Michael Manfre
03eec9ff6c
Updated vendored _urlsplit() to strip newline and tabs.
...
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Mehrdad
d4d5427571
Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
...
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7
Refs #33173 -- Removed use of deprecated cgi module.
...
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
django-bot
9c19aff7c7
Refs #33476 -- Reformatted code with Black.
2022-02-07 20:37:05 +01:00
Ad Timmering
bdf3e156b4
Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.
2022-01-07 12:25:06 +01:00
Nick Pope
d06c5b3581
Fixed #32366 -- Updated datetime module usage to recommended approach.
...
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Mariusz Felisiak
ec0ff40631
Fixed #32355 -- Dropped support for Python 3.6 and 3.7
2021-02-10 10:20:54 +01:00
Mariusz Felisiak
9e456f3166
Refs #30747 -- Removed django.utils.http.is_safe_url() per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
88ed1c8d08
Refs #27753 -- Removed django.utils.http urllib aliases per deprecation timeline.
2021-01-14 17:50:04 +01:00
Nick Pope
fd209f62f1
Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8.
2020-09-03 14:24:42 +02:00
Hasan Ramezani
f121621073
Fixed #31521 -- Skipped test_parsing_rfc850 test on 32-bit systems.
2020-04-30 06:51:47 +02:00
Ad Timmering
7b5f8acb9e
Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
...
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
2019-09-30 14:42:56 +02:00
Ad Timmering
7cbd25a06e
Refs #28690 -- Added more tests for parse_http_date().
2019-09-30 14:42:51 +02:00
Carlton Gibson
4f61810751
Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().
2019-09-02 15:32:23 +02:00
swatantra
73ac9e3f04
Fixed #30677 -- Improved error message for urlencode() and Client when None is passed as data.
2019-08-11 20:15:23 +02:00
Jon Dufresne
b903bb438f
Refs #30485 -- Removed non-representative test that emitted a warning.
...
Previously, when running the Django test suite with warnings enabled,
the following was emitted:
/usr/lib64/python3.7/urllib/parse.py:915: BytesWarning: str() on a bytearray instance
v = quote_via(str(v), safe, encoding, errors)
This occurred due to the bytearray() being passed to
urllib.parse.urlencode() which eventually calls str() on it. The test
does not represent desired real world behavior. Rather than test for and
assert strange unspecified behavior that emits a warning, remove it.
This was also discussed in PR #11374 .
2019-06-19 13:03:52 +02:00
Johan Lübcke
0670b1b403
Fixed #30485 -- Adjusted django.utils.http.urlencode for doseq=False case.
2019-05-24 17:15:34 +02:00
Mariusz Felisiak
c9888bc8ec
Fixed #30264 -- Fixed crash of test_parsing_year_less_than_70() on 32-bit systems.
...
Thanks Andreas Beckmann and Chris Lamb for the report.
2019-03-20 13:44:30 +01:00
Tim Graham
83c2bc52c2
Refs #27753 -- Deprecated django.utils.http urllib aliases.
2019-02-04 18:53:11 -05:00
Tim Graham
958a7b4ca6
Refs #28965 -- Removed utils.http.cookie_date() per deprecation timeline.
2019-01-17 10:52:19 -05:00
Jon Dufresne
6fe9c45b72
Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data.
2018-12-27 11:19:55 -05:00
Hasan Ramezani
6b7f1c2530
Increased test coverage of django.utils.http.
2018-11-03 11:13:28 -04:00
Andreas Hug
a656a68127
Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
2018-08-01 09:28:42 -04:00
Przemysław Suliga
d22b90b4ea
Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string.
2018-06-29 10:17:52 -04:00
Jon Dufresne
1e81a4b897
Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url().
2018-01-11 07:03:50 -05:00
Tim Graham
ab7f4c3306
Refs #28965 -- Deprecated unused django.utils.http.cookie_date().
2018-01-02 11:23:04 -05:00
François Freitag
41be85862d
Fixed #28679 -- Fixed urlencode()'s handling of bytes.
...
Regression in fee42fd99e
.
Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance.
2017-10-12 09:08:33 -04:00
François Freitag
0e212a705e
Split django.utils.http tests into separate test classes.
2017-10-10 08:53:01 -04:00
Tim Graham
96107e2844
Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().
...
Per deprecation timeline.
2017-09-22 12:51:18 -04:00
Mads Jensen
41a7876991
Added test for too large input to django.utils.http.base36_to_int().
2017-09-21 10:21:02 -04:00
UmanShahzad
856072dd4a
Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs.
2017-05-10 09:02:20 -04:00
Tim Graham
5ea48a70af
Fixed #27912 , CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
...
This is a security fix.
2017-04-04 10:42:06 -04:00
Claude Paroz
c716fe8782
Refs #23919 -- Removed six.PY2/PY3 usage
...
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
Tim Graham
8119b679eb
Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
...
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Kevin Christopher Henry
4ef0e019b7
Fixed #27083 -- Added support for weak ETags.
2016-09-10 08:14:52 -04:00
Jon Dufresne
f227b8d15d
Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts
2016-09-07 19:56:25 -07:00
Przemysław Suliga
5e5a17028f
Fixed #26902 -- Allowed is_safe_url() to require an https URL.
...
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-08-19 18:51:33 -04:00
Tim Graham
92053acbb9
Fixed E128 flake8 warnings in tests/.
2016-04-08 10:12:33 -04:00
Claude Paroz
552f03869e
Added safety to URL decoding in is_safe_url() on Python 2
...
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218
and ada7a4aef
.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb
Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
...
This fixes a regression introduced by c5544d2892
.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer
c5544d2892
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
...
This is a security fix.
2016-03-01 11:25:28 -05:00
Hasan
3d0dcd7f5a
Refs #26022 -- Used context manager version of assertRaises in tests.
2016-01-29 12:32:18 -05:00
Denis Cornehl
186b6c61bf
Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
...
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Josh Soref
93452a70e8
Fixed many spelling mistakes in code, comments, and docs.
2015-12-03 12:48:24 -05:00
Matt Robenolt
b0c56b895f
Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
...
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Tim Graham
011a54315e
Made is_safe_url() reject URLs that start with control characters.
...
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Lukas Klein
93b3ef9b2e
Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454
2015-02-12 08:58:35 +01:00
Tim Graham
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
Tim Graham
69b5e66738
Fixed is_safe_url() to handle leading whitespace.
...
This is a security fix. Disclosure following shortly.
2015-01-13 13:03:06 -05:00