<feed xmlns='http://www.w3.org/2005/Atom'>
<title>django.git/tests/utils_tests/test_http.py, branch stable/5.2.x</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x</id>
<link rel='self' href='http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/'/>
<updated>2025-04-02T08:23:46Z</updated>
<entry>
<title>[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.</title>
<updated>2025-04-02T08:23:46Z</updated>
<author>
<name>Sarah Boyce</name>
<email>42296566+sarahboyce@users.noreply.github.com</email>
</author>
<published>2025-03-06T14:24:56Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=2cb311f7b069723027fb5def4044d1816d7d2afd'/>
<id>urn:sha1:2cb311f7b069723027fb5def4044d1816d7d2afd</id>
<content type='text'>
Thank you sw0rd1ight for the report.

Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
</content>
</entry>
<entry>
<title>Fixed #36023 -- Handled controls chars in content_disposition_header.</title>
<updated>2025-01-07T08:22:09Z</updated>
<author>
<name>Alex Vandiver</name>
<email>alex@chmrr.net</email>
</author>
<published>2024-12-06T15:47:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=8914b571eb5f93722b9741b1da9eb69347271b11'/>
<id>urn:sha1:8914b571eb5f93722b9741b1da9eb69347271b11</id>
<content type='text'>
To use the simple `filename="..."` form, the value must conform to the
official grammar from RFC6266[^1]:

    filename-parm       = "filename" "=" value
    value               = &lt;value, defined in [RFC2616], Section 3.6&gt;
                        ; token | quoted-string

The `quoted-string` definition comes from RFC 9110[^2]:

```
    quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text

The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs. Recipients that
process the value of a quoted-string MUST handle a quoted-pair as if
it were replaced by the octet following the backslash.

    quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
```

That is, quoted strings are able to express horizontal tabs, space
characters, and everything in the range from 0x21 to 0x7e, except for
0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be
escaped with their own `\`.

We ignore the case of `obs-text`, which is defined as the range
0x80-0xFF, since its presence is there for permissive parsing of
accidental high-bit characters, and it should not be generated by
conforming implementations.

Transform this character range into a regex and apply it in addition
to the "is ASCII" check.  This ensures that all simple filenames are
expressed in the simple format, and that all filenames with newlines
and other control characters are properly expressed with the
percent-encoded `filename*=...` form.

[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
</content>
</entry>
<entry>
<title>Refs #34986 -- Fixed mocking in utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.</title>
<updated>2023-11-28T05:19:38Z</updated>
<author>
<name>Nick Pope</name>
<email>nick@nickpope.me.uk</email>
</author>
<published>2023-11-21T17:13:08Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=6089230d3ec580f2f44e85f23962c14905fefcfd'/>
<id>urn:sha1:6089230d3ec580f2f44e85f23962c14905fefcfd</id>
<content type='text'>
Mocking in the `datetime` module can be tricky. In CPython the datetime
C module is used, but PyPy uses a pure Python implementation. This
caused issues with the prior approach to mocking `datetime.datetime`.

See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
</content>
</entry>
<entry>
<title>Refs #30116 -- Simplified tests related with dictionary order.</title>
<updated>2023-07-12T09:06:59Z</updated>
<author>
<name>Mariusz Felisiak</name>
<email>felisiak.mariusz@gmail.com</email>
</author>
<published>2023-07-12T09:06:59Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=4afaeb14c293725d7b2530788083fce1c120ff65'/>
<id>urn:sha1:4afaeb14c293725d7b2530788083fce1c120ff65</id>
<content type='text'>
Dicts preserve order since Python 3.6.</content>
</entry>
<entry>
<title>Fixed #34194 -- Added django.utils.http.content_disposition_header().</title>
<updated>2022-12-05T12:08:00Z</updated>
<author>
<name>Alex Vandiver</name>
<email>alex@chmrr.net</email>
</author>
<published>2022-11-30T20:09:49Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=cbce427c17b66faec7ced0639346dc6905a498f9'/>
<id>urn:sha1:cbce427c17b66faec7ced0639346dc6905a498f9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Updated documentation and comments for RFC updates.</title>
<updated>2022-11-10T12:52:17Z</updated>
<author>
<name>Nick Pope</name>
<email>nick@nickpope.me.uk</email>
</author>
<published>2022-11-04T12:33:09Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=9bd174b9a75299dce33e673a559f2b673399b971'/>
<id>urn:sha1:9bd174b9a75299dce33e673a559f2b673399b971</id>
<content type='text'>
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
</content>
</entry>
<entry>
<title>Updated vendored _urlsplit() to strip newline and tabs.</title>
<updated>2022-07-01T06:48:38Z</updated>
<author>
<name>Michael Manfre</name>
<email>mike@manfre.net</email>
</author>
<published>2022-06-30T00:39:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72'/>
<id>urn:sha1:03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72</id>
<content type='text'>
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
</content>
</entry>
<entry>
<title>Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.</title>
<updated>2022-06-28T07:42:47Z</updated>
<author>
<name>Mehrdad</name>
<email>mhrddmoradii@gmail.com</email>
</author>
<published>2022-06-24T18:46:34Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=d4d5427571b4bf3a21c902276c2a00215c2a37cc'/>
<id>urn:sha1:d4d5427571b4bf3a21c902276c2a00215c2a37cc</id>
<content type='text'>
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
</content>
</entry>
<entry>
<title>Refs #33173 -- Removed use of deprecated cgi module.</title>
<updated>2022-05-11T12:06:31Z</updated>
<author>
<name>Carlton Gibson</name>
<email>carlton.gibson@noumenal.es</email>
</author>
<published>2022-05-10T10:12:17Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=34e2148fc725e7200050f74130d7523e3cd8507a'/>
<id>urn:sha1:34e2148fc725e7200050f74130d7523e3cd8507a</id>
<content type='text'>
https://peps.python.org/pep-0594/#cgi
</content>
</entry>
<entry>
<title>Refs #33476 -- Reformatted code with Black.</title>
<updated>2022-02-07T19:37:05Z</updated>
<author>
<name>django-bot</name>
<email>ops@djangoproject.com</email>
</author>
<published>2022-02-03T19:24:19Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/django.git/commit/?id=9c19aff7c7561e3a82978a272ecdaad40dda5c00'/>
<id>urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00</id>
<content type='text'>
</content>
</entry>
</feed>
