From ff1b19da6761217ed1b14cc7e94c6438903565d8 Mon Sep 17 00:00:00 2001 From: Baptiste Mispelon Date: Sat, 23 Nov 2019 13:42:57 +0100 Subject: [PATCH] Fixed #31029 -- Used more specific links to RFCs. --- docs/ref/csrf.txt | 9 +++++---- docs/ref/models/instances.txt | 4 ++-- docs/ref/request-response.txt | 16 ++++++++-------- docs/ref/settings.txt | 6 +++--- docs/ref/templates/builtins.txt | 3 ++- docs/ref/utils.txt | 4 ++-- docs/ref/validators.txt | 3 ++- 7 files changed, 24 insertions(+), 21 deletions(-) diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index e2f9d30703..ee6d0643fe 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be used to POST data back. It deliberately ignores GET requests (and other requests that are defined as -'safe' by :rfc:`7231`). These requests ought never to have any potentially -dangerous side effects , and so a CSRF attack with a GET request ought to be -harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other -methods are also assumed to be unsafe, for maximum protection. +'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any +potentially dangerous side effects, and so a CSRF attack with a GET request +ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE +as 'unsafe', and all other methods are also assumed to be unsafe, for maximum +protection. The CSRF protection cannot protect against man-in-the-middle attacks, so use :ref:`HTTPS ` with diff --git a/docs/ref/models/instances.txt b/docs/ref/models/instances.txt index 5f8f389506..9345bc0fe0 100644 --- a/docs/ref/models/instances.txt +++ b/docs/ref/models/instances.txt @@ -755,8 +755,8 @@ track down every place that the URL might be created. Specify it once, in .. note:: The string you return from ``get_absolute_url()`` **must** contain only - ASCII characters (required by the URI specification, :rfc:`2396`) and be - URL-encoded, if necessary. + ASCII characters (required by the URI specification, :rfc:`2396#section-2`) + and be URL-encoded, if necessary. Code and templates calling ``get_absolute_url()`` should be able to use the result directly without any further processing. You may wish to use the diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt index a7e73ba1f5..44d59b5f9a 100644 --- a/docs/ref/request-response.txt +++ b/docs/ref/request-response.txt @@ -823,9 +823,9 @@ Methods JavaScript from having access to the cookie. HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's - part of the :rfc:`6265` standard for cookies and can be a useful way to - mitigate the risk of a client-side script accessing the protected cookie - data. + part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies + and can be a useful way to mitigate the risk of a client-side script + accessing the protected cookie data. * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not to send this cookie when performing a cross-origin request. `SameSite`_ isn't supported by all browsers, so it's not a replacement for Django's @@ -836,11 +836,11 @@ Methods .. warning:: - :rfc:`6265` states that user agents should support cookies of at least - 4096 bytes. For many browsers this is also the maximum size. Django - will not raise an exception if there's an attempt to store a cookie of - more than 4096 bytes, but many browsers will not set the cookie - correctly. + :rfc:`RFC 6265 <6265#section-6.1>` states that user agents should + support cookies of at least 4096 bytes. For many browsers this is also + the maximum size. Django will not raise an exception if there's an + attempt to store a cookie of more than 4096 bytes, but many browsers + will not set the cookie correctly. .. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index d493b76aa0..e04d211885 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2759,7 +2759,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy which sets this header is in use. This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per -:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port +:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`. .. setting:: USE_X_FORWARDED_PORT @@ -3108,8 +3108,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to cookie. HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of -the :rfc:`6265` standard for cookies and can be a useful way to mitigate the -risk of a client-side script accessing the protected cookie data. +the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to +mitigate the risk of a client-side script accessing the protected cookie data. This makes it less trivial for an attacker to escalate a cross-site scripting vulnerability into full hijacking of a user's session. There aren't many good diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index ea6ae5aeeb..cc572583ee 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1417,7 +1417,8 @@ Format character Description Example output the "c" formatter will not add timezone offset if value is a naive datetime (see :class:`datetime.tzinfo`). -``r`` :rfc:`5322` formatted date. ``'Thu, 21 Dec 2000 16:01:07 +0200'`` +``r`` :rfc:`RFC 5322 <5322#section-3.3>` ``'Thu, 21 Dec 2000 16:01:07 +0200'`` + formatted date. ``U`` Seconds since the Unix Epoch (January 1 1970 00:00:00 UTC). ================ ======================================== ===================== diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index 33afbac36a..d8af302c0e 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -713,8 +713,8 @@ escaping HTML. .. function:: http_date(epoch_seconds=None) - Formats the time to match the :rfc:`1123` date format as specified by HTTP - :rfc:`7231#section-7.1.1.1`. + Formats the time to match the :rfc:`1123#section-5.2.14` date format as + specified by HTTP :rfc:`7231#section-7.1.1.1`. Accepts a floating point number expressed in seconds since the epoch in UTC--such as that outputted by ``time.time()``. If set to ``None``, diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt index 4fd2a37cbc..7b7a184b1a 100644 --- a/docs/ref/validators.txt +++ b/docs/ref/validators.txt @@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods. an error code of ``'invalid'`` if it doesn't. Loopback addresses and reserved IP spaces are considered valid. Literal - IPv6 addresses (:rfc:`2732`) and unicode domains are both supported. + IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both + supported. In addition to the optional arguments of its parent :class:`RegexValidator` class, ``URLValidator`` accepts an extra optional attribute: