<feed xmlns='http://www.w3.org/2005/Atom'>
<title>django.git/django/utils/http.py, branch 6.0.2</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/django.git/atom?h=6.0.2</id>
<link rel='self' href='http://cgit.adnoto.dev/django.git/atom?h=6.0.2'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/'/>
<updated>2025-11-26T20:19:18Z</updated>
<entry>
<title>[6.0.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.</title>
<updated>2025-11-26T20:19:18Z</updated>
<author>
<name>varunkasyap</name>
<email>varunkasyap@hotmail.com</email>
</author>
<published>2025-11-26T17:28:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=ce7d65fc8156e6b1e2163c3988eecbf214a8b031'/>
<id>urn:sha1:ce7d65fc8156e6b1e2163c3988eecbf214a8b031</id>
<content type='text'>
Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
</content>
</entry>
<entry>
<title>Fixed #36520 -- Reverted "Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlib's Message."</title>
<updated>2025-09-16T01:14:50Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-09-15T14:45:20Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=424e0d86973d88b402b55f20884938715aad740b'/>
<id>urn:sha1:424e0d86973d88b402b55f20884938715aad740b</id>
<content type='text'>
This partially reverts commit 9aabe7eae3eeb3e64c5a0f3687118cd806158550.

The simplification of parse_header_parameters using stdlib's Message
is reverted due to a performance regression. The check for the header
maximum length remains in place, per Security Team guidance.

Thanks to David Smith for reporting the regression, and Jacob Walls for
the review.
</content>
</entry>
<entry>
<title>Refs #36500 -- Rewrapped long docstrings and block comments via a script.</title>
<updated>2025-07-23T23:17:55Z</updated>
<author>
<name>django-bot</name>
<email>ops@djangoproject.com</email>
</author>
<published>2025-07-23T03:41:41Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=69a93a88edb56ba47f624dac7a21aacc47ea474f'/>
<id>urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f</id>
<content type='text'>
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
</content>
</entry>
<entry>
<title>Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.</title>
<updated>2025-04-02T08:21:33Z</updated>
<author>
<name>Sarah Boyce</name>
<email>42296566+sarahboyce@users.noreply.github.com</email>
</author>
<published>2025-03-06T14:24:56Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=39e2297210d9d2938c75fc911d45f0e863dc4821'/>
<id>urn:sha1:39e2297210d9d2938c75fc911d45f0e863dc4821</id>
<content type='text'>
Thank you sw0rd1ight for the report.
</content>
</entry>
<entry>
<title>Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlib's Message.</title>
<updated>2025-03-27T11:57:03Z</updated>
<author>
<name>Khudyakov Artem</name>
<email>khudyak.artem@gmail.com</email>
</author>
<published>2024-07-29T19:05:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=9aabe7eae3eeb3e64c5a0f3687118cd806158550'/>
<id>urn:sha1:9aabe7eae3eeb3e64c5a0f3687118cd806158550</id>
<content type='text'>
The `parse_header_parameters` function historically used Python's `cgi`
module (now deprecated). In 34e2148fc725e7200050f74130d7523e3cd8507a,
the logic was inlined to work around this deprecation (#33173). Later,
in d4d5427571b4bf3a21c902276c2a00215c2a37cc, the header parsing logic
was further cleaned up to align with `multipartparser.py` (#33697).

This change takes it a step further by replacing the copied `cgi` logic with
Python's `email.message.Message` API for a more robust and maintainable header
parsing implementation.

Thanks to Raphael Gaschignard for testing, and to Adam Johnson and Shai
Berger for reviews.

Co-authored-by: Ben Cail &lt;bcail@crossway.org&gt;
Co-authored-by: Natalia &lt;124304+nessita@users.noreply.github.com&gt;
</content>
</entry>
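An added example, not code from Django or from the commit above, showing the kind of delegation the message describes: a parse_header_parameters function built on email.message.Message, whose get_params() copes with quoted-string values, backslash quoted-pairs and RFC 2231 extended parameters (name*=charset'language'%xx) without hand-copied cgi-style parsing. The function name mirrors Django's; the body and the sample header values are this example's own.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value


def parse_header_parameters(line):
    """Split a header value such as ``text/html; charset="utf-8"`` into its
    main value and a dict of lower-cased parameter names.

    Example implementation, not Django's: parsing is delegated to
    email.message.Message.get_params(), which handles quoted-string values,
    backslash quoted-pairs and RFC 2231 extended parameters
    (``name*=charset'language'%xx``) in place of hand-copied cgi logic.
    """
    msg = Message()
    # Message only parses parameters out of a stored header, so attach the
    # value under a header name; the name itself does not affect the result.
    msg["content-type"] = line
    params = msg.get_params()
    if not params:
        return "", {}
    main_value = params[0][0].strip().lower()
    pdict = {}
    for name, value in params[1:]:
        # RFC 2231 values arrive as (charset, language, text) tuples;
        # collapse_rfc2231_value() decodes them and passes plain str through.
        pdict[name.lower()] = collapse_rfc2231_value(value)
    return main_value, pdict


if __name__ == "__main__":
    # Constructed sample header values.
    for sample in (
        'text/html; charset="utf-8"',
        'Attachment; FileName="a\\"b.txt"',
        "attachment; filename*=UTF-8''%e2%82%ac.txt",
        "multipart/form-data; boundary=abc123",
    ):
        print(repr(sample), "->", parse_header_parameters(sample))
```

The third sample is the RFC 2231 form that a hand-rolled splitter usually gets wrong: Message percent-decodes the octets and applies the declared charset, so the caller sees the decoded filename rather than the raw encoded token.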
<entry>
<title>Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.</title>
<updated>2025-02-18T07:35:36Z</updated>
<author>
<name>Mariusz Felisiak</name>
<email>felisiak.mariusz@gmail.com</email>
</author>
<published>2025-02-18T07:35:36Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=efb7f9ced2dcf71294353596a265e3fd67faffeb'/>
<id>urn:sha1:efb7f9ced2dcf71294353596a265e3fd67faffeb</id>
<content type='text'>
datetime.UTC was added in Python 3.11.</content>
</entry>
<entry>
<title>Fixed #36023 -- Handled control chars in content_disposition_header.</title>
<updated>2025-01-07T08:22:09Z</updated>
<author>
<name>Alex Vandiver</name>
<email>alex@chmrr.net</email>
</author>
<published>2024-12-06T15:47:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=8914b571eb5f93722b9741b1da9eb69347271b11'/>
<id>urn:sha1:8914b571eb5f93722b9741b1da9eb69347271b11</id>
<content type='text'>
To use the simple `filename="..."` form, the value must conform to the
official grammar from RFC6266[^1]:

    filename-parm       = "filename" "=" value
    value               = &lt;value, defined in [RFC2616], Section 3.6&gt;
                        ; token | quoted-string

The `quoted-string` definition comes from RFC 9110[^2]:

```
    quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text

The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs. Recipients that
process the value of a quoted-string MUST handle a quoted-pair as if
it were replaced by the octet following the backslash.

    quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
```

That is, quoted strings are able to express horizontal tabs, space
characters, and everything in the range from 0x21 to 0x7e, except for
0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be
escaped with their own `\`.

We ignore the case of `obs-text`, which is defined as the range
0x80-0xFF, since its presence is there for permissive parsing of
accidental high-bit characters, and it should not be generated by
conforming implementations.

Transform this character range into a regex and apply it in addition
to the "is ASCII" check.  This ensures that all simple filenames are
expressed in the simple format, and that all filenames with newlines
and other control characters are properly expressed with the
percent-encoded `filename*=...` form.

[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
</content>
</entry>
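An added example, not Django's own code, of the rule the commit message above describes: a regex for the RFC 9110 quoted-string character range decides, together with the ASCII check, whether a filename can be sent in the simple filename="..." form or must be percent-encoded into the RFC 6266 filename*=utf-8''... form. The function name, its signature and the sample filenames (including one carrying a CR/LF header-injection attempt) are this example's own.

```python
import re
from urllib.parse import quote

# Characters a quoted-string may carry per RFC 9110: HTAB, SP and 0x21-0x7E.
# DQUOTE (0x22) and backslash (0x5C) are inside that range but must be sent
# as quoted-pairs, which the escaping below takes care of. obs-text
# (0x80-0xFF) is deliberately excluded, as the commit message explains.
_QUOTED_STRING_CHARS = re.compile(r"[\t\x20-\x7e]*")


def content_disposition(as_attachment, filename):
    """Return a Content-Disposition header value for ``filename``.

    Hypothetical helper written for this example. ASCII names made only of
    quoted-string characters use the simple ``filename="..."`` form; any
    other name, including one carrying CR, LF or other control characters,
    goes out percent-encoded in the ``filename*=utf-8''...`` form, so a
    header-injection attempt never reaches the wire unescaped.
    """
    disposition = "attachment" if as_attachment else "inline"
    if not filename:
        return disposition
    # The "is ASCII" check plus the quoted-string regex, as the message says.
    if filename.isascii() and _QUOTED_STRING_CHARS.fullmatch(filename):
        # Escape backslash first so the escape added for DQUOTE is not
        # re-escaped afterwards.
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        return f'{disposition}; filename="{escaped}"'
    # quote() leaves "/" unescaped by default; safe="" encodes it too, so a
    # path separator in a user-supplied name cannot pass through untouched.
    encoded = quote(filename, safe="")
    return f"{disposition}; filename*=utf-8''{encoded}"


if __name__ == "__main__":
    # Constructed sample filenames.
    for name in (
        "report.pdf",
        'a"b\\c.txt',
        "a\tb.txt",
        "evil\r\nX-Injected: 1",
        "a\x7fb",
        "€.txt",
    ):
        print(repr(name), "->", content_disposition(True, name))
```

Tab is the one control character the simple form legitimately carries (HTAB is in qdtext); everything below 0x20, DEL and any non-ASCII octet falls through to the percent-encoded form, where CR and LF become %0D%0A and can no longer terminate the header.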
<entry>
<title>Fixed #35467 -- Replaced urlparse with urlsplit where appropriate.</title>
<updated>2024-05-29T13:48:27Z</updated>
<author>
<name>Jake Howard</name>
<email>RealOrangeOne@users.noreply.github.com</email>
</author>
<published>2024-05-29T13:48:27Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=ff308a06047cd60806d604a7cf612e5656ee2ac9'/>
<id>urn:sha1:ff308a06047cd60806d604a7cf612e5656ee2ac9</id>
<content type='text'>
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.

Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).</content>
</entry>
<entry>
<title>Refs #34986 -- Fixed mocking in utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.</title>
<updated>2023-11-28T05:19:38Z</updated>
<author>
<name>Nick Pope</name>
<email>nick@nickpope.me.uk</email>
</author>
<published>2023-11-21T17:13:08Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=6089230d3ec580f2f44e85f23962c14905fefcfd'/>
<id>urn:sha1:6089230d3ec580f2f44e85f23962c14905fefcfd</id>
<content type='text'>
Mocking in the `datetime` module can be tricky. In CPython the datetime
C module is used, but PyPy uses a pure Python implementation. This
caused issues with the prior approach to mocking `datetime.datetime`.

See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
</content>
</entry>
<entry>
<title>Refs #34233 -- Used str.removeprefix()/removesuffix().</title>
<updated>2023-01-18T18:11:18Z</updated>
<author>
<name>Mariusz Felisiak</name>
<email>felisiak.mariusz@gmail.com</email>
</author>
<published>2023-01-18T18:11:18Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=23e886886249ebe8f80a48b0d25fbb5308eeb06f'/>
<id>urn:sha1:23e886886249ebe8f80a48b0d25fbb5308eeb06f</id>
<content type='text'>
</content>
</entry>
</feed>
