Commit Graph

203 Commits

Author SHA1 Message Date
Tim Graham 52ef6a4726 Fixed #17101 -- Integrated django-secure and added check --deploy option
Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
2014-09-12 15:05:23 -04:00
Tim Graham fe38be96c1 Fixed #21579 -- Made LocaleMiddleware respect script prefix.
Thanks buettgenbach at datacollect.com for the report and patch.
2014-08-14 09:36:41 -04:00
Tim Graham 815e7a5721 Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
Mark Lavin 79956d0694 Fixed #22440 -- Updated ConditionalGetMiddleware to comply with RFC 2616. 2014-06-13 20:01:35 -04:00
Aymeric Augustin df09d85482 Fixed #17552 -- Removed a hack for IE6 and earlier.
It prevented the GZipMiddleware from compressing some data types even on
more recent version of IE where the corresponding bug was fixed.

Thanks Aaron Cannon for the report and Tim Graham for the review.
2014-06-10 08:42:31 +02:00
Alex Gaynor 1dcc603eff Fixed several typos in Django 2014-05-28 17:39:14 -07:00
Aymeric Augustin c083e3815a Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.
2014-04-21 18:11:26 -04:00
Alex Gaynor 778ce245dd Corrected many style guide violations that the newest version of flake8 catches 2014-03-30 12:11:05 -07:00
Aymeric Augustin 253e8ac29f Removed django.middleware.doc. Refs #20126.
Small doc changes missed in 66076268.
2014-03-21 22:07:39 +01:00
Aymeric Augustin 0f9560855e Removed legacy transaction management per the deprecation timeline. 2014-03-21 21:06:50 +01:00
Tim Graham f567d04b24 Removed settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY per deprecation timeline.
refs #15201.
2014-03-21 09:46:17 -04:00
Tim Graham 11e22129d5 Removed settings.SEND_BROKEN_LINK_EMAILS per deprecation timeline. 2014-03-21 07:15:58 -04:00
Claude Paroz 210d0489c5 Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
2014-03-08 09:57:40 +01:00
Roger Hu 9b729ddd8f Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Bouke Haarsma 2bab9d6d9e Fixed #21389 -- Accept most valid language codes
By removing the 'supported' keyword from the detection methods and only relying
on a cached settings.LANGUAGES, the speed of said methods has been improved;
around 4x raw performance. This allows us to stop checking Python's incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.

HTTP Accept-Language is defined as being case-insensitive, based on this fact
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
2014-02-26 16:58:04 +01:00
Ludwik Trammer 9922ed46e2 Fixed #21473 -- Limited language preservation to logout
Current language is no longer saved to session by LocaleMiddleware
on  every response (the behavior introduced in #14825).
Instead language stored in session is reintroduced into new session
after logout.

Forward port of c558a43fd6 to master.
2013-12-12 10:24:43 +01:00
Christopher Medrela 7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Curtis Maloney ffc37e2343 Fixed #21012 -- New API to access cache backends.
Thanks Curtis Malony and Florian Apolloner.

Squashed commit of the following:

commit 3380495e93
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:18:07 2013 +0100

    Looked up the template_fragments cache at runtime.

commit 905a74f52b
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:19:48 2013 +0100

    Removed all uses of create_cache.

    Refactored the cache tests significantly.

    Made it safe to override the CACHES setting.

commit 35e289fe92
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:23:57 2013 +0100

    Removed create_cache function.

commit 8e274f747a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:04:52 2013 +0100

    Updated docs to describe a simplified cache backend API.

commit ee7eb0f73e
Author: Curtis Maloney <curtis@tinbrain.net>
Date:   Sat Oct 19 09:49:24 2013 +1100

    Fixed #21012 -- Thread-local caches, like databases.
2013-11-23 15:06:59 +01:00
Milton Mazzarri cbc7cbbc5b Fixed flake8 E251 violations 2013-11-03 03:22:11 -06:00
coagulant 3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Tim Graham 36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Bouke Haarsma 6107435386 Fixed #21324 -- Translate CSRF failure view
Thanks to Claude Paroz for the original patch.
2013-11-02 11:22:30 +01:00
Bouke Haarsma 0d0f4f020a Fixed #5789 -- Changed LocaleMiddleware session variable to '_language'.
The old 'django_language' variable will still be read from in order
to migrate users. The backwards-compatability shim will be removed in
Django 1.8.

Thanks to jdunck for the report and stugots for the initial patch.
2013-10-22 09:24:42 -04:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Tim Graham ac4fec5ca2 Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Unai Zalakain c7634cd7fe Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.

`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.

`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.

This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.

Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham cec11a3336 Used "is" for comparisons with None. 2013-10-10 09:35:56 -04:00
Emil Stenström 7a97df190c Fixed #19277 -- Added LocaleMiddleware.response_redirect_class
Thanks ppetrid at yawd.eu for the suggestion.
2013-10-03 16:15:29 -04:00
Curtis Maloney 07876cf02b Deprecated SortedDict (replaced with collections.OrderedDict)
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Aymeric Augustin acd7b34aaf Advanced deprecation warnings for Django 1.7. 2013-06-29 18:49:37 +02:00
Aymeric Augustin ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Ramiro Morales 0fa8d43e74 Replaced `and...or...` constructs with PEP 308 conditional expressions. 2013-05-26 23:47:50 -03:00
Claude Paroz f940e564e4 Fixed #20099 -- Eased subclassing of BrokenLinkEmailsMiddleware
Thanks Ram Rachum for the report and the initial patch, and Simon
Charette for the review.
2013-05-25 12:10:53 +02:00
Vlastimil Zíma 6de81d65f4 Fixed #14825 -- LocaleMiddleware keeps language
* LocaleMiddleware stores language into session if it is not present there.
2013-05-25 10:52:54 +02:00
Andrew Godwin 1514f17aa6 Rotate CSRF token on login 2013-05-24 22:15:08 +01:00
Łukasz Langa 660762681c Fixed #20126 -- XViewMiddleware moved to django.contrib.admindocs.middleware 2013-05-19 13:18:35 +02:00
Łukasz Langa 26e3e7ecb5 Fixed #11915: generic Accept-Language matches country-specific variants 2013-05-19 12:50:09 +02:00
Łukasz Langa bd97f7d0cb Fixed #15201: Marked CACHE_MIDDLEWARE_ANONYMOUS_ONLY as deprecated 2013-05-18 17:38:32 +02:00
Olivier Sels 63a9555d57 Fixed #19436 -- Don't log warnings in ensure_csrf_cookie. 2013-05-18 16:17:46 +02:00
Claude Paroz 8fd44b2551 Fixed #20356 -- Prevented crash when HTTP_REFERER contains non-ascii
Thanks srusskih for the report and Aymeric Augustin for the review.
2013-05-18 12:39:11 +02:00
Aymeric Augustin ac37ed21b3 Deprecated TransactionMiddleware and TRANSACTIONS_MANAGED.
Replaced them with per-database options, for proper multi-db support.

Also toned down the recommendation to tie transactions to HTTP requests.
Thanks Jeremy for sharing his experience.
2013-03-11 15:04:05 +01:00
Aymeric Augustin 3bdc7a6a70 Deprecated transaction.is_managed().
It's synchronized with the autocommit flag.
2013-03-11 14:48:54 +01:00
Aymeric Augustin 7aacde84f2 Made transaction.managed a no-op and deprecated it.
enter_transaction_management() was nearly always followed by managed().

In three places it wasn't, but they will all be refactored eventually.
The "forced" keyword argument avoids introducing behavior changes until
then.

This is mostly backwards-compatible, except, of course, for managed
itself. There's a minor difference in _enter_transaction_management:
the top self.transaction_state now contains the new 'managed' state
rather than the previous one. Django doesn't access
self.transaction_state in _enter_transaction_management.
2013-03-11 14:48:53 +01:00
Aymeric Augustin aa089b106b Fixed #5241 -- Kept active transalation in LocaleMiddleware.process_response. 2013-02-28 14:21:48 +01:00
Łukasz Langa 539900f117 Fixes #17866: Vary: Accept-Language header when language prefix used 2013-02-23 19:41:33 +01:00
Anssi Kääriäinen a4e97cf315 Fixed #19707 -- Reset transaction state after requests 2013-02-10 13:55:54 +02:00
Aymeric Augustin 720888a146 Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Tim Graham ee26797cff Fixed typos in docs and comments 2013-01-29 10:55:55 -07:00
Aymeric Augustin 50a985b09b Fixed #19099 -- Split broken link emails out of common middleware. 2013-01-15 17:41:45 +01:00