Fixed #31029 -- Used more specific links to RFCs.

Baptiste Mispelon 2019-11-23 13:42:57 +01:00
parent 42df1b178b
commit ff1b19da67
7 changed files with 24 additions and 21 deletions


@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
used to POST data back. used to POST data back.
It deliberately ignores GET requests (and other requests that are defined as It deliberately ignores GET requests (and other requests that are defined as
'safe' by :rfc:`7231`). These requests ought never to have any potentially 'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
dangerous side effects , and so a CSRF attack with a GET request ought to be potentially dangerous side effects, and so a CSRF attack with a GET request
harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
methods are also assumed to be unsafe, for maximum protection. as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
protection.
The CSRF protection cannot protect against man-in-the-middle attacks, so use The CSRF protection cannot protect against man-in-the-middle attacks, so use
:ref:`HTTPS <security-recommendation-ssl>` with :ref:`HTTPS <security-recommendation-ssl>` with
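Review bot: The two `:rfc:`7231#section-4.2.1`` references in this paragraph use the bare anchor form, which Sphinx renders with the fragment in the link text ("RFC 7231#section-4.2.1"), while the cookie and date hunks of this same patch use the explicit-title form `:rfc:`RFC 6265 <6265#section-4.1.2.6>``; pick one form for the whole change. Since the second reference sits two sentences after the first, it could also stay a plain "RFC 7231" once the first one carries the section anchor, rather than rendering the same long link twice.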


@ -755,8 +755,8 @@ track down every place that the URL might be created. Specify it once, in
.. note:: .. note::
The string you return from ``get_absolute_url()`` **must** contain only The string you return from ``get_absolute_url()`` **must** contain only
ASCII characters (required by the URI specification, :rfc:`2396`) and be ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
URL-encoded, if necessary. and be URL-encoded, if necessary.
Code and templates calling ``get_absolute_url()`` should be able to use the Code and templates calling ``get_absolute_url()`` should be able to use the
result directly without any further processing. You may wish to use the result directly without any further processing. You may wish to use the
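Review bot: This anchors deeper into RFC 2396, which is the obsoleted URI specification, whereas the last hunk of this patch moves a similar reference from the obsoleted RFC 2732 to RFC 3986. For consistency, point this note at RFC 3986 as well (its section 2, "Characters", covers the allowed character set and percent-encoding), e.g. `:rfc:`3986#section-2``, instead of linking a specific section of a superseded document.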


@ -823,9 +823,9 @@ Methods
JavaScript from having access to the cookie. JavaScript from having access to the cookie.
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
part of the :rfc:`6265` standard for cookies and can be a useful way to part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
mitigate the risk of a client-side script accessing the protected cookie and can be a useful way to mitigate the risk of a client-side script
data. accessing the protected cookie data.
* Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
to send this cookie when performing a cross-origin request. `SameSite`_ to send this cookie when performing a cross-origin request. `SameSite`_
isn't supported by all browsers, so it's not a replacement for Django's isn't supported by all browsers, so it's not a replacement for Django's
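Review bot: The identical HttpOnly sentence in the settings hunk later in this patch is anchored with the bare form `:rfc:`6265#section-4.1.2.6``, whereas here it gets the explicit title `:rfc:`RFC 6265 <6265#section-4.1.2.6>``; the two copies of this paragraph will render differently. Use the same form in both places, and consider whether the settings copy should simply `:ref:` to this one so the two do not drift again.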
@ -836,11 +836,11 @@ Methods
.. warning:: .. warning::
:rfc:`6265` states that user agents should support cookies of at least :rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
4096 bytes. For many browsers this is also the maximum size. Django support cookies of at least 4096 bytes. For many browsers this is also
will not raise an exception if there's an attempt to store a cookie of the maximum size. Django will not raise an exception if there's an
more than 4096 bytes, but many browsers will not set the cookie attempt to store a cookie of more than 4096 bytes, but many browsers
correctly. will not set the cookie correctly.
.. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None) .. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
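Review bot: Now that the warning links to the "Limits" section, it could also say what the 4096-byte figure measures: RFC 6265 section 6.1 counts the cookie's name, value and attributes together, while a reader of this warning may assume it is the value alone. A short parenthetical such as "(name, value and attributes combined)" would make clear exactly what Django is not checking.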


@ -2759,7 +2759,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
which sets this header is in use. which sets this header is in use.
This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port :rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`. number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.
.. setting:: USE_X_FORWARDED_PORT .. setting:: USE_X_FORWARDED_PORT
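Review bot: Swapping the `#page-7` anchor for `#section-5.3` is the right fix, since page numbers only exist in the plain-text rendering of the RFC. Note, though, that section 5.3 specifies the "host" parameter of the standardized `Forwarded` header, not `X-Forwarded-Host` itself, so "Per RFC 7239, the X-Forwarded-Host header can include the port" reads as if the RFC defines that header; "As with the Forwarded host parameter (RFC 7239 section 5.3), ..." would be more precise.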
@ -3108,8 +3108,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
cookie. cookie.
HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
the :rfc:`6265` standard for cookies and can be a useful way to mitigate the the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
risk of a client-side script accessing the protected cookie data. mitigate the risk of a client-side script accessing the protected cookie data.
This makes it less trivial for an attacker to escalate a cross-site scripting This makes it less trivial for an attacker to escalate a cross-site scripting
vulnerability into full hijacking of a user's session. There aren't many good vulnerability into full hijacking of a user's session. There aren't many good


@ -1417,7 +1417,8 @@ Format character Description Example output
the "c" formatter will not add timezone the "c" formatter will not add timezone
offset if value is a naive datetime offset if value is a naive datetime
(see :class:`datetime.tzinfo`). (see :class:`datetime.tzinfo`).
``r`` :rfc:`5322` formatted date. ``'Thu, 21 Dec 2000 16:01:07 +0200'`` ``r`` :rfc:`RFC 5322 <5322#section-3.3>` ``'Thu, 21 Dec 2000 16:01:07 +0200'``
formatted date.
``U`` Seconds since the Unix Epoch ``U`` Seconds since the Unix Epoch
(January 1 1970 00:00:00 UTC). (January 1 1970 00:00:00 UTC).
================ ======================================== ===================== ================ ======================================== =====================
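Review bot: The wrapped description cell only parses because the continuation row ("formatted date.") leaves the first column empty; that is correct as written but easy to break the next time the table is re-aligned. Consider keeping the description on one line, either by widening the description column or by using a shorter link title, so the simple-table layout does not depend on a blank-first-column continuation row.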


@ -713,8 +713,8 @@ escaping HTML.
.. function:: http_date(epoch_seconds=None) .. function:: http_date(epoch_seconds=None)
Formats the time to match the :rfc:`1123` date format as specified by HTTP Formats the time to match the :rfc:`1123#section-5.2.14` date format as
:rfc:`7231#section-7.1.1.1`. specified by HTTP :rfc:`7231#section-7.1.1.1`.
Accepts a floating point number expressed in seconds since the epoch in Accepts a floating point number expressed in seconds since the epoch in
UTC--such as that outputted by ``time.time()``. If set to ``None``, UTC--such as that outputted by ``time.time()``. If set to ``None``,
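Review bot: The new RFC 1123 anchor points at the SMTP-era date section (5.2.14), but the sentence already cites RFC 7231 section 7.1.1.1, which defines the HTTP date format itself (IMF-fixdate) and only mentions "RFC 1123" as the historical name from RFC 2616. Keeping the 1123 link is fine for readers coming from older material, but the sentence would be clearer as "the IMF-fixdate format of HTTP (RFC 7231 section 7.1.1.1), historically called the RFC 1123 date format".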


@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
an error code of ``'invalid'`` if it doesn't. an error code of ``'invalid'`` if it doesn't.
Loopback addresses and reserved IP spaces are considered valid. Literal Loopback addresses and reserved IP spaces are considered valid. Literal
IPv6 addresses (:rfc:`2732`) and unicode domains are both supported. IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
supported.
In addition to the optional arguments of its parent :class:`RegexValidator` In addition to the optional arguments of its parent :class:`RegexValidator`
class, ``URLValidator`` accepts an extra optional attribute: class, ``URLValidator`` accepts an extra optional attribute:
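Review bot: This hunk does more than add a section anchor: it replaces the obsoleted RFC 2732 with RFC 3986 section 3.2.2 ("Host", which defines the IP-literal form). That is a substantive reference change the commit message ("Used more specific links to RFCs") does not mention, so a word about it there would help future readers of the log, and the same obsoleted-to-current treatment could be applied to the RFC 2396 link in the `get_absolute_url()` note earlier in this patch.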