Refs #36560, CVE-2026-35193 -- Replaced substring check on cache-control directives in UpdateCacheMiddleware.

Avoid false positives from hypothetical extension directives
that could be superstrings of the ones we are checking.

1 files changed, 4 insertions, 2 deletions

diff --git a/django/middleware/cache.py b/django/middleware/cache.py
index 8ac1178b12..60c219064a 100644
--- a/django/middleware/cache.py
+++ b/django/middleware/cache.py
@@ -56,6 +56,7 @@ from django.utils.cache import (
     learn_cache_key,
     patch_response_headers,
     patch_vary_headers,
+    split_header_value,
 )
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.http import parse_http_date_safe
@@ -106,8 +107,9 @@ class UpdateCacheMiddleware(MiddlewareMixin):
         # Don't cache responses when the Cache-Control header is set to
         # private, no-cache, or no-store.
         cache_control = response.get("Cache-Control", "").lower()
+        cache_control_parts = list(split_header_value(cache_control))
         if cache_control and any(
-            directive in cache_control
+            directive in cache_control_parts
             for directive in (
                 "private",
                 "no-cache",
@@ -137,7 +139,7 @@ class UpdateCacheMiddleware(MiddlewareMixin):
         # header, unless allowed by "public" per RFC 9111, Section 3.5. No
         # exceptions are made for "s-maxage" and "must-revalidate" since these
         # are not currently implemented by Django.
-        if request.headers.get("Authorization") and "public" not in cache_control:
+        if request.headers.get("Authorization") and "public" not in cache_control_parts:
             patch_vary_headers(response, ("Authorization",))
         if timeout and response.status_code == 200:
             cache_key = learn_cache_key(