Commit Graph

72 Commits

Author SHA1 Message Date
Anton Samarchyan 9718fa2e8a Refs #27656 -- Updated django.utils docstring verbs according to PEP 257. 2017-02-11 16:11:08 -05:00
Claude Paroz fee42fd99e Refs #23919 -- Replaced usage of django.utils.http utilities with Python equivalents
Thanks Tim Graham for the review.
2017-01-26 19:49:03 +01:00
Claude Paroz 6e55e1d88a Refs #23919 -- Replaced six.reraise by raise 2017-01-22 20:08:04 +01:00
Claude Paroz 042b7350a0 Refs #23919 -- Removed unneeded str() calls 2017-01-20 14:13:55 +01:00
Tim Graham d29fd3f9a6 Fixed django/utils/http.py comment typo. 2017-01-19 13:21:54 -05:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz c716fe8782 Refs #23919 -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Kevin Christopher Henry 4ef0e019b7 Fixed #27083 -- Added support for weak ETags. 2016-09-10 08:14:52 -04:00
Jon Dufresne f227b8d15d Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts 2016-09-07 19:56:25 -07:00
Przemysław Suliga 5e5a17028f Fixed #26902 -- Allowed is_safe_url() to require an https URL.
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-08-19 18:51:33 -04:00
Andre Cruz 929684d6ee Fixed #21231 -- Enforced a max size for GET/POST values read into memory.
Thanks Tom Christie for review.
2016-05-12 10:17:52 -04:00
Vasiliy Faronov ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616.
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham 3913a56558 Removed unused django.utils.http.PROTOCOL_TO_PORT.
Unused since b0c56b895f.
2016-04-06 12:29:20 -04:00
Claude Paroz 552f03869e Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2016-03-04 23:33:35 +01:00
Claude Paroz ada7a4aefb Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer c5544d2892 Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
2016-03-01 11:25:28 -05:00
Denis Cornehl 186b6c61bf Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Iacopo Spalletti d693074d43 Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Tim Graham 011a54315e Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Lukas Klein 93b3ef9b2e Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454 2015-02-12 08:58:35 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham 69b5e66738 Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:03:06 -05:00
Tim Graham 2508be35ca Fixed #23399 -- Optimized django.utils.http.int_to_bas36()
Thanks liminspace for the patch and Keryn Knight for benchmarking.
2014-09-08 19:31:21 -04:00
Ian Foote 03d89168a2 Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. 2014-08-22 20:07:12 -04:00
Claude Paroz e167e96cfe Fixed #22223 -- Prevented over-escaping URLs in reverse()
And follow more closely the class of characters defined in the
RFC 3986.
Thanks Erik van Zijst for the report and the initial patch, and
Tim Graham for the review.
2014-07-09 09:54:34 +02:00
Collin Anderson 8a2f04db91 typo: urlaprse -> urlparse 2014-05-14 15:00:57 -04:00
Erik Romijn 255449c1ee Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:19:48 +02:00
Ray Ashman Jr e2ae8b048e Correct flake8 E302 violations 2013-11-02 19:53:29 -04:00
Ray Ashman Jr dcfc8fa972 Correct flake8 violation E261 2013-11-02 15:27:47 -04:00
Alex Gaynor f2d8027c9a Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) 2013-10-26 10:50:40 -07:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Aymeric Augustin a5b062576b Removed a few trailing backslashes.
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Aymeric Augustin 6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00
Jacob Kaplan-Moss ae3535169a Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
David Evans 8a160d5de1 Use `usegmt` flag in formatdate
Slightly cleaner and faster than string manipulation.
 
This flag has been available since Python 2.4:
http://docs.python.org/2/library/email.util.html#email.utils.formatdate
2013-08-07 12:00:39 +01:00
Tim Graham 1184d07789 Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.

Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Marc Tamlyn 413735b239 Fix a typo in a comment. 2013-05-19 11:24:36 +02:00
Florian Apolloner 051cb1f4c6 Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.
Thanks to edevil for the report and saz for the patch.
2013-05-18 12:32:47 +02:00
Gavin Wahl ec04fd1344 Fixed spelling errors 2013-03-28 11:16:53 -06:00
konarkmodi bc4111ba68 Fixed #18003 -- Preserved tracebacks when re-raising errors.
Thanks jrothenbuhler for draft patch, Konark Modi for updates.
2013-03-19 15:42:39 -07:00
Florian Apolloner a2f2a39956 Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users. 2012-12-10 22:11:39 +01:00
Claude Paroz b3ee80a0cf Fixed parse_http_date docstring and moved related tests
Refs #18675.
2012-09-26 21:10:17 +02:00
Claude Paroz ae88e73fa6 Replaced some smart_xxx by force_xxx equivalent
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Claude Paroz 928baee747 [py3] Fixed conditional_processing tests 2012-08-14 23:35:12 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Aymeric Augustin d01eaf7104 [py3] Removed uses of sys.maxint under Python 3.
Also fixed #18706: improved exceptions raised by int_to_base36.
2012-08-03 18:51:28 +02:00
Aymeric Augustin 0d914d08a0 [py3] Updated urllib/urllib2/urlparse imports.
Lots of functions were moved. Use explicit imports in all cases
to keey it easy to identify where the functions come from.
2012-07-22 09:29:55 +02:00