innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity
15,610 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

12 Commits

Author SHA1 Message Date
Will Hardy 1c3c21b38d Fixed #19987 -- Disabled host validation when DEBUG=True. 
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated, this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
 2013-07-31 10:38:59 -04:00
Claude Paroz 5c1143910e Removed most of absolute_import imports 
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
 2013-07-29 20:28:13 +02:00
Loic Bistuer 48ce167d89 Fixed missing initializations in WSGIRequest. Refs #20619 2013-06-26 14:36:25 +07:00
Claude Paroz de66b56790 Fixed #18481 -- Wrapped request.FILES read error in UnreadablePostError 
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
 2013-06-01 10:26:46 +02:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation. 
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
 2013-05-25 16:27:34 -07:00
Baptiste Mispelon c250f9c99b Fixed #20038 -- Better error message for host validation. 2013-04-03 14:27:20 -06:00
Aymeric Augustin ce76fbfc5a Fixed #20019 -- Ensured HttpRequest.resolver_match always exists. 
Obviously it isn't set until the URL is resolved.
 2013-03-10 23:28:19 +01:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation. 
This is a security fix; disclosure and advisory coming shortly.
 2013-02-19 11:23:29 -07:00
Aymeric Augustin 4a6490a4a0 Removed HttpRequest.raw_post_data. 2012-12-29 21:59:07 +01:00
Florian Apolloner 27560924ec Fixed a security issue in get_host. 
Full disclosure and new release forthcoming.
 2012-12-10 22:11:40 +01:00
Aymeric Augustin 095eca8dd8 Fixed #19101 -- Decoding of non-ASCII POST data on Python 3. 
Thanks Claude Paroz.
 2012-11-03 13:03:15 +01:00
Alex Gaynor b4066d7d21 Cleaned up the the http module. Moved all of the code from __init__.py to request.py, response.py and utils.py 2012-10-21 11:12:59 -07:00