<feed xmlns='http://www.w3.org/2005/Atom'>
<title>chango.git/django/utils/http.py, branch devmain</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/chango.git/atom?h=devmain</id>
<link rel='self' href='http://cgit.adnoto.dev/chango.git/atom?h=devmain'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/'/>
<updated>2026-06-08T23:06:46Z</updated>
<entry>
<title>Refs CVE-2026-48587 -- Added helper to properly split header values.</title>
<updated>2026-06-08T23:06:46Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2026-06-03T00:38:35Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=526b1b414d8e215bf627b5722df12a09346dbf6b'/>
<id>urn:sha1:526b1b414d8e215bf627b5722df12a09346dbf6b</id>
<content type='text'>
Extracted the repeated `split(",")` + per-token `.strip()` pattern into
a `split_header_value()` generator in django/utils/http.py. The previous
`cc_delim_re` regex only stripped whitespace adjacent to the comma
delimiter, leaving leading or trailing whitespace on the first and last
tokens. Now, `split_header_value()` strips every token fully, matching
RFC 9110's optional-whitespace rules.

Thanks to Shai Berger, Jacob Walls, and Sarah Boyce for reviews.
</content>
</entry>
<entry>
<title>Fixed #36991 -- Raised BadRequest for invalid encodings in Content-Type headers.</title>
<updated>2026-04-22T18:25:08Z</updated>
<author>
<name>Dinesh</name>
<email>dineshthumma15@gmail.com</email>
</author>
<published>2026-03-21T17:21:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=dc467fdc3b5744cec71fab876c23a14013e2510b'/>
<id>urn:sha1:dc467fdc3b5744cec71fab876c23a14013e2510b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refs #35440 -- Optimized parse_header_parameters() for the simplest case.</title>
<updated>2026-04-08T21:30:05Z</updated>
<author>
<name>Pravin Kamble</name>
<email>iampbkamble@gmail.com</email>
</author>
<published>2026-01-13T14:51:50Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=09f27cc373eb1e6e5e8b286204809a79b61d55c3'/>
<id>urn:sha1:09f27cc373eb1e6e5e8b286204809a79b61d55c3</id>
<content type='text'>
Added a fast-path to parse_header_parameters
Benchmark results (50,000 iterations):
- Simple headers: ~73% improvement

Thanks Nick Pope (@ngnpope) for the review.
</content>
</entry>
<entry>
<title>Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.</title>
<updated>2025-11-26T20:17:46Z</updated>
<author>
<name>varunkasyap</name>
<email>varunkasyap@hotmail.com</email>
</author>
<published>2025-11-26T17:28:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=a8cf8c292cfee98fe6cc873ca5221935f1d02271'/>
<id>urn:sha1:a8cf8c292cfee98fe6cc873ca5221935f1d02271</id>
<content type='text'>
Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.
</content>
</entry>
<entry>
<title>Fixed #36705 -- Avoided string concatenation in utils.</title>
<updated>2025-11-07T19:06:42Z</updated>
<author>
<name>Kasyap Pentamaraju</name>
<email>vpentamaraju@webmd.net</email>
</author>
<published>2025-11-03T17:27:53Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=1c7db70e79dce82f50d5958da64ab8e2807a31df'/>
<id>urn:sha1:1c7db70e79dce82f50d5958da64ab8e2807a31df</id>
<content type='text'>
Repeated string concatenation performs poorly on PyPy.
Thanks Seokchan Yoon for the report.
</content>
</entry>
<entry>
<title>Fixed #36520 -- Reverted "Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlid's Message."</title>
<updated>2025-09-16T01:14:50Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-09-15T14:45:20Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=424e0d86973d88b402b55f20884938715aad740b'/>
<id>urn:sha1:424e0d86973d88b402b55f20884938715aad740b</id>
<content type='text'>
This partially reverts commit 9aabe7eae3eeb3e64c5a0f3687118cd806158550.

The simplification of parse_header_parameters using stdlib's Message
is reverted due to a performance regression. The check for the header
maximum length remains in place, per Security Team guidance.

Thanks to David Smith for reporting the regression, and Jacob Walls for
the review.
</content>
</entry>
<entry>
<title>Refs #36500 -- Rewrapped long docstrings and block comments via a script.</title>
<updated>2025-07-23T23:17:55Z</updated>
<author>
<name>django-bot</name>
<email>ops@djangoproject.com</email>
</author>
<published>2025-07-23T03:41:41Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=69a93a88edb56ba47f624dac7a21aacc47ea474f'/>
<id>urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f</id>
<content type='text'>
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
</content>
</entry>
<entry>
<title>Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.</title>
<updated>2025-04-02T08:21:33Z</updated>
<author>
<name>Sarah Boyce</name>
<email>42296566+sarahboyce@users.noreply.github.com</email>
</author>
<published>2025-03-06T14:24:56Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=39e2297210d9d2938c75fc911d45f0e863dc4821'/>
<id>urn:sha1:39e2297210d9d2938c75fc911d45f0e863dc4821</id>
<content type='text'>
Thank you sw0rd1ight for the report.
</content>
</entry>
<entry>
<title>Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlid's Message.</title>
<updated>2025-03-27T11:57:03Z</updated>
<author>
<name>Khudyakov Artem</name>
<email>khudyak.artem@gmail.com</email>
</author>
<published>2024-07-29T19:05:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=9aabe7eae3eeb3e64c5a0f3687118cd806158550'/>
<id>urn:sha1:9aabe7eae3eeb3e64c5a0f3687118cd806158550</id>
<content type='text'>
The `parse_header_parameters` function historically used Python's `cgi`
module  (now deprecated). In 34e2148fc725e7200050f74130d7523e3cd8507a,
the logic was inlined to work around this deprecation ( #33173). Later,
in d4d5427571b4bf3a21c902276c2a00215c2a37cc, the header parsing logic
was further cleaned up to align with `multipartparser.py` (#33697).

This change takes it a step further by replacing the copied `cgi` logic with
Python's `email.message.Message` API for a more robust and maintainable header
parsing implementation.

Thanks to Raphael Gaschignard for testing, and to Adam Johnson and Shai
Berger for reviews.

Co-authored-by: Ben Cail &lt;bcail@crossway.org&gt;
Co-authored-by: Natalia &lt;124304+nessita@users.noreply.github.com&gt;
</content>
</entry>
<entry>
<title>Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.</title>
<updated>2025-02-18T07:35:36Z</updated>
<author>
<name>Mariusz Felisiak</name>
<email>felisiak.mariusz@gmail.com</email>
</author>
<published>2025-02-18T07:35:36Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=efb7f9ced2dcf71294353596a265e3fd67faffeb'/>
<id>urn:sha1:efb7f9ced2dcf71294353596a265e3fd67faffeb</id>
<content type='text'>
datetime.UTC was added in Python 3.11.</content>
</entry>
</feed>
