3a42c0447b
[3.1.x] Fixed #31928 -- Fixed detecting an async get_response in various middlewares.
...
SecurityMiddleware and the three cache middlewares were not calling
super().__init__() during their initialization or calling the required
MiddlewareMixin._async_check() method.
This made the middlewares not properly present as coroutine and
confused the middleware chain when used in a fully async context.
Thanks Kordian Kowalski for the report.
Backport of 825ce75fae
2020-08-28 12:35:53 +02:00
d17b380653
Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and comments.
2020-05-04 12:10:47 +02:00
f283ffaa84
Fixed #28699 -- Fixed CSRF validation with remote user middleware.
...
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
5b09354954
Fixed #31291 -- Renamed salt to mask for CSRF tokens.
2020-02-25 14:16:19 +01:00
4d973f5939
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
...
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
d08d4f464a
Fixed #30765 -- Made cache_page decorator take precedence over max-age Cache-Control directive.
2020-01-16 13:39:16 +01:00
e3d0b4d550
Fixed #30899 -- Lazily compiled import time regular expressions.
2019-10-29 09:22:26 +01:00
0315c18fe1
Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting.
2019-10-23 08:18:48 +02:00
406dba04e1
Fixed #29406 -- Added support for Referrer-Policy header.
...
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
05d0eca635
Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.
2019-09-09 08:15:26 +02:00
8b3f1c35dd
Removed unnecessary assignments in various code.
2019-04-24 13:09:29 +02:00
ad72895c60
Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS.
...
Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS.
2019-03-30 09:02:57 -04:00
7785e03ba8
Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
...
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
817c6cdf0e
Capitalized SecurityMiddleware headers for consistency with other headers.
...
(No behavior change since HTTP headers are case insensitive.)
2018-10-30 18:30:51 -04:00
22e8ab0286
Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.
2018-09-08 11:46:13 -04:00
a656a68127
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-08-01 09:28:42 -04:00
10b44e4525
Fixed #26688 -- Fixed HTTP request logging inconsistencies.
...
* Added logging of 500 responses for instantiated responses.
* Added logging of all 4xx and 5xx responses.
2018-05-04 20:55:03 -04:00
9a56b4b13e
Fixed #27863 -- Added support for the SameSite cookie flag.
...
Thanks Alex Gaynor for contributing to the patch.
2018-04-13 20:58:31 -04:00
362813d628
Fixed hanging indentation in various code.
2018-03-16 10:54:34 +01:00
7ec0fdf62a
Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host.
2018-02-14 20:24:01 -05:00
d968788b57
Fixed #28833 -- Prevented CacheMiddleware from caching responses with "Cache-Control: private".
2018-02-06 09:42:05 -05:00
d7b2aa24f7
Fixed #28982 -- Simplified code with and/or.
2018-01-03 20:12:23 -05:00
23bf4ad87f
Fixed #28795 -- Removed 'not in' checks and used dict.setdefault().
2017-11-14 10:52:52 -05:00
8f8a4d10d3
Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.
...
Follow up to 48d57788ee
2017-11-11 20:45:17 -05:00
48d57788ee
Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline.
2017-09-22 12:51:18 -04:00
c4c128d67c
Fixed #28488 -- Reallowed error handlers to access CSRF tokens.
...
Regression in eef95ea96f
2017-09-20 16:22:18 -04:00
86de930f41
Refs #27656 -- Updated remaining docstring verbs according to PEP 257.
2017-03-04 10:02:06 -05:00
5f3a689f71
Imported django.http classes instead of django.http.
2017-02-27 14:47:11 -05:00
c688336ebc
Refs #23919 -- Assumed request COOKIES and META are str
2017-01-30 14:13:29 +01:00
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
ddf169cdac
Refs #16859 -- Allowed storing CSRF tokens in sessions.
...
Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-30 08:57:27 -05:00
b8a815e9df
Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with prefix_default_language=False.
2016-11-29 13:06:35 -05:00
f46a838efc
Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash.
2016-11-06 10:38:36 +01:00
37809b891e
Fixed #27346 -- Stopped setting the Content-Length header in ConditionalGetMiddleware.
2016-11-05 22:24:54 +01:00
2327fad54e
Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.
2016-10-17 16:11:53 -04:00
61f9243e51
Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.
2016-10-14 12:48:03 -04:00
ad332e5ca9
Refs #19705 -- Made GZipMiddleware make ETags weak.
...
Django's conditional request processing can now produce 304 Not Modified
responses for content that is subject to compression.
2016-10-13 14:22:54 -04:00
a840710e1e
Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ConditionalGetMiddleware.
2016-10-10 14:55:59 -04:00
f9702977b7
Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 Not Modified" responses.
2016-09-14 19:37:18 -04:00
4ef0e019b7
Fixed #27083 -- Added support for weak ETags.
2016-09-10 08:14:52 -04:00
3c2447dd13
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
2016-08-10 20:23:54 -04:00
20d39325ca
Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response has Cache-Control: no-store.
2016-07-15 15:34:00 -04:00
9588718cd4
Fixed #5897 -- Added the Content-Length response header in CommonMiddleware
...
Thanks Tim Graham for the review.
2016-06-27 10:44:57 +02:00
7d1b69dbe7
Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware exception handling.
2016-06-17 10:00:39 -07:00
563d534d33
Removed an unused logger in middleware/common.py
2016-06-04 12:01:44 -04:00
55fec16aaf
Fixed #26628 -- Changed CSRF logger to django.security.csrf.
2016-06-04 10:17:06 -04:00
546649f2d6
Fixed some newlines in imports per isort.
2016-05-19 11:05:44 -04:00
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
9baf692a58
Fixed #26601 -- Improved middleware per DEP 0005.
...
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17 07:22:22 -04:00
Kevin Michel
Adam Johnson
Colton Hicks
Ram Rachum
Claude Paroz
Flavio Curella
Hasan Ramezani
Sergey Fedoseev
Nick Pope
Jon Dufresne
Brad
Artur Juraszek
Michal Čihař
Andreas Hug
Samir Shah
Alex Gaynor
Mariusz Felisiak
Tomer Chachamu
shanghui
Дилян Палаузов
Дилян Палаузов
Tim Graham
Florian Apolloner
Anton Samarchyan
Asif Saifuddin Auvi
Raphael Michel
Krzysztof Urbaniak
Sven Engström
Adam Malinowski
Kevin Christopher Henry
Denis Cornehl
Rinat Khabibiev
Ed Morley
andrewnester
Carl Meyer
Holly Becker
Shai Berger