Commit Graph

130 Commits

Author SHA1 Message Date
Tim Graham 1101467ce0 Limited lines to 119 characters in django/
refs #23395.
2014-09-05 09:22:16 -04:00
Florian Apolloner 28e765810d Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
2014-08-20 14:39:40 -04:00
Claude Paroz e167e96cfe Fixed #22223 -- Prevented over-escaping URLs in reverse()
And follow more closely the class of characters defined in the
RFC 3986.
Thanks Erik van Zijst for the report and the initial patch, and
Tim Graham for the review.
2014-07-09 09:54:34 +02:00
Anubhav Joshi 7f76251fb7 Refactored common code in handlers/base.py and urlresolvers.py 2014-06-23 15:27:25 -04:00
Tim Graham 4445d36d47 Fixed #22384 -- Deprecated reversing URLs by dotted path. 2014-06-03 07:30:14 -04:00
Kevin Christopher Henry 91afc00513 Fixed #21157 -- Fixed problems with ResolverMatch
- Fixed bug in get_callable() that caused resolve() to put a string
  in ResolverMatch.func.
- Made ResolverMatch.url_name match the actual url name (or None).
- Updated tests that used the string value in ResolverMatch.func, and
  added regression tests for this bug.
- Corrected test urls whose dummy view paths caused failures (behavior
  that was previously masked by this bug).
2014-04-23 20:12:34 -04:00
Preston Timmons 3c06b2f2a3 Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
Regression in 8b93b31487.

Thanks rcoup for the report.
2014-04-23 07:27:52 -04:00
Tim Graham 8b93b31487 Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.
2014-04-21 18:11:26 -04:00
Athena 5d568bcfa6 Fixed #7571 -- Fixed parameter matching in include()'d urlpattern
Fixed URL resolving in the case where an outer regex includes an inner
regex and both regexes use positional parameters instead of named
groups, causing the outer regex's parameters to override the inner
regex's.

Modified the regex url resolver so that it concatenates and then
normalizes, instead of normalizing and then concatenating.
2014-03-05 00:35:03 +01:00
Baptiste Mispelon 173aa51997 Fixed #21435 -- Improved error message when urlconf is empty.
The new error message now hints that the most likely issue
is a circular import.

Thanks to trac user elena for the report and to
bpeschier for the original patch.
2014-02-22 15:36:49 +01:00
Alex Gaynor cd7f37b647 Corrected a pair of flake8 violations 2014-02-15 10:42:12 -08:00
Grzegorz Nosek 0b6f9f7c6f Improved fix for #18373 -- backward compatibility
Commit 79558c78 cleaned up the (undocumented) interface of Resolver404
exception, which breaks compatibility with code messing with .args[0]
directly. Revert the cleanup part and simply leave the fix itself.
2014-02-15 17:51:18 +01:00
Tim Graham 65b421c661 Fixed some flake8 errors from recent commits. 2014-02-15 11:21:15 -05:00
Grzegorz Nosek 79558c787e Fixed #18373 - improved handling of Resolver404s from views
When django.core.urlresolvers.resolve was called from a view, failed
and the exception was propagated and rendered by technical_404_response,
the URL mentioned on the page was the current URL instead of the URL
passed to resolve().

Fixed by using the path attribute from the Resolver404 exception instead
of request.path_info. Also cleaned up the exceptions to use standard
named parameters instead of stuffing a dict in args[0]
2014-02-15 15:56:04 +01:00
Tim Graham 8251438cb8 Moved relative URL handling added in refs #21177 to a better place.
Thanks apollo13: "reverse() shouldn't know about absolute/relative paths."
2014-02-15 07:54:35 -05:00
Antoine Catton e3d0790bd0 Fixed #21177 -- Made resolve_url support relative URLs.
This fixes redirecting to relative URLs with django.shortcuts.redirect.
2014-02-14 17:58:03 -05:00
Loic Bistuer 6685713869 Fixed E127 pep8 warnings. 2013-12-14 11:59:15 -05:00
Bouke Haarsma 9b7455e918 Fixed #21351 -- Replaced memoize with Python's lru_cache.
Replaced the custom, untested memoize with a similar decorator from Python's
3.2 stdlib. Although there is some minor performance degradation (see ticket), it is
expected that in the long run lru_cache will outperform memoize once it is
implemented in C.

Thanks to EvilDMP for the report and Baptiste Mispelon for the idea of
replacing memoize with lru_cache.
2013-11-11 08:53:09 +01:00
Alex Gaynor c347f78cc1 Fixed all E226 violations 2013-11-03 10:08:55 -08:00
coagulant 3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Alex Gaynor b35ff0d920 Fixed all the E203 violations 2013-10-26 18:27:42 -07:00
Alasdair Nicol bab9123daa Fixed #21268 -- Fixed E303 pep8 warnings 2013-10-18 01:46:24 +01:00
Dan Johnson df462cf760 Fixed #21043 -- Made resolve() handle reverse_lazy objects.
Thanks Keryn Knight for the report.
2013-09-06 15:46:43 -04:00
Simon Charette 11cd7388f7 Fixed #20989 -- Removed useless explicit list comprehensions. 2013-08-30 10:57:51 -04:00
Claude Paroz fdd7a355bf Deprecated django.utils.importlib
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Wilfred Hughes 8365ed08b8 Fixed #17076 -- When reversing a URL fails, inform the user which patterns were tried. 2013-06-14 10:26:30 +01:00
Anssi Kääriäinen 369b6fab25 Fixed #18169 -- NoReverseMatch not silenced if from block.super 2013-06-01 00:59:04 +03:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Aymeric Augustin 31b5275235 Fixed #13260 -- Quoted arguments interpolated in URLs in reverse. 2013-03-18 23:58:22 +01:00
Baptiste Mispelon 4fa7f3cdd9 Fix #20022: Correctly handle prefixes with url-unsafe characters in reverse(). 2013-03-13 18:19:29 +01:00
Aymeric Augustin a44531ae15 Fixed #18862 -- Honored script prefix in FlatPage.get_absolute_url. 2013-02-24 13:27:13 +01:00
Claude Paroz c91667338a Fixed #19357 -- Allow non-ASCII chars in filesystem paths
Thanks kujiu for the report and Aymeric Augustin for the review.
2012-12-08 11:13:52 +01:00
Gabriel Hurley 90e530978d Fixed #18210 -- Escaped special characters in reverse prefixes.
Ensured that special characters passed in to reverse via the
prefix argument are properly escaped so that calls to
django.utils.regex_helpers.normalize and/or string formatting
operations don't result in exceptions.

Thanks to toofishes for the error report.
2012-11-03 13:06:57 -07:00
Claude Paroz 28fd876bae Fixed #17892 -- Do not include whole RegexURLPattern lists in RegexURLResolver repr
Thanks milosu for the report and the initial patch.
2012-09-01 22:20:46 +02:00
Claude Paroz ae88e73fa6 Replaced some smart_xxx by force_xxx equivalent
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Florian Apolloner 367bfaa522 Don't swallow AttributeError in core.urlresolvers.get_callable. 2012-08-14 21:23:25 +02:00
Claude Paroz dce34dc969 [py3] Made __repr__ return str with Python 3 2012-08-12 20:45:39 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str object.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin ee191715ea [py3] Fixed access to dict keys/values/items. 2012-08-07 12:00:22 +02:00
Aymeric Augustin bdca5ea345 [py3] Replaced unicode/str by six.text_type/bytes. 2012-07-22 09:29:54 +02:00
Aymeric Augustin 3cb2457f46 [py3] Replaced basestring by six.string_types. 2012-07-22 09:29:54 +02:00
Julien Phalip 2b6644388f Fixed an `except` statement to be Python3-compatible. Thanks to charettes for the tip. 2012-07-21 15:13:55 -07:00
Aymeric Augustin 4ceb9db9d8 Removed u prefix on a unicode string. 2012-07-21 22:38:25 +02:00
Julien Phalip 1af0271d7c Fixed #6170 -- Ensured that a useful exception is raised when a regex is invalid in the URLConf.
Thanks to abrahamson.j for the report, to guettli for initial work on the patch, and to David Gouldin for the new patch and test.
2012-07-21 13:30:34 -07:00
Claude Paroz 4a103086d5 Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00
Claude Paroz 2daf1ae8b9 Stopped converting match dict keys to bytestrings when resolving URLs.
Test suite is passing, but if any regression would be detected,
we might replace smart_str by force_unicode.
2012-05-24 13:51:18 +02:00
Claude Paroz 3904b74a3f Fixed #18013 -- Use the new 'as' syntax for exceptions.
Thanks Clueless for the initial patch.
Note that unittest has been purposely left out (external package only used by Python 2.6).
2012-04-29 20:57:15 +02:00
Jannis Leidel 746987f916 Fixed #17734 -- Made sure to only redirect translated URLs if they can actually be resolved to prevent unwanted redirects. Many thanks to Orne Brocaar and Anssi Kääriäinen for input.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17621 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02 11:07:36 +00:00
Gabriel Hurley a0721a3017 Fixed #15900 -- Calls to reverse with nested namespaced urls are escaped properly and capture parameters as expected.
Thanks to teolicy for the report, and dmclain for the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17251 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-22 23:03:48 +00:00