<feed xmlns='http://www.w3.org/2005/Atom'>
<title>django.git/django/utils/http.py, branch main</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/django.git/atom?h=main</id>
<link rel='self' href='http://cgit.adnoto.dev/django.git/atom?h=main'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/'/>
<updated>2026-04-22T18:25:08Z</updated>
<entry>
<title>Fixed #36991 -- Raised BadRequest for invalid encodings in Content-Type headers.</title>
<updated>2026-04-22T18:25:08Z</updated>
<author>
<name>Dinesh</name>
<email>dineshthumma15@gmail.com</email>
</author>
<published>2026-03-21T17:21:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=dc467fdc3b5744cec71fab876c23a14013e2510b'/>
<id>urn:sha1:dc467fdc3b5744cec71fab876c23a14013e2510b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refs #35440 -- Optimized parse_header_parameters() for the simplest case.</title>
<updated>2026-04-08T21:30:05Z</updated>
<author>
<name>Pravin Kamble</name>
<email>iampbkamble@gmail.com</email>
</author>
<published>2026-01-13T14:51:50Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=09f27cc373eb1e6e5e8b286204809a79b61d55c3'/>
<id>urn:sha1:09f27cc373eb1e6e5e8b286204809a79b61d55c3</id>
<content type='text'>
Added a fast-path to parse_header_parameters
Benchmark results (50,000 iterations):
- Simple headers: ~73% improvement

Thanks Nick Pope (@ngnpope) for the review.
</content>
</entry>
<entry>
<title>Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.</title>
<updated>2025-11-26T20:17:46Z</updated>
<author>
<name>varunkasyap</name>
<email>varunkasyap@hotmail.com</email>
</author>
<published>2025-11-26T17:28:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=a8cf8c292cfee98fe6cc873ca5221935f1d02271'/>
<id>urn:sha1:a8cf8c292cfee98fe6cc873ca5221935f1d02271</id>
<content type='text'>
Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.
</content>
</entry>
<entry>
<title>Fixed #36705 -- Avoided string concatenation in utils.</title>
<updated>2025-11-07T19:06:42Z</updated>
<author>
<name>Kasyap Pentamaraju</name>
<email>vpentamaraju@webmd.net</email>
</author>
<published>2025-11-03T17:27:53Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=1c7db70e79dce82f50d5958da64ab8e2807a31df'/>
<id>urn:sha1:1c7db70e79dce82f50d5958da64ab8e2807a31df</id>
<content type='text'>
Repeated string concatenation performs poorly on PyPy.
Thanks Seokchan Yoon for the report.
</content>
</entry>
<entry>
<title>Fixed #36520 -- Reverted "Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlib's Message."</title>
<updated>2025-09-16T01:14:50Z</updated>
<author>
<name>Natalia</name>
<email>124304+nessita@users.noreply.github.com</email>
</author>
<published>2025-09-15T14:45:20Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=424e0d86973d88b402b55f20884938715aad740b'/>
<id>urn:sha1:424e0d86973d88b402b55f20884938715aad740b</id>
<content type='text'>
This partially reverts commit 9aabe7eae3eeb3e64c5a0f3687118cd806158550.

The simplification of parse_header_parameters using stdlib's Message
is reverted due to a performance regression. The check for the header
maximum length remains in place, per Security Team guidance.

Thanks to David Smith for reporting the regression, and Jacob Walls for
the review.
</content>
</entry>
<entry>
<title>Refs #36500 -- Rewrapped long docstrings and block comments via a script.</title>
<updated>2025-07-23T23:17:55Z</updated>
<author>
<name>django-bot</name>
<email>ops@djangoproject.com</email>
</author>
<published>2025-07-23T03:41:41Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=69a93a88edb56ba47f624dac7a21aacc47ea474f'/>
<id>urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f</id>
<content type='text'>
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
</content>
</entry>
<entry>
<title>Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.</title>
<updated>2025-04-02T08:21:33Z</updated>
<author>
<name>Sarah Boyce</name>
<email>42296566+sarahboyce@users.noreply.github.com</email>
</author>
<published>2025-03-06T14:24:56Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=39e2297210d9d2938c75fc911d45f0e863dc4821'/>
<id>urn:sha1:39e2297210d9d2938c75fc911d45f0e863dc4821</id>
<content type='text'>
Thank you sw0rd1ight for the report.
</content>
</entry>
<entry>
<title>Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlib's Message.</title>
<updated>2025-03-27T11:57:03Z</updated>
<author>
<name>Khudyakov Artem</name>
<email>khudyak.artem@gmail.com</email>
</author>
<published>2024-07-29T19:05:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=9aabe7eae3eeb3e64c5a0f3687118cd806158550'/>
<id>urn:sha1:9aabe7eae3eeb3e64c5a0f3687118cd806158550</id>
<content type='text'>
The `parse_header_parameters` function historically used Python's `cgi`
module (now deprecated). In 34e2148fc725e7200050f74130d7523e3cd8507a,
the logic was inlined to work around this deprecation (#33173). Later,
in d4d5427571b4bf3a21c902276c2a00215c2a37cc, the header parsing logic
was further cleaned up to align with `multipartparser.py` (#33697).

This change takes it a step further by replacing the copied `cgi` logic with
Python's `email.message.Message` API for a more robust and maintainable header
parsing implementation.

Thanks to Raphael Gaschignard for testing, and to Adam Johnson and Shai
Berger for reviews.

Co-authored-by: Ben Cail &lt;bcail@crossway.org&gt;
Co-authored-by: Natalia &lt;124304+nessita@users.noreply.github.com&gt;
</content>
</entry>
<entry>
<title>Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.</title>
<updated>2025-02-18T07:35:36Z</updated>
<author>
<name>Mariusz Felisiak</name>
<email>felisiak.mariusz@gmail.com</email>
</author>
<published>2025-02-18T07:35:36Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=efb7f9ced2dcf71294353596a265e3fd67faffeb'/>
<id>urn:sha1:efb7f9ced2dcf71294353596a265e3fd67faffeb</id>
<content type='text'>
datetime.UTC was added in Python 3.11.</content>
</entry>
<entry>
<title>Fixed #36023 -- Handled control chars in content_disposition_header.</title>
<updated>2025-01-07T08:22:09Z</updated>
<author>
<name>Alex Vandiver</name>
<email>alex@chmrr.net</email>
</author>
<published>2024-12-06T15:47:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=8914b571eb5f93722b9741b1da9eb69347271b11'/>
<id>urn:sha1:8914b571eb5f93722b9741b1da9eb69347271b11</id>
<content type='text'>
To use the simple `filename="..."` form, the value must conform to the
official grammar from RFC6266[^1]:

    filename-parm       = "filename" "=" value
    value               = &lt;value, defined in [RFC2616], Section 3.6&gt;
                        ; token | quoted-string

The `quoted-string` definition comes from RFC 9110[^2]:

```
    quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text

The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs. Recipients that
process the value of a quoted-string MUST handle a quoted-pair as if
it were replaced by the octet following the backslash.

    quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
```

That is, quoted strings are able to express horizontal tabs, space
characters, and everything in the range from 0x21 to 0x7e, except for
0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be
escaped with their own `\`.

We ignore the case of `obs-text`, which is defined as the range
0x80-0xFF, since its presence is there for permissive parsing of
accidental high-bit characters, and it should not be generated by
conforming implementations.

Transform this character range into a regex and apply it in addition
to the "is ASCII" check.  This ensures that all simple filenames are
expressed in the simple format, and that all filenames with newlines
and other control characters are properly expressed with the
percent-encoded `filename*=...` form.

[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
</content>
</entry>
</feed>
