summaryrefslogtreecommitdiff
path: root/django/http
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2014-05-12 07:28:07 -0400
committerFlorian Apolloner <florian@apolloner.eu>2014-05-14 10:18:26 +0200
commit7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a (patch)
tree69c1ede3b8a3d552f56618132ac6186c7a17b14f /django/http
parent50f228ae7c7d5eb68c1544423dcb3dfa31f2dc74 (diff)
[1.7.x] Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'django/http')
-rw-r--r--django/http/__init__.py5
-rw-r--r--django/http/utils.py55
2 files changed, 2 insertions, 58 deletions
diff --git a/django/http/__init__.py b/django/http/__init__.py
index 5895c5e3ce..fc5bd180ad 100644
--- a/django/http/__init__.py
+++ b/django/http/__init__.py
@@ -6,8 +6,7 @@ from django.http.response import (HttpResponse, StreamingHttpResponse,
HttpResponseNotModified, HttpResponseBadRequest, HttpResponseForbidden,
HttpResponseNotFound, HttpResponseNotAllowed, HttpResponseGone,
HttpResponseServerError, Http404, BadHeaderError, JsonResponse)
-from django.http.utils import (fix_location_header,
- conditional_content_removal, fix_IE_for_attach, fix_IE_for_vary)
+from django.http.utils import fix_location_header, conditional_content_removal
__all__ = [
'SimpleCookie', 'parse_cookie', 'HttpRequest', 'QueryDict',
@@ -17,5 +16,5 @@ __all__ = [
'HttpResponseBadRequest', 'HttpResponseForbidden', 'HttpResponseNotFound',
'HttpResponseNotAllowed', 'HttpResponseGone', 'HttpResponseServerError',
'Http404', 'BadHeaderError', 'fix_location_header', 'JsonResponse',
- 'conditional_content_removal', 'fix_IE_for_attach', 'fix_IE_for_vary',
+ 'conditional_content_removal',
]
diff --git a/django/http/utils.py b/django/http/utils.py
index 68011ab253..90155cd2ed 100644
--- a/django/http/utils.py
+++ b/django/http/utils.py
@@ -39,58 +39,3 @@ def conditional_content_removal(request, response):
else:
response.content = b''
return response
-
-
-def fix_IE_for_attach(request, response):
- """
- This function will prevent Django from serving a Content-Disposition header
- while expecting the browser to cache it (only when the browser is IE). This
- leads to IE not allowing the client to download.
- """
- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
- return response
-
- offending_headers = ('no-cache', 'no-store')
- if response.has_header('Content-Disposition'):
- try:
- del response['Pragma']
- except KeyError:
- pass
- if response.has_header('Cache-Control'):
- cache_control_values = [value.strip() for value in
- response['Cache-Control'].split(',')
- if value.strip().lower() not in offending_headers]
-
- if not len(cache_control_values):
- del response['Cache-Control']
- else:
- response['Cache-Control'] = ', '.join(cache_control_values)
-
- return response
-
-
-def fix_IE_for_vary(request, response):
- """
- This function will fix the bug reported at
- http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global
- by clearing the Vary header whenever the mime-type is not safe
- enough for Internet Explorer to handle. Poor thing.
- """
- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
- return response
-
- # These mime-types that are decreed "Vary-safe" for IE:
- safe_mime_types = ('text/html', 'text/plain', 'text/sgml')
-
- # The first part of the Content-Type field will be the MIME type,
- # everything after ';', such as character-set, can be ignored.
- mime_type = response.get('Content-Type', '').partition(';')[0]
- if mime_type not in safe_mime_types:
- try:
- del response['Vary']
- except KeyError:
- pass
-
- return response