Michael Manfre
03eec9ff6c
Updated vendored _urlsplit() to strip newline and tabs.
...
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Mehrdad
d4d5427571
Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
...
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7
Refs #33173 -- Removed use of deprecated cgi module.
...
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
django-bot
9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
Ad Timmering
bdf3e156b4
Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.
2022-01-07 12:25:06 +01:00
Nick Pope
d06c5b3581
Fixed #32366 -- Updated datetime module usage to recommended approach.
...
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Mariusz Felisiak
ec0ff40631
Fixed #32355 -- Dropped support for Python 3.6 and 3.7
2021-02-10 10:20:54 +01:00
Mariusz Felisiak
9e456f3166
Refs #30747 -- Removed django.utils.http.is_safe_url() per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
88ed1c8d08
Refs #27753 -- Removed django.utils.http urllib aliases per deprecation timeline.
2021-01-14 17:50:04 +01:00
Nick Pope
fd209f62f1
Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8.
2020-09-03 14:24:42 +02:00
Jon Dufresne
d6aff369ad
Refs #30116 -- Simplified regex match group access with Match.__getitem__().
...
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
Hasan Ramezani
e3d0b4d550
Fixed #30899 -- Lazily compiled import time regular expressions.
2019-10-29 09:22:26 +01:00
Ad Timmering
7b5f8acb9e
Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
...
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
2019-09-30 14:42:56 +02:00
Carlton Gibson
4f61810751
Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().
2019-09-02 15:32:23 +02:00
swatantra
73ac9e3f04
Fixed #30677 -- Improved error message for urlencode() and Client when None is passed as data.
2019-08-11 20:15:23 +02:00
Simon Charette
df46b329e0
Refs #30485 -- Avoided unnecessary instance checks in urlencode.
...
Given doseq defaults to False it should avoid an unnecessary instance
check in most cases.
2019-05-27 22:00:14 +02:00
Johan Lübcke
0670b1b403
Fixed #30485 -- Adjusted django.utils.http.urlencode for doseq=False case.
2019-05-24 17:15:34 +02:00
Tim Graham
83c2bc52c2
Refs #27753 -- Deprecated django.utils.http urllib aliases.
2019-02-04 18:53:11 -05:00
Tim Graham
958a7b4ca6
Refs #28965 -- Removed utils.http.cookie_date() per deprecation timeline.
2019-01-17 10:52:19 -05:00
Jon Dufresne
6fe9c45b72
Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data.
2018-12-27 11:19:55 -05:00
Jon Dufresne
c82893cb8c
Refs #27795 -- Removed force_bytes() usage from django/utils/http.py.
...
django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.
As the inverse operation, urlsafe_base64_decode() accepts a string.
2018-10-10 14:38:22 -04:00
Andreas Hug
a656a68127
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-08-01 09:28:42 -04:00
Przemysław Suliga
d22b90b4ea
Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.
2018-06-29 10:17:52 -04:00
Jon Dufresne
1e81a4b897
Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url().
2018-01-11 07:03:50 -05:00
Tim Graham
ab7f4c3306
Refs #28965 -- Deprecated unused django.utils.http.cookie_date().
2018-01-02 11:23:04 -05:00
Tim Graham
2b81faab25
Fixed #28906 -- Removed unnecessary bool() calls.
2017-12-07 17:13:07 -05:00
Дилян Палаузов
d2afa5eb23
Fixed #28860 -- Removed unnecessary len() calls.
2017-12-04 10:35:23 -05:00
Tim Graham
f2868f9739
Updated email.Util (Python 2) references to email.utils (Python 3).
2017-10-13 15:36:09 -04:00
François Freitag
41be85862d
Fixed #28679 -- Fixed urlencode()'s handling of bytes.
...
Regression in fee42fd99e
.
Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance.
2017-10-12 09:08:33 -04:00
Tim Graham
96107e2844
Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().
...
Per deprecation timeline.
2017-09-22 12:51:18 -04:00
Tim Graham
6e4c6281db
Reverted "Fixed #27818 -- Replaced try/except/pass with contextlib.suppress()."
...
This reverts commit 550cb3a365
because try/except performs better.
2017-09-07 08:16:21 -04:00
Mads Jensen
550cb3a365
Fixed #27818 -- Replaced try/except/pass with contextlib.suppress().
2017-06-28 14:07:55 -04:00
UmanShahzad
856072dd4a
Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.
2017-05-10 09:02:20 -04:00
Tim Graham
5ea48a70af
Fixed #27912 , CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
...
This is a security fix.
2017-04-04 10:42:06 -04:00
Anton Samarchyan
9718fa2e8a
Refs #27656 -- Updated django.utils docstring verbs according to PEP 257.
2017-02-11 16:11:08 -05:00
Claude Paroz
fee42fd99e
Refs #23919 -- Replaced usage of django.utils.http utilities with Python equivalents
...
Thanks Tim Graham for the review.
2017-01-26 19:49:03 +01:00
Claude Paroz
6e55e1d88a
Refs #23919 -- Replaced six.reraise by raise
2017-01-22 20:08:04 +01:00
Claude Paroz
042b7350a0
Refs #23919 -- Removed unneeded str() calls
2017-01-20 14:13:55 +01:00
Tim Graham
d29fd3f9a6
Fixed django/utils/http.py comment typo.
2017-01-19 13:21:54 -05:00
Claude Paroz
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz
c716fe8782
Refs #23919 -- Removed six.PY2/PY3 usage
...
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
Kevin Christopher Henry
4ef0e019b7
Fixed #27083 -- Added support for weak ETags.
2016-09-10 08:14:52 -04:00
Jon Dufresne
f227b8d15d
Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts
2016-09-07 19:56:25 -07:00
Przemysław Suliga
5e5a17028f
Fixed #26902 -- Allowed is_safe_url() to require an https URL.
...
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-08-19 18:51:33 -04:00
Andre Cruz
929684d6ee
Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
...
Thanks Tom Christie for review.
2016-05-12 10:17:52 -04:00
Vasiliy Faronov
ac77c55bc5
Fixed #26567 -- Updated references to obsolete RFC2616.
...
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham
3913a56558
Removed unused django.utils.http.PROTOCOL_TO_PORT.
...
Unused since b0c56b895f
.
2016-04-06 12:29:20 -04:00
Claude Paroz
552f03869e
Added safety to URL decoding in is_safe_url() on Python 2
...
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218
and ada7a4aef
.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
...
This fixes a regression introduced by c5544d2892
.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00