path: root/django/core/servers
Age | Commit message | Author
2025-10-20 | Fixed #36470 -- Prevented log injection in runserver when handling NOT FOUND. | YashRaj1506
Migrated `WSGIRequestHandler.log_message()` to use a more robust `log_message()` helper, which was based off `log_response()` via factoring out the common bits.
Refs CVE-2025-48432.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2023-12-31 | Fixed #35051 -- Prevented runserver from removing non-zero Content-Length for HEAD requests. | Paul Bailey
2023-02-10 | Fixed #32813 -- Made runserver display port after binding. | Dhanush
Thanks Florian Apolloner for the review.
2023-01-27 | Fixed #28054 -- Made runserver not return response body for HEAD requests. | Sarah Boyce
Co-authored-by: jannschu <jannik.schuerg@posteo.de>
2023-01-05 | Fixed #33865 -- Optimized LimitedStream wrapper. | Nick Pope
The current implementation of LimitedStream is slow because .read() performs an extra copy into a buffer and .readline() performs two extra copies. The stream being wrapped is already typically a BytesIO object so this is unnecessary.
This implementation has largely been untouched for 12 years and, inspired by a simpler implementation in werkzeug, it was possible to achieve the following performance improvement:
LimitedStream.read() (single line): Mean +- std dev: [bench_limitedstream-main] 286 ns +- 6 ns -> [bench_limitedstream-patch] 227 ns +- 6 ns: 1.26x faster
LimitedStream.readline() (single line): Mean +- std dev: [bench_limitedstream-main] 507 ns +- 11 ns -> [bench_limitedstream-patch] 232 ns +- 8 ns: 2.18x faster
LimitedStream.read(8192) (single line): Mean +- std dev: [bench_limitedstream-main] 360 ns +- 8 ns -> [bench_limitedstream-patch] 297 ns +- 6 ns: 1.21x faster
LimitedStream.readline(8192) (single line): Mean +- std dev: [bench_limitedstream-main] 602 ns +- 10 ns -> [bench_limitedstream-patch] 305 ns +- 10 ns: 1.98x faster
LimitedStream.read() (multiple lines): Mean +- std dev: [bench_limitedstream-main] 290 ns +- 5 ns -> [bench_limitedstream-patch] 236 ns +- 6 ns: 1.23x faster
LimitedStream.readline() (multiple lines): Mean +- std dev: [bench_limitedstream-main] 517 ns +- 19 ns -> [bench_limitedstream-patch] 239 ns +- 7 ns: 2.16x faster
LimitedStream.read(8192) (multiple lines): Mean +- std dev: [bench_limitedstream-main] 363 ns +- 8 ns -> [bench_limitedstream-patch] 311 ns +- 11 ns: 1.17x faster
LimitedStream.readline(8192) (multiple lines): Mean +- std dev: [bench_limitedstream-main] 601 ns +- 12 ns -> [bench_limitedstream-patch] 308 ns +- 7 ns: 1.95x faster
Geometric mean: 1.59x faster
2022-02-14 | Refs #25684 -- Removed double newline from request/response output of runserver. | rafrafek
Follow up to 0bc5cd628042bf0a44df60a93085a4f991a84dfb.
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2021-04-12 | Fixed #32416 -- Made ThreadedWSGIServer close connections after each thread. | Chris Jerdonek
ThreadedWSGIServer is used by LiveServerTestCase.
2021-01-16 | Fixed #32265, Refs #32355 -- Removed unnecessary ServerHandler.handle_error(). | Mariusz Felisiak
ConnectionAbortedError, BrokenPipeError, ConnectionResetError raised from SocketServer.BaseServer.finish_request() are already suppressed by wsgiref.handlers.BaseHandler.run() in Python 3.7+, see https://github.com/python/cpython/commit/47ffc1a9f6fab1c17cdcc325d4af066317369ed7
2020-12-14 | Fixed #32240 -- Made runserver suppress ConnectionAbortedError/ConnectionResetError errors. | Petter Strandmark
See https://bugs.python.org/issue27682 and https://github.com/python/cpython/pull/9713
2019-07-10 | Fixed #30619 -- Made runserver --nothreading use single threaded WSGIServer. | atsuo ishimoto
Browsers often use multiple connections with Connection: keep-alive. If --nothreading is specified, the WSGI server cannot accept new connections until the old connection is closed, causing hangs. Force Connection: close when --nothreading option is used.
2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. | Jon Dufresne
Used more specific errors (e.g. FileExistsError) as appropriate.
2018-12-20 | Refs #30015 -- Added 2.1.5 release note and removed 'we' in comments. | Carlton Gibson
2018-12-19 | Fixed #30015 -- Ensured request body is properly consumed for keep-alive connections. | Konstantin Alekseev
2018-11-10 | Fixed keep-alive support in manage.py runserver. | Florian Apolloner
Ticket #25619 changed the default protocol to HTTP/1.1 but did not properly implement keep-alive. As a "fix" keep-alive was disabled in ticket #28440 to prevent clients from hanging (they expect the server to send more data if the connection is not closed and there is no content length set).
The combination of those two fixes resulted in yet another problem: HTTP/1.1 by default allows a client to assume that keep-alive is supported unless the server disables it via 'Connection: close' -- see RFC2616 8.1.2.1 for details on persistent connection negotiation. Now if the client receives a response from Django without 'Connection: close' and immediately sends a new request (on the same tcp connection) before our server closes the tcp connection, it will error out at some point because the connection does get closed a few milliseconds later.
This patch fixes the mentioned issues by always sending 'Connection: close' if we cannot determine a content length. The code is inefficient in the sense that it does not allow for persistent connections when chunked responses are used, but that should not really cause any problems (Django does not generate those) and it only affects the development server anyways.
Refs #25619, #28440.
2017-12-06 | Fixed #28893 -- Removed unnecessary dict.items() calls. | Tim Graham
2017-09-12 | Fixed #28440 -- Fixed WSGIServer hang on responses without a Content-Length. | Tom
Disabled keep-alive to fix the regression in e6065c7b8363202c5eb13ba10c97a8c24d014b45.
2017-02-23 | Fixed #25619 -- Made runserver serve with HTTP 1.1 protocol | Claude Paroz
Thanks Tim Graham for the review.
2017-02-21 | Refs #27656 -- Updated django.core docstring verbs according to PEP 257. | Anton Samarchyan
2017-02-11 | Removed WSGIServer.server_bind() identical to parent version | Claude Paroz
The method customization was removed in 2ca00faa9137.
2017-02-09 | Fixed #20238 -- Added threading support to LiveServerTestCase. | Nadège Michel
2017-02-01 | Refs #23919 -- Replaced kwargs.pop() with keyword-only arguments. | Vytis Banaitis
2017-01-25 | Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand
2017-01-22 | Refs #23919 -- Replaced six.reraise by raise | Claude Paroz
2017-01-21 | Refs #23919 -- Removed misc references to Python 2. | Tim Graham
2017-01-20 | Refs #23919 -- Removed unneeded str() calls | Claude Paroz
2017-01-19 | Refs #23919 -- Removed str() conversion of type and method __name__. | Simon Charette
2017-01-19 | Refs #23919 -- Stopped inheriting from object to define new style classes. | Simon Charette
2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz
Thanks Tim Graham for the review.
2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz
2017-01-09 | Fixed #27705 -- Added protocol/server_cls attributes to runserver for extensibility. | David Sanders
2016-08-23 | Fixed #26971 -- Prevented crash with non-UTF-8 incoming PATH_INFO | Claude Paroz
Thanks Tim Graham and Loïc Bistuer for the reviews.
2016-01-11 | Fixed #25684 -- Made runserver use logging for request/response output. | Flavio Curella
Thanks andreif for contributing to the patch.
2015-12-31 | Fixed #26011 -- Prevented random LiveServerTestCase test failures on Windows. | Marten Kenbeek
Prevented LiveServerTestCase from stealing ports used by concurrent processes on Windows.
2015-08-01 | Fixed #25204 -- Added missing space in runserver logging. | Tim Graham
2015-02-19 | Fixed typo in django.core.servers.basehttp message. | Alex Vidal
2015-02-05 | Removed old import aliases. | Tim Graham
2015-01-17 | Removed FastCGI support per deprecation timeline; refs #20766. | Tim Graham
2015-01-13 | Stripped headers containing underscores to prevent spoofing in WSGI environ. | Carl Meyer
This is a security fix. Disclosure following shortly. Thanks to Jedediah Smith for the report.
2015-01-02 | Fixed #24069 -- Made ServerHandler a new style class to fix super() call. | Andreas Pelme
2014-11-28 | Fixed #4444 - Made runserver suppress 'broken pipe' errors | Matthew Somerville
One handler in WSGIServer, to catch the error when raised from SocketServer.BaseServer's finish_request, and one in WSGIRequestHandler (by creating a subclass of ServerHandler), to catch the error when raised in wsgiref.handlers.BaseHandler's finish_response.
2014-10-16 | Fixed #19508 -- Implemented uri_to_iri as per RFC. | Anubhav Joshi
Thanks Loic Bistuer for helping in shaping the patch and Claude Paroz for the review.
2014-09-09 | Fixed #23398 -- Added helpful error message when runserver is accessed via HTTPS | Flavio Curella
2014-06-05 | Fixed #21773 -- made daemon threads default in the development server. | Moayad Mardini
Thanks clime for the report.
2014-05-28 | Fixed several typos in Django | Alex Gaynor
2014-03-30 | Moved ServerHandler helper class to tests. | Ramiro Morales
It has been only used in the builtin_servers tests since Django 1.4.
2014-02-08 | Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string(). | Berker Peksag
Thanks Aymeric Augustin for the suggestion and review.
2013-11-09 | Fixed #14800 -- Suppressed WSGIRequestHandler message filtering | Claude Paroz
Filtering out static file requests in runserver has been judged arbitrary and can hide some debugging-related activity. Thanks Roy Smith for the report and Aymeric Augustin for the review.
2013-11-02 | More attacking E302 violators | Alex Gaynor