Commit Graph

401 Commits

Author SHA1 Message Date
Collin Anderson 2a5d2eefc7 Fixed #33683 -- Document HttpResponseBase and allow import from django.http 2022-05-17 09:51:16 +02:00
Carlton Gibson 34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
Carlton Gibson bb61f0186d Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Thomas Schmidt 1cf60ce601 Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols in the header value. 2022-03-23 19:33:36 +01:00
Luke Plant f3bf6c4218 Refs #33562 -- Made HttpResponse.set_cookie() raise ValueError when both "expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
2022-03-07 08:04:18 +01:00
Luke Plant ae2da5ba65 Fixed #33562 -- Made HttpResponse.set_cookie() support timedelta for the max_age argument. 2022-03-07 07:57:14 +01:00
Keryn Knight 95b7d01d38 Refs #33546 -- Optimized handling content types in HttpResponseBase.__init__().
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
2022-03-02 20:23:39 +01:00
Keryn Knight 4b2f6ace57 Refs #33546 -- Optimized HttpResponseBase.charset a bit.
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
2022-03-02 20:23:39 +01:00
Keryn Knight 51f896fe25 Refs #33546 -- Optimized ResponseHeaders._convert_to_charset() by reducing the type-checking duplication.
In the common case, where keys and values are encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.

Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2022-03-02 20:23:39 +01:00
Keryn Knight e0b197c63c Refs #33546 -- Avoided unpacking data in ResponseHeaders when not necessary. 2022-03-02 20:23:39 +01:00
Mariusz Felisiak 7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot 9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Mariusz Felisiak fc18f36c4a Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
2022-02-01 07:41:40 +01:00
Hrushikesh Vaidya 3fadf141e6 Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names. 2022-01-20 07:19:52 +01:00
Ad Timmering bdf3e156b4 Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. 2022-01-07 12:25:06 +01:00
Mariusz Felisiak 5def7f3f74 Updated various links to HTTPS and new locations.
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
2021-12-02 11:27:29 +01:00
Carlton Gibson 4a58dfd9db Refs #30509 -- Adjusted internal FileResponse variable name.
Follow up to dc724c5bf9.
2021-10-15 07:29:55 +02:00
Piotr Kunicki dc724c5bf9 Fixed #30509 -- Made FileResponse better handle buffers and non-zero file offsets. 2021-10-14 15:05:04 +02:00
Illia Volochii bc4c7e5d68 Optimized handling case-insensitive mappings.
Elements yielded by _destruct_iterable_mapping_values are always
unpacked. Since unpacking can be done with any iterable, there is no
need to convert elements to tuples. Also, such elements can be used
directly in for loops, creating a dictionary of them is excessive.

Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-09-22 09:26:21 +02:00
Illia Volochii f03ba0ad52 Simplified serializing HTTP response headers.
Since ResponseHeaders was introduced, header names and values are stored
as strings. There is no need to check whether they are bytes.

Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-08-02 09:24:48 +02:00
Nicolas Restrepo bbb3965826 Refs #24121 -- Added __repr__() to StreamingHttpResponse and subclasses. 2021-06-22 21:28:48 +02:00
Nick Pope d06c5b3581 Fixed #32366 -- Updated datetime module usage to recommended approach.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Florian Apolloner 0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Hasan Ramezani 8bcb00858e Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri(). 2021-04-30 08:05:42 +02:00
Nick Pope 2161db0792 Fixed capitalization of "ECMAScript" and "JavaScript". 2021-04-29 20:29:08 +02:00
Mariusz Felisiak d4d800ca1a Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
2021-04-06 08:15:17 +02:00
Mariusz Felisiak ec0ff40631 Fixed #32355 -- Dropped support for Python 3.6 and 3.7 2021-02-10 10:20:54 +01:00
Illia Volochii 3c004075b1 Fixed #32389 -- Fixed ResponseHeaders crash when data is not mapping. 2021-01-28 10:10:08 +01:00
Mariusz Felisiak d08977a0f0 Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline. 2021-01-14 17:50:04 +01:00
ᴙɘɘᴙgYmɘᴙɘj 2c5d6dc447 Fixed grammar in HttpResponse docstring. 2020-12-08 12:18:42 +01:00
Mariusz Felisiak 1fd9b44a6b Refs #32074 -- Fixed handling memoryview content by HttpResponse on Python 3.10+.
An iterator was added to memoryview in Python 3.10,
see https://bugs.python.org/issue41732

Refs #30294
2020-11-10 09:56:15 +01:00
Tom Carrick dcb69043d0 Fixed #32002 -- Added headers parameter to HttpResponse and subclasses. 2020-10-07 09:19:57 +02:00
aryan 11c4a4412b Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads.
This patch allows upload handlers to handle interrupted uploads.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-09-30 10:30:43 +02:00
Tom Carrick bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Tim Graham 83dea65ed6 Refs #21231 -- Corrected parse_qsl() fallback.
An oversight in fd209f62f1.
2020-09-07 06:25:56 +02:00
Hasan Ramezani d2d08c8cf6 Fixed #31982 -- Made HttpResponse.set_cookie() cast max_age argument to an integer. 2020-09-05 10:07:23 +02:00
Nick Pope fd209f62f1 Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. 2020-09-03 14:24:42 +02:00
Mariusz Felisiak 240cbb63bf Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will be soon rejected by latest browser versions.

This affects sessions and messages cookies.
2020-07-16 08:16:58 +02:00
Michael Brown 36db4dd937 Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash. 2020-06-11 08:46:59 +02:00
Mariusz Felisiak 7fc317ae73 Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2. 2020-06-03 08:47:19 +02:00
Mariusz Felisiak 0668164b4a Fixed E128, E741 flake8 warnings. 2020-05-12 08:52:23 +02:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
007 e65fea9292 Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers. 2020-02-28 14:43:16 +01:00
Florian Apolloner 41a3b3d186 Fixed #31240 -- Properly closed FileResponse when wsgi.file_wrapper is used.
Thanks to Oskar Persson for the report.
2020-02-11 20:39:12 +01:00
Florian Apolloner 549445519c Reverted "Fixed #30565 -- Closed HttpResponse when wsgi.file_wrapper closes file-like object."
This reverts commit cce47ff65a.
2020-02-11 20:39:12 +01:00
Claude Paroz e348ab0d43 Fixed #30997 -- Deprecated HttpRequest.is_ajax(). 2020-01-27 08:54:32 +01:00
Claude Paroz d66d72f956 Refs #30997 -- Added HttpRequest.accepts(). 2020-01-24 14:24:59 +01:00
Jon Dufresne e42b68debf Fixed #31114 -- Fixed HttpRequest.build_absolute_uri() crash with reverse_lazy() locations. 2019-12-27 09:19:56 +01:00
Osaetin Daniel b33bfc3839 Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.
Thanks Florian Apolloner and Carlton Gibson for reviews.
2019-12-12 10:52:31 +01:00
Gordon Pendleton adb9661789 Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True. 2019-12-05 09:44:45 +01:00