Claude Paroz
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
Raphael Michel
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
Krzysztof Urbaniak
b8a815e9df
Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with prefix_default_language=False.
2016-11-29 13:06:35 -05:00
Sven Engström
f46a838efc
Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash.
2016-11-06 10:38:36 +01:00
Adam Malinowski
37809b891e
Fixed #27346 -- Stopped setting the Content-Length header in ConditionalGetMiddleware.
2016-11-05 22:24:54 +01:00
Kevin Christopher Henry
2327fad54e
Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.
2016-10-17 16:11:53 -04:00
Tim Graham
61f9243e51
Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.
2016-10-14 12:48:03 -04:00
Kevin Christopher Henry
ad332e5ca9
Refs #19705 -- Made GZipMiddleware make ETags weak.
...
Django's conditional request processing can now produce 304 Not Modified
responses for content that is subject to compression.
2016-10-13 14:22:54 -04:00
Denis Cornehl
a840710e1e
Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ConditionalGetMiddleware.
2016-10-10 14:55:59 -04:00
Rinat Khabibiev
f9702977b7
Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 Not Modified" responses.
2016-09-14 19:37:18 -04:00
Kevin Christopher Henry
4ef0e019b7
Fixed #27083 -- Added support for weak ETags.
2016-09-10 08:14:52 -04:00
Ed Morley
3c2447dd13
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
2016-08-10 20:23:54 -04:00
andrewnester
20d39325ca
Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response has Cache-Control: no-store.
2016-07-15 15:34:00 -04:00
Claude Paroz
9588718cd4
Fixed #5897 -- Added the Content-Length response header in CommonMiddleware
...
Thanks Tim Graham for the review.
2016-06-27 10:44:57 +02:00
Carl Meyer
7d1b69dbe7
Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware exception handling.
2016-06-17 10:00:39 -07:00
Tim Graham
563d534d33
Removed an unused logger in middleware/common.py
2016-06-04 12:01:44 -04:00
Holly Becker
55fec16aaf
Fixed #26628 -- Changed CSRF logger to django.security.csrf.
2016-06-04 10:17:06 -04:00
Tim Graham
546649f2d6
Fixed some newlines in imports per isort.
2016-05-19 11:05:44 -04:00
Shai Berger
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Florian Apolloner
9baf692a58
Fixed #26601 -- Improved middleware per DEP 0005.
...
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
Florian Apolloner
05c888ffb8
Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware.
2016-05-17 07:20:56 -04:00
Vasiliy Faronov
ac77c55bc5
Fixed #26567 -- Updated references to obsolete RFC2616.
...
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham
df8d8d4292
Fixed E128 flake8 warnings in django/.
2016-04-08 09:51:06 -04:00
Tim Graham
2cd2d18851
Fixed W503 flake8 warnings.
2016-04-04 17:14:26 -04:00
ieatkittens
9390da7fb6
Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and APPEND_SLASH independently.
2016-03-23 09:23:19 -04:00
Krzysztof Urbaniak
85a4844f8a
Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with HTTP_ACCEPT_LANGUAGE header.
2016-03-10 10:51:55 -05:00
harikrishnakanchi
74670498e9
Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.
...
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then
BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08 09:21:42 -05:00
Krzysztof Urbaniak
839a955d08
Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().
2016-03-08 08:14:10 -05:00
Simon Charette
d0451e4cad
Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.
...
Thanks Tim for the review.
2016-03-03 12:08:49 -05:00
Liam Brenner
182f98c4c7
Fixed typo in django/middleware/common.py docstring.
2016-02-09 08:06:26 -05:00
chemary
2d28144c95
Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).
2016-01-20 18:19:24 -05:00
Denis Cornehl
186b6c61bf
Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
...
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Marten Kenbeek
16411b8400
Fixed #26013 -- Moved django.core.urlresolvers to django.urls.
...
Thanks to Tim Graham for the review.
2015-12-31 14:21:29 -05:00
Derek J. Curtis
6be9589eb3
Fixed #25900 -- Fixed regression in CommonMiddleware ETag support.
2015-12-10 13:51:07 -05:00
Aymeric Augustin
11f10b70f3
Fixed #25302 (again) -- Ignored scheme when checking for bad referers.
...
The check introduced in 4ce433e
was too strict in real life. The poorly
implemented bots this patch attempted to ignore are sloppy when it comes
to http vs. https.
2015-11-26 21:27:12 +01:00
Matt Robenolt
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Joshua Kehn
ab26b65b2f
Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
...
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
Maxime Lorant
4ce433e811
Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s when Referer = URL.
2015-08-24 19:35:49 -04:00
Denis Cornehl
7a40fef17a
Fixed #24935 -- Refactored common conditional GET handling.
2015-08-15 09:08:45 -04:00
Claude Paroz
64982cc2fb
Updated Wikipedia links to use https
2015-08-08 12:02:32 +02:00
Jay Cox
434d309ef6
Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in CommonMiddleware.
...
This speeds up affected requests by about 5%.
2015-07-31 12:04:06 -04:00
sujayskumar
2e70bf3785
Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response
2015-06-27 08:46:23 -04:00
Piotr Jakimiak
4157c502a5
Removed unnecessary arguments in .get method calls
2015-05-13 20:51:18 +02:00
Jay Cox
eef95ea96f
Fixed #24696 -- Made CSRF_COOKIE computation lazy.
...
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changed result of the “test_token_node_no_csrf_cookie” test: It gets
a valid CSRF token now which seems like the correct behavior.
Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
Oliver A Bristow
4cd727095d
Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddleware
2015-04-21 22:02:04 +02:00
Bas Peschier
9128762f16
Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.
...
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
2015-03-26 09:26:55 -04:00
Claude Paroz
a0c2eb46dd
Fixed #23960 -- Removed http.fix_location_header
...
Thanks Carl Meyer for the report and Tim Graham for the review.
2015-03-18 18:22:50 +01:00
Grzegorz Slusarek
668d53cd12
Fixed #21495 -- Added settings.CSRF_HEADER_NAME
2015-03-05 15:03:40 -05:00
Claude Paroz
80be597a7b
Fixed #24360 -- Delayed internal LocaleMiddleware variable initialization
...
Failing in a middleware `__init__` is preventing proper debug view.
2015-03-02 20:06:24 +01:00