Commit Graph

318 Commits

Author SHA1 Message Date
Tomer Chachamu 7ec0fdf62a Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. 2018-02-14 20:24:01 -05:00
shanghui d968788b57 Fixed #28833 -- Prevented CacheMiddleware from caching responses with "Cache-Control: private". 2018-02-06 09:42:05 -05:00
Дилян Палаузов d7b2aa24f7 Fixed #28982 -- Simplified code with and/or. 2018-01-03 20:12:23 -05:00
Дилян Палаузов 23bf4ad87f Fixed #28795 -- Removed 'not in' checks and used dict.setdefault(). 2017-11-14 10:52:52 -05:00
Tim Graham 8f8a4d10d3 Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.
Follow up to 48d57788ee.
2017-11-11 20:45:17 -05:00
Tim Graham 48d57788ee Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline. 2017-09-22 12:51:18 -04:00
Florian Apolloner c4c128d67c Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
Regression in eef95ea96f.
2017-09-20 16:22:18 -04:00
Anton Samarchyan 86de930f41 Refs #27656 -- Updated remaining docstring verbs according to PEP 257. 2017-03-04 10:02:06 -05:00
Asif Saifuddin Auvi 5f3a689f71 Imported django.http classes instead of django.http. 2017-02-27 14:47:11 -05:00
Claude Paroz c688336ebc Refs #23919 -- Assumed request COOKIES and META are str 2017-01-30 14:13:29 +01:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Raphael Michel ddf169cdac Refs #16859 -- Allowed storing CSRF tokens in sessions.
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
Krzysztof Urbaniak b8a815e9df Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with prefix_default_language=False. 2016-11-29 13:06:35 -05:00
Sven Engström f46a838efc Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash. 2016-11-06 10:38:36 +01:00
Adam Malinowski 37809b891e Fixed #27346 -- Stopped setting the Content-Length header in ConditionalGetMiddleware. 2016-11-05 22:24:54 +01:00
Kevin Christopher Henry 2327fad54e Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests. 2016-10-17 16:11:53 -04:00
Tim Graham 61f9243e51 Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware. 2016-10-14 12:48:03 -04:00
Kevin Christopher Henry ad332e5ca9 Refs #19705 -- Made GZipMiddleware make ETags weak.
Django's conditional request processing can now produce 304 Not Modified
responses for content that is subject to compression.
2016-10-13 14:22:54 -04:00
Denis Cornehl a840710e1e Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ConditionalGetMiddleware. 2016-10-10 14:55:59 -04:00
Rinat Khabibiev f9702977b7 Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 Not Modified" responses. 2016-09-14 19:37:18 -04:00
Kevin Christopher Henry 4ef0e019b7 Fixed #27083 -- Added support for weak ETags. 2016-09-10 08:14:52 -04:00
Ed Morley 3c2447dd13 Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-08-10 20:23:54 -04:00
andrewnester 20d39325ca Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response has Cache-Control: no-store. 2016-07-15 15:34:00 -04:00
Claude Paroz 9588718cd4 Fixed #5897 -- Added the Content-Length response header in CommonMiddleware
Thanks Tim Graham for the review.
2016-06-27 10:44:57 +02:00
Carl Meyer 7d1b69dbe7 Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware exception handling. 2016-06-17 10:00:39 -07:00
Tim Graham 563d534d33 Removed an unused logger in middleware/common.py 2016-06-04 12:01:44 -04:00
Holly Becker 55fec16aaf Fixed #26628 -- Changed CSRF logger to django.security.csrf. 2016-06-04 10:17:06 -04:00
Tim Graham 546649f2d6 Fixed some newlines in imports per isort. 2016-05-19 11:05:44 -04:00
Shai Berger 5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Florian Apolloner 9baf692a58 Fixed #26601 -- Improved middleware per DEP 0005.
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
Florian Apolloner 05c888ffb8 Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware. 2016-05-17 07:20:56 -04:00
Vasiliy Faronov ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616.
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
2016-05-03 11:14:40 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
Tim Graham 2cd2d18851 Fixed W503 flake8 warnings. 2016-04-04 17:14:26 -04:00
ieatkittens 9390da7fb6 Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and APPEND_SLASH independently. 2016-03-23 09:23:19 -04:00
Krzysztof Urbaniak 85a4844f8a Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with HTTP_ACCEPT_LANGUAGE header. 2016-03-10 10:51:55 -05:00
harikrishnakanchi 74670498e9 Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then
BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08 09:21:42 -05:00
Krzysztof Urbaniak 839a955d08 Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns(). 2016-03-08 08:14:10 -05:00
Simon Charette d0451e4cad Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.
Thanks Tim for the review.
2016-03-03 12:08:49 -05:00
Liam Brenner 182f98c4c7 Fixed typo in django/middleware/common.py docstring. 2016-02-09 08:06:26 -05:00
chemary 2d28144c95 Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). 2016-01-20 18:19:24 -05:00
Denis Cornehl 186b6c61bf Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Marten Kenbeek 16411b8400 Fixed #26013 -- Moved django.core.urlresolvers to django.urls.
Thanks to Tim Graham for the review.
2015-12-31 14:21:29 -05:00
Derek J. Curtis 6be9589eb3 Fixed #25900 -- Fixed regression in CommonMiddleware ETag support. 2015-12-10 13:51:07 -05:00
Aymeric Augustin 11f10b70f3 Fixed #25302 (again) -- Ignored scheme when checking for bad referers.
The check introduced in 4ce433e was too strict in real life. The poorly
implemented bots this patch attempted to ignore are sloppy when it comes
to http vs. https.
2015-11-26 21:27:12 +01:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Joshua Kehn ab26b65b2f Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
2015-09-05 09:19:57 -04:00
Maxime Lorant 4ce433e811 Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s when Referer = URL. 2015-08-24 19:35:49 -04:00
Denis Cornehl 7a40fef17a Fixed #24935 -- Refactored common conditional GET handling. 2015-08-15 09:08:45 -04:00
Claude Paroz 64982cc2fb Updated Wikipedia links to use https 2015-08-08 12:02:32 +02:00
Jay Cox 434d309ef6 Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in CommonMiddleware.
This speeds up affected requests by about 5%.
2015-07-31 12:04:06 -04:00
sujayskumar 2e70bf3785 Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response 2015-06-27 08:46:23 -04:00
Piotr Jakimiak 4157c502a5 Removed unnecessary arguments in .get method calls 2015-05-13 20:51:18 +02:00
Jay Cox eef95ea96f Fixed #24696 -- Made CSRF_COOKIE computation lazy.
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.

Changed result of the “test_token_node_no_csrf_cookie” test:  It gets
a valid CSRF token now which seems like the correct behavior.

Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
2015-05-02 19:45:14 -04:00
Oliver A Bristow 4cd727095d Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddleware 2015-04-21 22:02:04 +02:00
Bas Peschier 9128762f16 Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
2015-03-26 09:26:55 -04:00
Claude Paroz a0c2eb46dd Fixed #23960 -- Removed http.fix_location_header
Thanks Carl Meyer for the report and Tim Graham for the review.
2015-03-18 18:22:50 +01:00
Grzegorz Slusarek 668d53cd12 Fixed #21495 -- Added settings.CSRF_HEADER_NAME 2015-03-05 15:03:40 -05:00
Claude Paroz 80be597a7b Fixed #24360 -- Delayed internal LocaleMiddleware variable initialization
Failing in a middleware `__init__` is preventing proper debug view.
2015-03-02 20:06:24 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham 0e60912492 Removed UpdateCacheMiddleware._session_accessed()
This method is unused since f567d04b24
2015-02-01 20:33:22 -05:00
Samuel Colvin 5b74134f27 Fixed #24145 -- Added PUT & PATCH to CommonMiddleware APPEND_SLASH redirect error. 2015-01-29 15:23:01 -05:00
Claude Paroz 27dd7e7271 Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
2015-01-06 08:42:58 +01:00
Berker Peksag df0523debc Fixed #23531 -- Added CommonMiddleware.response_redirect_class. 2014-11-04 17:56:57 -05:00
Tim Graham 52ef6a4726 Fixed #17101 -- Integrated django-secure and added check --deploy option
Thanks Carl Meyer for django-secure and for reviewing.

Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
2014-09-12 15:05:23 -04:00
Tim Graham fe38be96c1 Fixed #21579 -- Made LocaleMiddleware respect script prefix.
Thanks buettgenbach at datacollect.com for the report and patch.
2014-08-14 09:36:41 -04:00
Tim Graham 815e7a5721 Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.
Thanks Walter Doekes.
2014-06-25 07:08:16 -04:00
Mark Lavin 79956d0694 Fixed #22440 -- Updated ConditionalGetMiddleware to comply with RFC 2616. 2014-06-13 20:01:35 -04:00
Aymeric Augustin df09d85482 Fixed #17552 -- Removed a hack for IE6 and earlier.
It prevented the GZipMiddleware from compressing some data types even on
more recent version of IE where the corresponding bug was fixed.

Thanks Aaron Cannon for the report and Tim Graham for the review.
2014-06-10 08:42:31 +02:00
Alex Gaynor 1dcc603eff Fixed several typos in Django 2014-05-28 17:39:14 -07:00
Aymeric Augustin c083e3815a Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.
2014-04-21 18:11:26 -04:00
Alex Gaynor 778ce245dd Corrected many style guide violations that the newest version of flake8 catches 2014-03-30 12:11:05 -07:00
Aymeric Augustin 253e8ac29f Removed django.middleware.doc. Refs #20126.
Small doc changes missed in 66076268.
2014-03-21 22:07:39 +01:00
Aymeric Augustin 0f9560855e Removed legacy transaction management per the deprecation timeline. 2014-03-21 21:06:50 +01:00
Tim Graham f567d04b24 Removed settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY per deprecation timeline.
refs #15201.
2014-03-21 09:46:17 -04:00
Tim Graham 11e22129d5 Removed settings.SEND_BROKEN_LINK_EMAILS per deprecation timeline. 2014-03-21 07:15:58 -04:00
Claude Paroz 210d0489c5 Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
2014-03-08 09:57:40 +01:00
Roger Hu 9b729ddd8f Fixed #22185 -- Added settings.CSRF_COOKIE_AGE
Thanks Paul McMillan for the review.
2014-03-06 08:28:43 -05:00
Bouke Haarsma 2bab9d6d9e Fixed #21389 -- Accept most valid language codes
By removing the 'supported' keyword from the detection methods and only relying
on a cached settings.LANGUAGES, the speed of said methods has been improved;
around 4x raw performance. This allows us to stop checking Python's incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.

HTTP Accept-Language is defined as being case-insensitive, based on this fact
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
2014-02-26 16:58:04 +01:00
Ludwik Trammer 9922ed46e2 Fixed #21473 -- Limited language preservation to logout
Current language is no longer saved to session by LocaleMiddleware
on  every response (the behavior introduced in #14825).
Instead language stored in session is reintroduced into new session
after logout.

Forward port of c558a43fd6 to master.
2013-12-12 10:24:43 +01:00
Christopher Medrela 7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Curtis Maloney ffc37e2343 Fixed #21012 -- New API to access cache backends.
Thanks Curtis Malony and Florian Apolloner.

Squashed commit of the following:

commit 3380495e93
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:18:07 2013 +0100

    Looked up the template_fragments cache at runtime.

commit 905a74f52b
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 14:19:48 2013 +0100

    Removed all uses of create_cache.

    Refactored the cache tests significantly.

    Made it safe to override the CACHES setting.

commit 35e289fe92
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:23:57 2013 +0100

    Removed create_cache function.

commit 8e274f747a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sat Nov 23 12:04:52 2013 +0100

    Updated docs to describe a simplified cache backend API.

commit ee7eb0f73e
Author: Curtis Maloney <curtis@tinbrain.net>
Date:   Sat Oct 19 09:49:24 2013 +1100

    Fixed #21012 -- Thread-local caches, like databases.
2013-11-23 15:06:59 +01:00
Milton Mazzarri cbc7cbbc5b Fixed flake8 E251 violations 2013-11-03 03:22:11 -06:00
coagulant 3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Alex Gaynor 7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Tim Graham 36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Bouke Haarsma 6107435386 Fixed #21324 -- Translate CSRF failure view
Thanks to Claude Paroz for the original patch.
2013-11-02 11:22:30 +01:00
Bouke Haarsma 0d0f4f020a Fixed #5789 -- Changed LocaleMiddleware session variable to '_language'.
The old 'django_language' variable will still be read from in order
to migrate users. The backwards-compatability shim will be removed in
Django 1.8.

Thanks to jdunck for the report and stugots for the initial patch.
2013-10-22 09:24:42 -04:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Tim Graham ac4fec5ca2 Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Unai Zalakain c7634cd7fe Fixed #7603 -- Added a 'scheme' property to the HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.

`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.

`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.

This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.

Thanks nslater for the suggestion.
2013-10-15 09:04:12 -04:00
Tim Graham cec11a3336 Used "is" for comparisons with None. 2013-10-10 09:35:56 -04:00
Emil Stenström 7a97df190c Fixed #19277 -- Added LocaleMiddleware.response_redirect_class
Thanks ppetrid at yawd.eu for the suggestion.
2013-10-03 16:15:29 -04:00
Curtis Maloney 07876cf02b Deprecated SortedDict (replaced with collections.OrderedDict)
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Aymeric Augustin acd7b34aaf Advanced deprecation warnings for Django 1.7. 2013-06-29 18:49:37 +02:00
Aymeric Augustin ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Ramiro Morales 0fa8d43e74 Replaced `and...or...` constructs with PEP 308 conditional expressions. 2013-05-26 23:47:50 -03:00
Claude Paroz f940e564e4 Fixed #20099 -- Eased subclassing of BrokenLinkEmailsMiddleware
Thanks Ram Rachum for the report and the initial patch, and Simon
Charette for the review.
2013-05-25 12:10:53 +02:00
Vlastimil Zíma 6de81d65f4 Fixed #14825 -- LocaleMiddleware keeps language
* LocaleMiddleware stores language into session if it is not present there.
2013-05-25 10:52:54 +02:00