Commit Graph

21 Commits

Author SHA1 Message Date
Russell Keith-Magee 1070c57b83 Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Luke Plant a02a6fab66 Fixed #9163 - CsrfMiddleware needs to reset ETag header
Thanks to carljm for report and patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24 10:45:58 +00:00
Karen Tracey 50745cc31e Fixed #11066 -- Corrected 15 duplicate "the"s found in docs and code comments. Thanks kaikuehne.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10801 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-17 16:45:28 +00:00
Luke Plant 71233bcdf3 Fixed #10884 - more lenient regexp for matching forms in CSRF post-processing
Thanks to Ryszard Szopa for the report and fix


git-svn-id: http://code.djangoproject.com/svn/django/trunk@10617 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-21 23:31:01 +00:00
Luke Plant 0326574d0e Fixed tabs in source, stupid emacs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9817 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07 19:32:37 +00:00
Luke Plant 95ed07e888 Fixed some function name errors in code doc.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9816 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07 18:06:32 +00:00
Luke Plant 9a2e338107 Made CSRF middleware skip post-processing for 'csrf_exempt' decorated views.
This commit also decomposes the decorator into two decorators which can be
used separately, adds some tests, updates docs and fixes some code comments.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@9815 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07 17:47:02 +00:00
Luke Plant 9c33d74f1d Added some explanatory comments in CsrfMiddleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9561 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03 13:23:23 +00:00
Luke Plant 9eedc7bd0b New CsrfMiddleware features: automatic exceptions for known AJAX and decorator for manual exceptions
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9554 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03 00:34:18 +00:00
Luke Plant c0f9e85fbe Split CsrfMiddleware into two to make it more reusable.
Also converted it to be a view middleware instead of request,
as this allows more options.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9553 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03 00:31:31 +00:00
Luke Plant 01ec6d0085 More tests for the other half of CsrfMiddleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9552 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-02 23:00:06 +00:00
Luke Plant f7242bb778 Added tests for CsrfMiddleware.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9551 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-02 22:40:00 +00:00
Gary Wilson Jr c85c8f8891 Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. Patch from Karen Tracey.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02 05:56:57 +00:00
Malcolm Tredinnick 356662cf74 Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359
See documentation in templates.txt and templates_python.txt for how everything
works.

Backwards incompatible if you're inserting raw HTML output via template variables.

Based on an original design from Simon Willison and with debugging help from Michael Radziej.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-14 12:58:53 +00:00
Adrian Holovaty afc6985267 Fixed #5292 -- Changed CSRF middleware to check for request.method == 'POST' instead of request.POST dictionary not being empty. Thanks, Jakub Wilk
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6038 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-03 06:18:48 +00:00
Adrian Holovaty d9ce900e13 Fixed #3157 -- Made error message XHTML-friendly in CSRF middleware. Thanks, mir@noris.de
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4225 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-12-18 15:37:52 +00:00
Luke Plant 5c0e4f3908 Fixed CsrfMiddleware post processing so that it in the presence of multiple
POST <form>s, only one <input> tag is added with an id, for HTML validity.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@2900 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-11 22:32:47 +00:00
Luke Plant c26553c4f9 Fixed #1827 - added 'id' attribute to generated CSRF hidden field. Good call, Ian Holsman.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2899 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-11 21:55:53 +00:00
Luke Plant 8eecb95ec8 Added CsrfMiddleware to contrib, and documentation.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2868 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-08 23:03:08 +00:00