django.git/tests/asgi/tests.py, branch 6.0.4 django http://cgit.adnoto.dev/django.git/atom?h=6.0.4 2026-04-07T11:22:54Z [6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests. 2026-04-07T11:22:54Z Natalia 124304+nessita@users.noreply.github.com 2026-03-11T13:26:18Z urn:sha1:393dbc53e848876fdba92fbf02e10ee6a6eace6b The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main. [6.0.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. 2026-04-07T11:20:07Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-22T22:01:46Z urn:sha1:a623c3982857e80324448f85c7faf9a6710330ef Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main. [6.0.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. 2026-02-03T13:00:14Z Jake Howard git@theorangeone.net 2026-01-14T15:25:45Z urn:sha1:972dbdd4f7f69e9c405e6fe12a1b90e4713c1611 Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews. Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main. Fixed #36399 -- Added support for multiple Cookie headers in HTTP/2 for ASGIRequest. 2025-08-21T14:48:54Z SaJH wogur981208@gmail.com 2025-08-20T13:54:46Z urn:sha1:f2a6c0477fd95518ffb4fcea8e655a9062874bd2 Signed-off-by: SaJH <wogur981208@gmail.com> Refs #36467 -- Added test for Set-Cookie header values in ASGIHandler. 2025-06-18T09:25:14Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-06-18T06:55:15Z urn:sha1:1cd91d5d4bfb65ea7b5c7177310f849d05037609 Fixed #36281 -- Used async-safe write in ASGIHandler.read_body(). 2025-05-04T12:53:08Z 신우진 zebra0345@naver.com 2025-04-08T07:20:37Z urn:sha1:1fb3f57e81239a75eb8f873b392e11534c041fdc Thanks Carlton Gibson for reviews. Fixed warnings per flake8 7.2.0. 2025-03-30T15:54:15Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-03-30T15:54:15Z urn:sha1:281910ff8e9ae98fa78ee5d26ae3f0b713ccf418 https://github.com/PyCQA/flake8/releases/tag/7.2.0 Refs #33735 -- Captured stderr during ASGITest.test_file_response. 2024-11-27T10:00:05Z Jacob Walls jacobtylerwalls@gmail.com 2024-11-23T21:43:38Z urn:sha1:a5bc0cfd35c50d3446215c0674e60786d9e498d1 Refs #35059 -- Used asyncio.Event in ASGITest.test_asyncio_cancel_error to enforce specific interleaving. 2024-05-28T17:36:34Z Carlton Gibson carlton.gibson@noumenal.es 2024-05-28T17:36:34Z urn:sha1:f4a08b6ddfcacadfe9ff8364bf1c6c54f5dd370f Sleep call leads to a hard to trace error in CI. Using an Event is more deterministic, and should be less prone to environment variations. Bug in 11393ab1316f973c5fbb534305750740d909b4e4. Fixed #35059 -- Ensured that ASGIHandler always sends the request_finished signal. 2024-01-31T17:40:57Z James Thorniley james.thorniley@mixcloud.com 2024-01-04T13:14:30Z urn:sha1:11393ab1316f973c5fbb534305750740d909b4e4 Prior to this work, when async tasks that process the request are cancelled due to receiving an early "http.disconnect" ASGI message, the request_finished signal was not being sent, potentially leading to resource leaks (such as database connections). This branch ensures that the request_finished signal is sent even in the case of early termination of the response. Regression in 64cea1e48f285ea2162c669208d95188b32bbc82. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>