summaryrefslogtreecommitdiff
path: root/django/http/request.py
AgeCommit message (Collapse)Author
2025-06-16[5.2.x] Fixed #36447 -- Selected preferred media type based on quality.Jake Howard
When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report. Backport of 12c1557060fc94fe5e1fbddc4578a4e29d38f77c from main.
2025-06-09[5.2.x] Fixed #36446 -- Restored "q" in internal MediaType.params property.Natalia
The "q" key was removed while addressing ticket #36411. Despite `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Backport of cf5f36bf903a2854f5e395149cee707115b83744 from main.
2025-06-03[5.2.x] Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media ↵Jake Howard
type parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews. Backport of c075508b4de8edf9db553b409f8a8ed2f26ecead from main.
2024-09-09Fixed #35631 -- Added HttpRequest.get_preferred_type().Jake Howard
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-08-25Fixed #34709 -- Raised BadRequest for non-UTF-8 requests with the ↵Mariusz Felisiak
application/x-www-form-urlencoded content type. Thanks Eki Xu for the report.
2023-08-02Simplified django.http.request.split_domain_port().Nick Pope
Use the capture groups from the regular expression that has already been matched to avoid resplitting and the need to special case for IPv6.
2023-04-12Fixed #34484, Refs #34482 -- Reverted "Fixed #29186 -- Fixed pickling ↵Mariusz Felisiak
HttpRequest and subclasses." This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963. Thanks Adam Johnson and Márton Salomváry for reports.
2023-02-14Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.Markus Holtermann
Thanks to Jakob Ackermann for the report.
2023-01-18Refs #34233 -- Used str.removeprefix()/removesuffix().Mariusz Felisiak
2022-11-14Fixed #34074 -- Added headers argument to RequestFactory and Client classes.David Wobrock
2022-09-14Fixed #29186 -- Fixed pickling HttpRequest and subclasses.Anvesh Mishra
2022-06-28Refs #33697 -- Made MediaType use django.utils.http.parse_header_parameters().Mehrdad
2022-06-09Fixed #33755 -- Moved ASGI body-file cleanup into request class.Jonas Lundberg
2022-05-11Refs #33173 -- Removed use of deprecated cgi module.Carlton Gibson
https://peps.python.org/pep-0594/#cgi
2022-03-23Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols ↵Thomas Schmidt
in the header value.
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2022-01-07Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.Ad Timmering
2021-04-30Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ↵Hasan Ramezani
ExceptionReporter._get_raw_insecure_uri().
2021-02-10Fixed #32355 -- Dropped support for Python 3.6 and 3.7Mariusz Felisiak
2021-01-14Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline.Mariusz Felisiak
2020-09-07Refs #21231 -- Corrected parse_qsl() fallback.Tim Graham
An oversight in fd209f62f1d83233cc634443cfac5ee4328d98b8.
2020-09-03Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8.Nick Pope
2020-06-03Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2.Mariusz Felisiak
2020-05-12Fixed E128, E741 flake8 warnings.Mariusz Felisiak
2020-01-27Fixed #30997 -- Deprecated HttpRequest.is_ajax().Claude Paroz
2020-01-24Refs #30997 -- Added HttpRequest.accepts().Claude Paroz
2019-12-27Fixed #31114 -- Fixed HttpRequest.build_absolute_uri() crash with ↵Jon Dufresne
reverse_lazy() locations.
2019-12-05Fixed #31010 -- Allowed subdomains of localhost in the Host header by ↵Gordon Pendleton
default when DEBUG=True.
2019-10-29Fixed #30899 -- Lazily compiled import time regular expressions.Hasan Ramezani
2019-07-01Fixed CVE-2019-12781 -- Made HttpRequest always trust ↵Carlton Gibson
SECURE_PROXY_SSL_HEADER if set. An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review.
2019-06-15Refs #30451 -- Added HttpRequest._set_content_type_params() hook.Mariusz Felisiak
2019-05-09Fixed #30310 -- Added support for looking up HttpHeaders.headers using ↵Troon
underscores.
2019-02-06Refs #27753 -- Favored force/smart_str() over force/smart_text().Aymeric Augustin
2019-01-28Fixed #30137 -- Replaced OSError aliases with the canonical OSError.Jon Dufresne
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-17Refs #28137 -- Removed HttpRequest.xreadlines() per deprecation timeline.Tim Graham
2019-01-16Fixed #20147 -- Added HttpRequest.headers.Santiago Basulto
2018-09-25Normalized spelling of "lowercase" and "lowercased".Jon Dufresne
2018-08-02Fixed #29627 -- Fixed QueryDict.urlencode() crash with non-string values.Tim Graham
Regression in 7d96f0c49ab750799860e42716d7105e11de44de.
2018-07-16Fixed django/http/request.py docstring typo.François Freitag
2018-07-10Simplified HttpRequest.__iter__().Sergey Fedoseev
2018-06-07Removed unused HttpRequest._post_parse_error attribute.Josh Schneier
Unused since 8f8c54f70bfa3aa8e311514297f1eeded2c32593.
2018-02-07Refs #27795 -- Replaced force_bytes() usage in django.http.Tim Graham
2018-01-10Fixed #28828 -- Improved performance of HttpRequest.build_absolute_uri().George-Cristian Bîrzan
2018-01-03Fixed #28982 -- Simplified code with and/or.Дилян Палаузов
2017-12-26Fixed #28930 -- Simplified code with any() and all().Дилян Палаузов
2017-11-07Fixed #28720 -- Added HttpRequest.get_full_path_info().Jonas Haag
2017-08-23Removed unneeded iter() calls.Sergey Fedoseev
A few of these were unnecessarily added in 2b281cc35ed9d997614ca3c416928d7fabfef1ad.
2017-04-26Fixed #28137 -- Deprecated HttpRequest.xreadlines().Josh Schneier