Commit Graph

60 Commits

Author SHA1 Message Date
Michael Manfre 03eec9ff6c Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Mehrdad d4d5427571 Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson 34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
django-bot 9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Ad Timmering bdf3e156b4 Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. 2022-01-07 12:25:06 +01:00
Nick Pope d06c5b3581 Fixed #32366 -- Updated datetime module usage to recommended approach.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Mariusz Felisiak ec0ff40631 Fixed #32355 -- Dropped support for Python 3.6 and 3.7 2021-02-10 10:20:54 +01:00
Mariusz Felisiak 9e456f3166 Refs #30747 -- Removed django.utils.http.is_safe_url() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 88ed1c8d08 Refs #27753 -- Removed django.utils.http urllib aliases per deprecation timeline. 2021-01-14 17:50:04 +01:00
Nick Pope fd209f62f1 Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. 2020-09-03 14:24:42 +02:00
Hasan Ramezani f121621073 Fixed #31521 -- Skipped test_parsing_rfc850 test on 32-bit systems. 2020-04-30 06:51:47 +02:00
Ad Timmering 7b5f8acb9e Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
2019-09-30 14:42:56 +02:00
Ad Timmering 7cbd25a06e Refs #28690 -- Added more tests for parse_http_date(). 2019-09-30 14:42:51 +02:00
Carlton Gibson 4f61810751 Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme(). 2019-09-02 15:32:23 +02:00
swatantra 73ac9e3f04 Fixed #30677 -- Improved error message for urlencode() and Client when None is passed as data. 2019-08-11 20:15:23 +02:00
Jon Dufresne b903bb438f Refs #30485 -- Removed non-representative test that emitted a warning.
Previously, when running the Django test suite with warnings enabled,
the following was emitted:

    /usr/lib64/python3.7/urllib/parse.py:915: BytesWarning: str() on a bytearray instance
      v = quote_via(str(v), safe, encoding, errors)

This occurred due to the bytearray() being passed to
urllib.parse.urlencode() which eventually calls str() on it. The test
does not represent desired real world behavior. Rather than test for and
assert strange unspecified behavior that emits a warning, remove it.

This was also discussed in PR #11374.
2019-06-19 13:03:52 +02:00
Johan Lübcke 0670b1b403 Fixed #30485 -- Adjusted django.utils.http.urlencode for doseq=False case. 2019-05-24 17:15:34 +02:00
Mariusz Felisiak c9888bc8ec
Fixed #30264 -- Fixed crash of test_parsing_year_less_than_70() on 32-bit systems.
Thanks Andreas Beckmann and Chris Lamb for the report.
2019-03-20 13:44:30 +01:00
Tim Graham 83c2bc52c2
Refs #27753 -- Deprecated django.utils.http urllib aliases. 2019-02-04 18:53:11 -05:00
Tim Graham 958a7b4ca6 Refs #28965 -- Removed utils.http.cookie_date() per deprecation timeline. 2019-01-17 10:52:19 -05:00
Jon Dufresne 6fe9c45b72 Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data. 2018-12-27 11:19:55 -05:00
Hasan Ramezani 6b7f1c2530 Increased test coverage of django.utils.http. 2018-11-03 11:13:28 -04:00
Andreas Hug a656a68127 Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. 2018-08-01 09:28:42 -04:00
Przemysław Suliga d22b90b4ea Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string. 2018-06-29 10:17:52 -04:00
Jon Dufresne 1e81a4b897 Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url(). 2018-01-11 07:03:50 -05:00
Tim Graham ab7f4c3306 Refs #28965 -- Deprecated unused django.utils.http.cookie_date(). 2018-01-02 11:23:04 -05:00
François Freitag 41be85862d Fixed #28679 -- Fixed urlencode()'s handling of bytes.
Regression in fee42fd99e.

Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance.
2017-10-12 09:08:33 -04:00
François Freitag 0e212a705e Split django.utils.http tests into separate test classes. 2017-10-10 08:53:01 -04:00
Tim Graham 96107e2844 Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().
Per deprecation timeline.
2017-09-22 12:51:18 -04:00
Mads Jensen 41a7876991 Added test for too large input to django.utils.http.base36_to_int(). 2017-09-21 10:21:02 -04:00
UmanShahzad 856072dd4a Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs. 2017-05-10 09:02:20 -04:00
Tim Graham 5ea48a70af Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
This is a security fix.
2017-04-04 10:42:06 -04:00
Claude Paroz c716fe8782 Refs #23919 -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham 8119b679eb Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Kevin Christopher Henry 4ef0e019b7 Fixed #27083 -- Added support for weak ETags. 2016-09-10 08:14:52 -04:00
Jon Dufresne f227b8d15d Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts 2016-09-07 19:56:25 -07:00
Przemysław Suliga 5e5a17028f Fixed #26902 -- Allowed is_safe_url() to require an https URL.
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-08-19 18:51:33 -04:00
Tim Graham 92053acbb9 Fixed E128 flake8 warnings in tests/. 2016-04-08 10:12:33 -04:00
Claude Paroz 552f03869e Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2016-03-04 23:33:35 +01:00
Claude Paroz ada7a4aefb Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer c5544d2892 Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
2016-03-01 11:25:28 -05:00
Hasan 3d0dcd7f5a Refs #26022 -- Used context manager version of assertRaises in tests. 2016-01-29 12:32:18 -05:00
Denis Cornehl 186b6c61bf Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Josh Soref 93452a70e8 Fixed many spelling mistakes in code, comments, and docs. 2015-12-03 12:48:24 -05:00
Matt Robenolt b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
2015-09-16 12:21:50 -04:00
Tim Graham 011a54315e Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Lukas Klein 93b3ef9b2e Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454 2015-02-12 08:58:35 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham 69b5e66738 Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:03:06 -05:00