<feed xmlns='http://www.w3.org/2005/Atom'>
<title>chango.git/django/http/request.py, branch devmain</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/chango.git/atom?h=devmain</id>
<link rel='self' href='http://cgit.adnoto.dev/chango.git/atom?h=devmain'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/'/>
<updated>2026-06-03T11:37:26Z</updated>
<entry>
<title>Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions.</title>
<updated>2026-06-03T11:37:26Z</updated>
<author>
<name>Paul McMillan</name>
<email>paul@mcmillan.ws</email>
</author>
<published>2026-05-08T20:13:58Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=70d36515b9cc71700105a14b275583070d48b689'/>
<id>urn:sha1:70d36515b9cc71700105a14b275583070d48b689</id>
<content type='text'>
Made signed cookies derive their signer namespace from an injective
encoding of `(name, salt)` while preserving compatibility with legacy
`name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK.

Thanks Peng Zhou for the report, and Shai Berger, Markus Holterman,
Jake Howard, and Paul McMillan for reviews.

Co-authored-by: Jacob Walls &lt;jacobtylerwalls@gmail.com&gt;
Co-authored-by: Natalia &lt;124304+nessita@users.noreply.github.com&gt;
</content>
</entry>
<entry>
<title>Fixed #37103 -- Made HttpRequest.body handle malformed CONTENT_LENGTH.</title>
<updated>2026-06-02T09:06:28Z</updated>
<author>
<name>Lier0102</name>
<email>minehammer26@gmail.com</email>
</author>
<published>2026-05-17T11:15:39Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=ba70e1bcdd8dc879c7d5fc7a3d12b5831eb08540'/>
<id>urn:sha1:ba70e1bcdd8dc879c7d5fc7a3d12b5831eb08540</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed #36991 -- Raised BadRequest for invalid encodings in Content-Type headers.</title>
<updated>2026-04-22T18:25:08Z</updated>
<author>
<name>Dinesh</name>
<email>dineshthumma15@gmail.com</email>
</author>
<published>2026-03-21T17:21:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=dc467fdc3b5744cec71fab876c23a14013e2510b'/>
<id>urn:sha1:dc467fdc3b5744cec71fab876c23a14013e2510b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.</title>
<updated>2026-04-07T11:12:27Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2026-03-11T13:26:18Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=953c238058c0ce387a1a41cb491bfc1875d73ad0'/>
<id>urn:sha1:953c238058c0ce387a1a41cb491bfc1875d73ad0</id>
<content type='text'>
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.

This work adds a new check on the actual number of bytes consumed.

Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
</content>
</entry>
<entry>
<title>Fixed #36841 -- Made multipart parser class pluggable on HttpRequest.</title>
<updated>2026-02-10T22:59:02Z</updated>
<author>
<name>farhan</name>
<email>farhanalirazaazeemi@gmail.com</email>
</author>
<published>2026-01-05T19:34:39Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=7732f942a98a709750fc1fed2c69741183844a3c'/>
<id>urn:sha1:7732f942a98a709750fc1fed2c69741183844a3c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refs #36500 -- Rewrapped long docstrings and block comments via a script.</title>
<updated>2025-07-23T23:17:55Z</updated>
<author>
<name>django-bot</name>
<email>ops@djangoproject.com</email>
</author>
<published>2025-07-23T03:41:41Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=69a93a88edb56ba47f624dac7a21aacc47ea474f'/>
<id>urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f</id>
<content type='text'>
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
</content>
</entry>
<entry>
<title>Removed double spaces after periods and within phrases.</title>
<updated>2025-07-23T13:09:43Z</updated>
<author>
<name>Sarah Boyce</name>
<email>42296566+sarahboyce@users.noreply.github.com</email>
</author>
<published>2025-07-18T13:37:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=1ecf6889cabc9f3f60d3fdd651468cddd8f4da6e'/>
<id>urn:sha1:1ecf6889cabc9f3f60d3fdd651468cddd8f4da6e</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed #36447 -- Selected preferred media type based on quality.</title>
<updated>2025-06-16T07:25:25Z</updated>
<author>
<name>Jake Howard</name>
<email>git@theorangeone.net</email>
</author>
<published>2025-06-10T22:00:25Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=12c1557060fc94fe5e1fbddc4578a4e29d38f77c'/>
<id>urn:sha1:12c1557060fc94fe5e1fbddc4578a4e29d38f77c</id>
<content type='text'>
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.

Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.

Thank you to Anders Kaseorg for the report.
</content>
</entry>
<entry>
<title>Fixed #36446 -- Restored "q" in internal MediaType.params property.</title>
<updated>2025-06-09T20:37:40Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-06-09T12:59:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=cf5f36bf903a2854f5e395149cee707115b83744'/>
<id>urn:sha1:cf5f36bf903a2854f5e395149cee707115b83744</id>
<content type='text'>
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.

Thanks Anders Kaseorg for the report.

Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
</content>
</entry>
<entry>
<title>Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type parameters.</title>
<updated>2025-06-03T19:10:41Z</updated>
<author>
<name>Jake Howard</name>
<email>git@theorangeone.net</email>
</author>
<published>2025-05-27T16:00:29Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=c075508b4de8edf9db553b409f8a8ed2f26ecead'/>
<id>urn:sha1:c075508b4de8edf9db553b409f8a8ed2f26ecead</id>
<content type='text'>
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).

This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.

Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
</content>
</entry>
</feed>
