thanks manfre for the report and Timo Graham for the review.
2013-10-24 21:24:04 +02:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Alasdair Nicol a800036981 Fixed #21287 -- Fixed E123 pep8 warnings 2013-10-18 10:07:39 +01:00
Claude Paroz a14f087233 Fixed #21282 -- Made HttpResponse.serialize_headers accept latin-1
Thanks Raphaël Barrois for the report and the initial patch and
Aymeric Augustin for the review.
2013-10-17 18:14:35 +02:00
Unai Zalakain c7634cd7fe Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.

`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.

`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.

This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.

Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham 58d555caf5 Fixed #16822 -- Added RawPostDataException
Thanks jaylett for the patch.
2013-10-08 08:05:39 -04:00
Baptiste Mispelon 20472aa827 Fixed #21189: Cleaned up usage of bare except clauses.
Thanks to berkerpeksag for the report and to claudep
for the review.
2013-10-05 11:50:03 +02:00
e0ne f2a4452882 Fixed #18403 -- Initialized bad_cookies in SimpleCookie
Thanks Stefano Crosta for the report.
2013-09-10 08:26:54 -04:00
Daniel Boeve 6dca603abb Fixed #20889 -- Prevented email.Header from inserting newlines
Passed large maxlinelen to email.Header to prevent newlines from being
inserted into value returned by _convert_to_charset

Thanks mjl at laubach.at for the report.
2013-09-09 08:47:41 -04:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00
Claude Paroz f4e9804567 Fixed #20961 -- Fixed HttpResponse default empty content
Thanks epandurski at gmail.com for the report.
2013-08-24 18:10:12 +02:00
Will Hardy 1c3c21b38d Fixed #19987 -- Disabled host validation when DEBUG=True.
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
2013-07-31 10:38:59 -04:00