path: root/django/core/handlers
Age | Commit message | Author
2026-04-07 | Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest. | Jacob Walls
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.
2026-03-06 | Fixed #36940 -- Fixed script name edge case in ASGIRequest.path_info. | khadyottakale
Paths that happened to begin with the script name were inappropriately stripped, instead of checking that script name preceded a slash.
2026-02-03 | Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. | Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-01-31 | Refs #34118 -- Removed asgiref coroutine detection shims. | Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2025-11-07 | Refs #36315 -- Replaced manual task and cancellation handling with TaskGroup in ASGIHandler. | Thomas Grainger
2025-11-07 | Refs #36315 -- Used contextlib.closing() in ASGIHandler.handle(). | Thomas Grainger
2025-08-21 | Fixed #36399 -- Added support for multiple Cookie headers in HTTP/2 for ASGIRequest. | SaJH
Signed-off-by: SaJH <wogur981208@gmail.com>
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23 | Refs #36500 -- Shortened some long docstrings and comments. | Mike Edmunds
Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-06-18 | Fixed #36467 -- Removed leading whitespaces from Set-Cookie header values in WSGIHandler. | Lukas Komischke
This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-06-06 | Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() for consistency. | Natalia
2025-05-04 | Fixed #36281 -- Used async-safe write in ASGIHandler.read_body(). | 신우진
Thanks Carlton Gibson for reviews.
2025-01-18 | Fixed broken link in django/core/handlers/asgi.py comment. | Anders Kaseorg
2024-04-05 | Fixed #35354 -- Simplified ASGIRequest path handling. | Carlton Gibson
Following the ASGI HTTP Connection Scope docs[0], the provided `path` is already the correct value that Django requires. In combination with `root_path`, from which `script_name` is derived, the `path_info` variable is set. It's then redundant to re-calculate `path` from `script_name` and `path_info`. See also, a clarifying discussion on the ASGIref repo[1].
[0]: https://asgi.readthedocs.io/en/latest/specs/www.html#http-connection-scope
[1]: https://github.com/django/asgiref/issues/424
2024-01-31 | Fixed #35059 -- Ensured that ASGIHandler always sends the request_finished signal. | James Thorniley
Prior to this work, when async tasks that process the request are cancelled due to receiving an early "http.disconnect" ASGI message, the request_finished signal was not being sent, potentially leading to resource leaks (such as database connections). This branch ensures that the request_finished signal is sent even in the case of early termination of the response.
Regression in 64cea1e48f285ea2162c669208d95188b32bbc82.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2023-09-11 | Fixed #34752 -- Fixed handling ASGI http.disconnect for streaming responses. | Sam Toyer
2023-04-12 | Fixed #34484, Refs #34482 -- Reverted "Fixed #29186 -- Fixed pickling HttpRequest and subclasses." | Mariusz Felisiak
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963. Thanks Adam Johnson and Márton Salomváry for reports.
2023-04-12 | Fixed #34394 -- Added FORCE_SCRIPT_NAME handling to ASGIRequest. | sarahboyce
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2023-04-03 | Fixed #33738 -- Allowed handling ASGI http.disconnect in long-lived requests. | th3nn3ss
2023-03-07 | Fixed #32172 -- Adapted signals to allow async handlers. | Jon Janzen
co-authored-by: kozzztik <kozzztik@mail.ru>
co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2023-02-14 | Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. | Markus Holtermann
Thanks to Jakob Ackermann for the report.
2023-01-18 | Refs #34233 -- Used str.removeprefix()/removesuffix(). | Mariusz Felisiak
2023-01-18 | Refs #34233 -- Used aiter() and anext(). | Nick Pope
Available since Python 3.10.
2023-01-18 | Fixed #34233 -- Dropped support for Python 3.8 and 3.9. | Mariusz Felisiak
2023-01-05 | Fixed #33865 -- Optimized LimitedStream wrapper. | Nick Pope
The current implementation of LimitedStream is slow because .read() performs an extra copy into a buffer and .readline() performs two extra copies. The stream being wrapped is already typically a BytesIO object so this is unnecessary.
This implementation has largely been untouched for 12 years and, inspired by a simpler implementation in werkzeug, it was possible to achieve the following performance improvement:
LimitedStream.read() (single line):
  Mean +- std dev: [bench_limitedstream-main] 286 ns +- 6 ns -> [bench_limitedstream-patch] 227 ns +- 6 ns: 1.26x faster
LimitedStream.readline() (single line):
  Mean +- std dev: [bench_limitedstream-main] 507 ns +- 11 ns -> [bench_limitedstream-patch] 232 ns +- 8 ns: 2.18x faster
LimitedStream.read(8192) (single line):
  Mean +- std dev: [bench_limitedstream-main] 360 ns +- 8 ns -> [bench_limitedstream-patch] 297 ns +- 6 ns: 1.21x faster
LimitedStream.readline(8192) (single line):
  Mean +- std dev: [bench_limitedstream-main] 602 ns +- 10 ns -> [bench_limitedstream-patch] 305 ns +- 10 ns: 1.98x faster
LimitedStream.read() (multiple lines):
  Mean +- std dev: [bench_limitedstream-main] 290 ns +- 5 ns -> [bench_limitedstream-patch] 236 ns +- 6 ns: 1.23x faster
LimitedStream.readline() (multiple lines):
  Mean +- std dev: [bench_limitedstream-main] 517 ns +- 19 ns -> [bench_limitedstream-patch] 239 ns +- 7 ns: 2.16x faster
LimitedStream.read(8192) (multiple lines):
  Mean +- std dev: [bench_limitedstream-main] 363 ns +- 8 ns -> [bench_limitedstream-patch] 311 ns +- 11 ns: 1.17x faster
LimitedStream.readline(8192) (multiple lines):
  Mean +- std dev: [bench_limitedstream-main] 601 ns +- 12 ns -> [bench_limitedstream-patch] 308 ns +- 7 ns: 1.95x faster
Geometric mean: 1.59x faster
2022-12-22 | Fixed #33735 -- Added async support to StreamingHttpResponse. | Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-20 | Refs #34118 -- Adopted asgiref coroutine detection shims. | Carlton Gibson
Thanks to Mariusz Felisiak for review.
2022-11-10 | Updated documentation and comments for RFC updates. | Nick Pope
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-09-14 | Fixed #29186 -- Fixed pickling HttpRequest and subclasses. | Anvesh Mishra
2022-06-09 | Fixed #33755 -- Moved ASGI body-file cleanup into request class. | Jonas Lundberg
2022-05-31 | Fixed #33754 -- Fixed crash with prematurely closed ASGI request body. | Jonas Lundberg
Regression in 441103a04d1d167dc870eaaf90e3fba974f67c93.
2022-05-10 | Refs #33173, Refs #30451 -- Fixed ResourceWarning from unclosed body files in ASGI handler on Python 3.11+. | Mariusz Felisiak
2022-03-17 | Prevented initialization of unused database connections. | Florian Apolloner
2022-02-09 | Fixed #33495 -- Improved debug logging message about adapting handlers for middlewares. | Aaron Chong
It's the wrapped handler that's adapted to the wrapping middleware.
2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2022-01-18 | Removed unused buf_size argument to LimitedStream(). | Nick Pope
Unused since its introduction in 269e921756371bee6d35a967bc2ffe84d1ae39eb.
2022-01-12 | Changed django.utils.log.log_response() to take exception instance. | Adam Johnson
There's little point retrieving a fresh reference to the exception in the legacy tuple format, when it's all available via the exception instance we already have.
2022-01-12 | Added exception to SuspiciousOperation logging. | Adam Johnson
This allows better debugging and filtering of errors.
2021-10-18 | Refs #32956 -- Changed docs to treat the acronym HTTP phonetically. | David Smith
2021-07-29 | Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate. | David Smith
2021-07-01 | Fixed #32889 -- Allowed per-request sync_to_async context in ASGIHandler. | Allan Feldman
By using asgiref's ThreadSensitiveContext context manager, requests will be able to execute independently of other requests when sync work is involved. Prior to this commit, a single global thread was used to execute any sync work independent of the request from which that work was scheduled. This could result in contention for the global sync thread in the case of a slow sync function. Requests are now isolated to their own sync thread.
2021-01-19 | Removed unreachable SystemExit check. | Adam Johnson
This check dates back to Python <2.5, before Python introduced BaseException to prevent exactly unwarranted catching of SystemExit (and others). response_for_exception() is only called under `except Exception` or `except Http404` so it's now impossible for a SystemExit instance to reach the branch.
2020-12-29 | Fixed #32299 -- Prevented mutating handlers when processing middlewares marking as unused in an async context. | Mariusz Felisiak
Thanks Hubert Bielenia for the report.
2020-10-27 | Fixed #32128 -- Added asgiref 3.3 compatibility. | Carlton Gibson
Thread sensitive parameter is True by default from asgiref v3.3.0. Added an explicit thread_sensitive=False to previously implicit uses.
2020-09-09 | Fixed #31962 -- Made SessionMiddleware raise SessionInterrupted when session destroyed while request is processing. | Hasan Ramezani
2020-06-22 | Removed unused param_dict return from URLResolver.resolve_error_handler(). | Adam Johnson
Unused since its introduction in ed114e15106192b22ebb78ef5bf5bce72b419d13.
2020-05-28 | Refs #31040, Refs #31224 -- Prevented cycles in exceptions chain. | Mariusz Felisiak
Async exception handling was raising an exception that was creating a cycle in the exception chain (by re-raising an exception in sync_to_async that was already being handled). Thanks Chris Jerdonek for detailed analysis.
2020-05-13 | Updated logging calls to use arguments instead of string interpolation. | François Freitag
2020-05-06 | Fixed #31515 -- Made ASGIHandler dispatch lifecycle signals with thread sensitive. | Carlton Gibson