Commit Graph

277 Commits

Author SHA1 Message Date
Luke Plant 8cbcf1d3a6 Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
Thanks to cfattarsi for the report and initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
Luke Plant 171df93170 Fixed #15954 - New IGNORABLE_404_URLS setting that allows more powerful filtering of 404s to ignore
Thanks to aaugustin for implementing this.

(Technically this doesn't fix the original report, as we've decided against
having *any* default values, but the new feature makes it possible, and the
docs have an example addressing #15954).

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16160 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-05 20:49:26 +00:00
Luke Plant 8823021625 Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
Luke Plant 21ef64e34c Removed Django 1.1 fallback for CSRF checks.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:14 +00:00
Adrian Holovaty 13864703bc Removed a bunch more Python 2.4 workarounds now that we don't support that version. Refs #15702 -- thanks to jonash for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 02:11:19 +00:00
Adrian Holovaty 3e18969bcb Fixed #15635 -- Converted two legacy old-style raise statements. Thanks, DaNmarner
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15917 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-26 03:30:48 +00:00
Luke Plant 243d0bec19 Fixed #15617 - CSRF referer checking too strict
Thanks to adam for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
Jannis Leidel f6c991667f Fixed #4992 -- Respect the GET request query string when creating cache keys. Thanks PeterKz and guettli for the initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15705 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-02 12:47:36 +00:00
Luke Plant dbe6ced0d6 Fixed #717 - If-Modified-Since handling should compare dates according to RFC 2616
Thanks to Maniac for the report, julienb for the initial patch, and
especially to aaugustin for the final patch and tests.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 14:28:06 +00:00
Luke Plant e57e296167 Corrected logging call in CSRF middleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-21 23:00:44 +00:00
Carl Meyer 969217d455 Fixed #15260 -- Ensured that CACHE_MIDDLEWARE_ANONYMOUS_ONLY is effective with the cache_page decorator, not only the middleware. Thanks to brodie for report and draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15559 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-17 04:35:26 +00:00
Alex Gaynor 208630aa4b Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
Carl Meyer 00fda7f45d Fixed #13283 -- Corrected CACHE_MIDDLEWARE_ANONYMOUS_ONLY's bad habit of setting Vary: Cookie on all responses and destroying cache efficiency. Thanks to natrius for the fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-01 00:20:31 +00:00
Russell Keith-Magee 4bb1b2304d Fixed #15187 -- Ensure that missing page emails aren't sent when running under debug. Thanks to Dan Carroll for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-30 13:11:45 +00:00
Russell Keith-Magee 3f528e10d5 Fixed #15012 -- Added post-rendering callbacks to TemplateResponse so that decorators (in particular, the cache decorator) can defer processing until after rendering has occurred. Thanks to Joshua Ginsberg for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15295 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 14:24:35 +00:00
Russell Keith-Magee fe581013b0 Fixed #15144 -- Corrected some problems with the Cache middleware when used with multiple cache settings. Thanks to Jim Dalton for the report, and to Jim and Joshua Ginsberg for the work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15285 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24 06:36:31 +00:00
Luke Plant c0dd2babb1 Fixed sending mail on 404s to fail silently.
A failure in the e-mail system should not turn a 404 into a 500.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15145 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-04 04:01:37 +00:00
Russell Keith-Magee b22415214a Beefed up the tests for multi-cache handling of the cache middleware and view decorators, and made a couple of tweaks for edge cases as a result.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-22 07:52:44 +00:00
Russell Keith-Magee 673e6fc7fb Fixed #11675 -- Added support for the PyLibMC cache library. In order to support this, and clean up some other 1.3 caching additions, this patch also includes some changes to the way caches are defined. This means you can now have multiple caches, in the same way you have multiple databases. A huge thanks to Jacob Burch for the work on the PyLibMC backend, and to Jannis for his work on the cache definition changes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15005 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-21 15:19:19 +00:00
Alex Gaynor 352deb0915 Fixed #14559 -- corrected some typos and misleading docstrings. Thanks to Gabriel Hurley for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14441 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-02 18:30:00 +00:00
Honza Král cb17f7ca22 Fixed #14560 -- Enable HEAD requests to be cached properly. Thanks, codemonkey!
Introducing ability to cache HEAD requests and GET requests separately by
adding the method to the cache key while preserving the functionality that HEAD
requests can use cached responses generated by a GET request.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14391 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29 01:31:15 +00:00
Luke Plant 90ac02300e Fixed #14565 - No csrf_token on 404 page.
This solution doesn't have the negative side-effects of [14356].

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 1070c57b83 Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Russell Keith-Magee fea159282b Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06 15:02:26 +00:00
Russell Keith-Magee 24acca4139 Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his draft patch, and to the many people who gave feedback during development of the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 15:12:39 +00:00
Luke Plant 364583b894 Fixed #14235 - UnicodeDecodeError in CSRF middleware
Thanks to jbg for the report.

This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
James Bennett 9e3b327aca Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
Luke Plant e8cff0b8f3 Added explanatory note on CSRF failure page for the case of a missing Referer header.
This is intended to help power users who have disabled Referer headers, or
installed add-ons which have done so, and to help web site administrators
with debugging, since this problem will be browser specific and not a
programming error.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 16:28:10 +00:00
Luke Plant f92a21daa7 Added proper code comments for the HTTPS CSRF protection.
Refs #13489 which noticed a vague comment - thanks pmclanahan



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-30 22:30:37 +00:00
Luke Plant ac8b7ff021 Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
This was a regression caused by the CSRF changes in 1.2.

Thanks to edevil for the report.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-08 14:35:48 +00:00
Karen Tracey 8b2c1a484e Fixed #6228: Changed common middleware to respect request-specific urlconf. Thanks trey, skevy, and mikexstudios.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12704 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-07 20:03:04 +00:00
Adrian Holovaty 92568d31b8 Removed an 'assert False' I stupidly committed in [12165]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12166 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:37:48 +00:00
Adrian Holovaty ca6f64a43f Fixed #6094 -- Middleware exceptions are now caught by the core handler. Thanks, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12165 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 17:35:01 +00:00
Adrian Holovaty 19b72077f7 Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 16:51:13 +00:00
Adrian Holovaty 933b9e8de7 Fixed #6991 -- Removed some redundant user.is_authenticated() calls in various places. Thanks, alexkoshelev, Liang Feng and Ivan Sagalaev
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12142 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-09 20:11:01 +00:00
Luke Plant 905dba3694 Misc clarifications in csrf middleware comments
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 21:31:20 +00:00
Luke Plant d0b900e6f5 Slight change to CSRF error messages to make debugging easier.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 14:04:21 +00:00
Luke Plant c2ffe94d9a Removed unused import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11664 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:49:33 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatibility with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Jacob Kaplan-Moss d78cf61c99 BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware.
In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone.

See the Django 1.1 release notes for full details, as well as upgrade instructions.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-07-29 05:35:51 +00:00
Malcolm Tredinnick 499a8ac331 Fixed #10630 -- Be even more conservative in GZipMiddleware for IE.
Patch from sebastien_noack.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10541 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-12 04:14:23 +00:00
Malcolm Tredinnick 30b568226f Fixed #9199 -- We were erroneously only prepending "www" to the domain if we
also needed to append a slash (when PREPEND_WWW=True).

Based on a patch and tests from gonz. Thanks.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9184 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-07 08:22:50 +00:00
Malcolm Tredinnick ba59295068 Fixed #9221 -- Small optimisation to caching middleware handling.
In the slightly unusual case that CACHE_MIDDLEWARE_SECONDS is set to 0, don't
bother storing a copy in the local cache.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9098 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-30 03:58:09 +00:00
Jacob Kaplan-Moss 40e5cde1c5 Fixed #7379: fixed a subtle corner case involving URL encoding in `CommonMiddleware`
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-27 20:29:58 +00:00
Malcolm Tredinnick 1e1f7c58bc Fixed #8381 -- Fixed a problem with appending slashes in the common middleware
when SCRIPT_NAME contains something other than '/'. Patch from jcassee.

Also fixed the middleware tests to work with this patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 01:32:18 +00:00
Gary Wilson Jr c0d862d638 Fixed a typo and added a bit more ReST markup to cache middleware docstring.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8387 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:47:03 +00:00
Jacob Kaplan-Moss 7526590376 Split CacheMiddleware up into two parts -- an update-cache and a fetch-from-cache middleware. This lets you run each half of the cache middleware at the correct time to avoid bad interactions between the cache middleware and other middleware that must modify the cache key (like the locale middleware).
CacheMiddleware itself is still around for backwards-compatibility and as a hook point for the cache decorator, but the documentation has been updated to point people towards the two-part caching middleware.

Refs #730.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8260 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:07:45 +00:00
Malcolm Tredinnick e8f18643cf Fixed #8121 -- Don't override the Content-Language HTTP header in the locale
middleware if it's already been set. Thanks, jcassee.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8259 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-09 15:04:45 +00:00
Gary Wilson Jr c85c8f8891 Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use hashlib module when available. Patch from Karen Tracey.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02 05:56:57 +00:00
Malcolm Tredinnick 94beaa6ebb Fixed #7046 -- set the response status code correctly in ConditionalGetMiddleware.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-30 07:03:58 +00:00
Adrian Holovaty 02bbd9a9b2 Fixed #7228 -- Fixed our ETag header creation to meet the HTTP spec, by quoting it. Thanks, skjohn@us.ibm.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7659 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-16 04:13:04 +00:00
Malcolm Tredinnick 5f477760ac Fixed #6480 -- Added application/pdf to the list of content types we don't compress when sending to Internet Explorer. Thanks, Bastien Kleineidam.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7080 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-02-04 01:40:53 +00:00
Malcolm Tredinnick 1f629bff99 Fixed #3228 -- Added new APPEND_SLASH handling behaviour in the common middleware. Makes customisation a bit easier. Thanks, Mihai Preda and Andy Gayton.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6852 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-02 23:25:55 +00:00
Malcolm Tredinnick f2f6e70b08 Fixed #5813 -- Taught the CacheMiddleware to respect any max-age HTTP header
when setting the expiry time. Thanks, SmileyChris.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6736 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-29 16:57:18 +00:00
Gary Wilson Jr 5870ffd4b0 Made some stylistic changes in `GZipMiddleware` and added some notes about IE, refs #5313.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6697 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-19 03:41:46 +00:00
Malcolm Tredinnick 3ee3d6b5f3 Fixed #5898 -- Changed a few response processing paths to make things harder to get wrong and easier to get right. Previous behaviour wasn't buggy, but it was harder to use than necessary.
We now have automatic HEAD processing always (previously required ConditionalGetMiddleware), middleware benefits from the Location header rewrite, so they can use relative URLs as well, and responses with response codes 1xx, 204 or 304 will always have their content removed, in accordance with the HTTP spec (so it's much harder to inadvertently deliver invalid responses).

Based on a patch and diagnosis from regexbot@gmail.com.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6662 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-11 03:55:44 +00:00
Gary Wilson Jr 5997cb8ad4 Removed unused variable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 04:04:07 +00:00
Gary Wilson Jr 8c442f21dc Fixed #5816 -- Fixed a regression from [6333] that generates incorrect cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31 03:59:40 +00:00
Malcolm Tredinnick 5ef7c4c525 Fixed #5762 -- Quoted the portions that make up the URL when appending
"www." or adding a trailing slash in common middleware.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6553 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 08:31:05 +00:00
Malcolm Tredinnick c4cdb214a6 Fixed #5313 -- Only avoid compressing Javascript when the user agent says it's Internet Explorer. Thanks, mgiger@earthbrowser.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6538 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 03:45:48 +00:00
Jacob Kaplan-Moss 5ae6fafad7 Fixed #3872, which turns out to not have been a bug in the first place, by reverting [6364].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-20 17:03:14 +00:00
Adrian Holovaty 0f4fb9755c Fixed #3872 -- Fixed incorrect handling of HTTP_X_FORWARDED_FOR in SetRemoteAddrFromForwardedFor. Thanks, Simon Willison and gregorth
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6364 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-16 16:54:16 +00:00
Malcolm Tredinnick 4b610f42d3 Added a get_host() method to HttpRequest. There is still an http.get_host() version in place, so this is fully backwards compatible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6296 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 17:46:03 +00:00
Jacob Kaplan-Moss ca9388cdaf Added more dict-like methods to HttpResponse as part of the response.headers -> response._headers move, and fixed a few direct uses of response.headers in Django itself. Thanks to PhiR for tracking down and slaying these bugs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-14 22:33:56 +00:00
Malcolm Tredinnick 0e7299e10a Fixed #4994 -- Send back set-cookie headers in "not modified" responses. Well spotted, colin@owlfish.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5878 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-12 13:10:45 +00:00
Malcolm Tredinnick c050b6a25a Fixed #4946 -- Added some small improvements to Gzip middleware. Thanks, colin@owlfish.com.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5875 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-12 12:29:25 +00:00
Malcolm Tredinnick 5dd9a2ab38 Fixed #4199 -- Changed date formatting in HTTP expires header to be spec
compliant. Thanks, Chris Bennett.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5712 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-16 03:50:22 +00:00
Malcolm Tredinnick 50a3cea8b6 Fixed #4484 -- Fixed APPEND_SLASH handling to handle an empty path value.
Thanks, VesselinK.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-13 14:33:46 +00:00
Malcolm Tredinnick 9b397ee50d Changed ETag computation to first check if an ETag header already exists in the
response.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5483 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-06-17 07:21:09 +00:00
Malcolm Tredinnick 7de9f79969 Fixed #3206 -- Fixed typo in [5407]. This time with bonus testing. Thanks,
Manuel Saelices.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5417 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-06-02 07:55:41 +00:00
Malcolm Tredinnick 63a1304f54 Fixed #3206 -- Changed ETag comparison to only return 304 when the normal
status code would be in the range 200 - 299. This matches RFC 2616
requirements. Based on a patch from Vinay Sajip.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5407 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-06-01 11:47:54 +00:00
Malcolm Tredinnick 439cb4047f Fixed #4040 -- Changed uses of has_key() to "in". Slight performance
improvement and forward-compatible with future Python releases. Patch from Gary
Wilson.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5091 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-04-26 13:30:48 +00:00
Luke Plant 9f180a1bc5 Added client IP address to the e-mail that is sent when an internal
broken link is detected.  This is to help with filtering out
misbehaving bots.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5043 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-04-20 11:24:53 +00:00
Adrian Holovaty 6481cf43f9 Fixed #3808 -- Fixed some typos in comments. Thanks, Collin Grady
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4816 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-03-25 18:05:01 +00:00
Jacob Kaplan-Moss 5bafb499e7 Fixed #3052: GZIP middleware now correctly reports Content-Length. Thanks, simonbun.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4089 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-11-22 20:31:09 +00:00
Luke Plant 8b216eb865 Improved detection of whether a URL is internal or not for the purpose
of broken link e-mails (referred links from images.google were being
misclassified).


git-svn-id: http://code.djangoproject.com/svn/django/trunk@3870 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-09-26 18:49:28 +00:00
Adrian Holovaty 33a9a8f21a Altered [3778] change to match our coding/text style (django.middleware.common)
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3834 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-09-25 17:25:39 +00:00
Malcolm Tredinnick 0fee26935d Fixed #2747 -- Make X-Headers work for staff members. Admins with dynamic IP
addresses can now use bookmarklets. Thanks, Maximillian Dornseif.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@3786 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-09-22 03:17:28 +00:00
Malcolm Tredinnick 3efd4dcd2d Fixed #2602 -- Include User Agent in broken link emails. Thanks, Ian Holsman.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3778 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-09-22 01:28:47 +00:00
Adrian Holovaty d592ca487a Fixed #2541 -- Added helpful error message for CacheMiddleware in the case of CACHE_ANONYMOUS_ONLY=True and uninstalled/unordered AuthenticationMiddleware. Thanks, dummy@habmalnefrage.de
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3603 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-08-18 03:31:13 +00:00
Adrian Holovaty 8f065bba6b Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-08-18 03:12:36 +00:00
Jacob Kaplan-Moss 77f1b8a50d Fixed #2449 -- gzip middleware no longer gzips Javascript. Thanks for the prob, ubernostrum
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3503 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-31 21:31:35 +00:00
Jacob Kaplan-Moss a926046ba6 Second half of little cleanup tweaks suggested by pyflakes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3414 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-21 20:39:17 +00:00
Jacob Kaplan-Moss e9a236d86c Fixed #2092: added a "is_secure()" method to HttpRequest which correctly handles the subtleties of mod_python's interaction with os.environ. This one's been bugging me for about a *year*, so many many thanks to k.shaposhnikov@gmail.com for figuring it out, and Tim Shaffer for pointing out this ticket.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-21 16:20:22 +00:00
Adrian Holovaty 27c49b69b8 Fixed #2392 -- Fixed CACHE_MIDDLEWARE_ANONYMOUS_ONLY to use attribute access to django.conf.settings
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3406 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-21 14:41:38 +00:00
Adrian Holovaty 6ab20c5475 Small style fixes to docs from [3395]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-20 15:45:16 +00:00
Jacob Kaplan-Moss 3e95ef5374 Oops, fixed small typo in [3395]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3396 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-20 15:37:51 +00:00
Jacob Kaplan-Moss 2a8a32c449 Added a CACHE_MIDDLEWARE_ANONYMOUS_ONLY setting which makes the cache ignore pages served to authenticated users. Fixes #1509 (thanks, Matt).
Also added a FAQ entry about using this setting to avoid caching of the admin interface. 


git-svn-id: http://code.djangoproject.com/svn/django/trunk@3395 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-20 15:37:12 +00:00
Adrian Holovaty 37addba352 Converted request.META['REQUEST_METHOD'] calls to request.method, throughout the Django codebase
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3171 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-20 04:34:13 +00:00
Adrian Holovaty 2abfd5dd58 Fixed #2109 -- Convert old-style classes to new-style classes throughout Django. Thanks, Nicola Larosa
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3113 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-08 05:00:13 +00:00
Adrian Holovaty 3aa6b0556f Solved the POST-data-lost-after-redirect problem by raising RuntimeError when DEBUG=True in the CommonMiddleware
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3109 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-08 03:47:18 +00:00
Adrian Holovaty 503a27d212 Fixed #1707 -- LocaleMiddleware now sets Content-Language header. Thanks, ubernostrum
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2843 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-05 03:19:16 +00:00
Adrian Holovaty f69cf70ed8 MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-02 01:31:56 +00:00
Adrian Holovaty bc4638d722 Fixed #1569 -- HttpResponse now accepts iterators. Thanks, Maniac
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2639 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-04-09 23:54:34 +00:00
Adrian Holovaty bf16befc43 Fixed #1339 -- Added keys() and items() methods to session objects. Thanks, Ned Batchelder
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2300 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-02-10 21:33:07 +00:00
Adrian Holovaty 44e6ce6552 Fixed #1048 -- Fixed AttributeError in sessions framework when SESSION_SAVE_EVERY_REQUEST is True and no cookie has been set yet. Thanks, Jiri Barton
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1978 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-01-15 06:18:03 +00:00
Adrian Holovaty 3234a932b2 Fixed #1117 -- Added HttpResponsePermanentRedirect
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1816 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-01-03 23:57:14 +00:00
Adrian Holovaty f7f812cd70 Fixed #1137 -- Added a _contains_() method to SessionWrapper. Thanks, Brant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-12-29 19:17:32 +00:00
Adrian Holovaty 79be9b2e7d Changed CommonMiddleware so it doesn't assume HTTP_HOST is set.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1548 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-12-05 15:25:55 +00:00
Adrian Holovaty cc3660c07d Fixed #878 -- URLconf regex captures no longer have to be named groups. Old URLconfs (with named groups) still work. This is backwards-incompatible if you've defined custom middleware with a process_view function. See http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1470 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-27 22:08:51 +00:00
Adrian Holovaty 3895a825a9 Added SESSION_SAVE_EVERY_REQUEST setting.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1303 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-20 17:16:13 +00:00
Adrian Holovaty 1b035c35d9 BACKWARDS-INCOMPATIBLE CHANGE -- Moved flatpages and redirects to standalone apps in django.contrib that are NOT installed by default. See http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges for full migration information.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1166 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-11 04:45:05 +00:00
Adrian Holovaty 7e28ba0b4c Tiny docstring cleanup in middleware/common.py
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1096 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-06 21:55:57 +00:00
Jacob Kaplan-Moss 5cf8f68423 Merged i18n branch into the trunk! Fixes #65, and perhaps some others. NB: this means that the i18n branch is now obsolete and will be made read-only.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1068 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-04 04:59:46 +00:00
Adrian Holovaty 390666ac2b Fixed #508 -- Added support for 'expires' in cookies and changed session middleware to set 'expires' in addition to 'max_age'. Thanks, mark@junklight.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1035 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-11-01 01:02:07 +00:00
Adrian Holovaty ed2f2419a1 Fixed #647 -- Fixed cache middleware not to expect _cache_update_cache, in case of 404s and 500s. Thanks, Eugene
git-svn-id: http://code.djangoproject.com/svn/django/trunk@954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-19 13:44:55 +00:00
Adrian Holovaty f07e5d4f5d Fixed #627 -- BACKWARDS-INCOMPATIBLE CHANGE. Admin is now an app, not a middleware. See BackwardsIncompatibleChanges for a full list of changes and information on how to update your code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-19 01:09:05 +00:00
Adrian Holovaty f71f854628 Fixed #626 -- Moved template modules to django.core.template package. django.core.template_loader is deprecated, in favor of django.core.template.loader.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@867 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-14 20:10:13 +00:00
Adrian Holovaty b4e2d12b1f Fixed #599 -- locmem cache now uses deepcopy() to prevent aliasing. Thanks, Hugo
git-svn-id: http://code.djangoproject.com/svn/django/trunk@821 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-10 13:56:39 +00:00
Adrian Holovaty d65526d688 Fixed #580 -- Added mega support for generating Vary headers, including some view decorators, and changed the CacheMiddleware to account for the Vary header. Also added GZipMiddleware and ConditionalGetMiddleware, which are no longer handled by CacheMiddleware itself. Also updated the cache.txt and middleware.txt docs. Thanks to Hugo and Sune for the excellent patches
git-svn-id: http://code.djangoproject.com/svn/django/trunk@810 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-09 00:55:08 +00:00
Adrian Holovaty ab9aacd4db Fixed #333 and #440 -- Split DEFAULT_MIME_TYPE setting into DEFAULT_CONTENT_TYPE and DEFAULT_CHARSET. Thanks, Maniac.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@786 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-06 02:27:08 +00:00
Adrian Holovaty c3fa47edb8 Added USE_FLAT_PAGES setting, which defaults to True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@782 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-10-05 23:36:17 +00:00
Adrian Holovaty 39a907a051 Added request.session.delete_test_cookie()
git-svn-id: http://code.djangoproject.com/svn/django/trunk@669 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-09-23 01:28:44 +00:00
Adrian Holovaty 8df0df620f Removed a legacy 'TODO' from django.middleware.sessions
git-svn-id: http://code.djangoproject.com/svn/django/trunk@667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-09-23 00:21:35 +00:00
Adrian Holovaty 5bdf1da730 Fixed #394 -- Trailing-slash redirects now retain duplicate name-value query-string pairs, instead of the first of each pair. Added a QueryDict.urlencode() method to accomplish this. Updated the docs. Thanks for the good catch, mlambert
git-svn-id: http://code.djangoproject.com/svn/django/trunk@613 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-09-02 19:39:47 +00:00
Adrian Holovaty cb6aa1035b Fixed #407 -- Code no longer assumes request.META['REMOTE_ADDR'] exists. Thanks, sune.kirkeby@gmail.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@580 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-31 16:27:59 +00:00
Adrian Holovaty 928832d6e0 Changed SessionMiddleware to use process_request instead of process_view -- that way it always gets called, even for 404s
git-svn-id: http://code.djangoproject.com/svn/django/trunk@545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-22 19:19:54 +00:00
Adrian Holovaty 2972e8b5d5 Improved session code to force creation of a new session key if the given session key doesn't exist -- for extra security
git-svn-id: http://code.djangoproject.com/svn/django/trunk@536 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-18 16:45:15 +00:00
Adrian Holovaty b1d9682a38 Fixed #335 -- Admin login form now checks that cookies are enabled.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@529 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-17 22:04:53 +00:00
Adrian Holovaty 07889c13a6 Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-16 22:54:05 +00:00
Adrian Holovaty 00da60e932 Removed special-case test for '_files' URL in common middleware -- thanks, Jeremy Dunck
git-svn-id: http://code.djangoproject.com/svn/django/trunk@513 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-08-16 00:47:53 +00:00
Adrian Holovaty fe91881e35 Fixed #159 -- Admin users no longer have to log in to go to the 'log out' page. Thanks, Manuzhai
git-svn-id: http://code.djangoproject.com/svn/django/trunk@325 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-07-26 22:48:04 +00:00
Adrian Holovaty 897d24b220 Fixed #95 -- Added SECRET_KEY setting instead of hard-coding keys that are shared for every Django installation. 'django-admin.py startproject' now creates a random SECRET_KEY. The auth and comments modules, and the admin middleware, all use SECRET_KEY now, instead of hard-coded values.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@230 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-07-20 00:37:45 +00:00
Adrian Holovaty 8fd94405b5 Added django.middleware.cache, which lets you cache an entire Django-powered site by adding a line to your settings
git-svn-id: http://code.djangoproject.com/svn/django/trunk@178 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-07-18 19:07:37 +00:00
Adrian Holovaty f4c581158d Renamed CMSRequest to DjangoRequest, and CMSContext to DjangoContext. Old code will still work.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@57 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-07-15 17:09:01 +00:00
Adrian Holovaty ed114e1510 Imported Django from private SVN repository (created from r. 8825)
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2005-07-13 01:25:57 +00:00