path: root/django/http/request.py
Age | Commit message | Author
2026-06-03 | Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions. | Paul McMillan
Made signed cookies derive their signer namespace from an injective encoding of `(name, salt)` while preserving compatibility with legacy `name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK. Thanks Peng Zhou for the report, and Shai Berger, Markus Holterman, Jake Howard, and Paul McMillan for reviews.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-06-02 | Fixed #37103 -- Made HttpRequest.body handle malformed CONTENT_LENGTH. | Lier0102
2026-04-22 | Fixed #36991 -- Raised BadRequest for invalid encodings in Content-Type headers. | Dinesh
2026-04-07 | Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests. | Natalia
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews.
2026-02-10 | Fixed #36841 -- Made multipart parser class pluggable on HttpRequest. | farhan
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce
2025-06-16 | Fixed #36447 -- Selected preferred media type based on quality. | Jake Howard
When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report.
2025-06-09 | Fixed #36446 -- Restored "q" in internal MediaType.params property. | Natalia
The "q" key was removed while addressing ticket #36411. Although `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
2025-06-03 | Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type parameters. | Jake Howard
HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews.
2024-09-09 | Fixed #35631 -- Added HttpRequest.get_preferred_type(). | Jake Howard
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-08-25 | Fixed #34709 -- Raised BadRequest for non-UTF-8 requests with the application/x-www-form-urlencoded content type. | Mariusz Felisiak
Thanks Eki Xu for the report.
2023-08-02 | Simplified django.http.request.split_domain_port(). | Nick Pope
Use the capture groups from the regular expression that has already been matched to avoid resplitting and the need to special case for IPv6.
2023-04-12 | Fixed #34484, Refs #34482 -- Reverted "Fixed #29186 -- Fixed pickling HttpRequest and subclasses." | Mariusz Felisiak
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963. Thanks Adam Johnson and Márton Salomváry for reports.
2023-02-14 | Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. | Markus Holtermann
Thanks to Jakob Ackermann for the report.
2023-01-18 | Refs #34233 -- Used str.removeprefix()/removesuffix(). | Mariusz Felisiak
2022-11-14 | Fixed #34074 -- Added headers argument to RequestFactory and Client classes. | David Wobrock
2022-09-14 | Fixed #29186 -- Fixed pickling HttpRequest and subclasses. | Anvesh Mishra
2022-06-28 | Refs #33697 -- Made MediaType use django.utils.http.parse_header_parameters(). | Mehrdad
2022-06-09 | Fixed #33755 -- Moved ASGI body-file cleanup into request class. | Jonas Lundberg
2022-05-11 | Refs #33173 -- Removed use of deprecated cgi module. | Carlton Gibson
https://peps.python.org/pep-0594/#cgi
2022-03-23 | Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols in the header value. | Thomas Schmidt
2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2022-01-07 | Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. | Ad Timmering
2021-04-30 | Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri(). | Hasan Ramezani
2021-02-10 | Fixed #32355 -- Dropped support for Python 3.6 and 3.7 | Mariusz Felisiak
2021-01-14 | Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline. | Mariusz Felisiak
2020-09-07 | Refs #21231 -- Corrected parse_qsl() fallback. | Tim Graham
An oversight in fd209f62f1d83233cc634443cfac5ee4328d98b8.
2020-09-03 | Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. | Nick Pope
2020-06-03 | Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2. | Mariusz Felisiak
2020-05-12 | Fixed E128, E741 flake8 warnings. | Mariusz Felisiak
2020-01-27 | Fixed #30997 -- Deprecated HttpRequest.is_ajax(). | Claude Paroz
2020-01-24 | Refs #30997 -- Added HttpRequest.accepts(). | Claude Paroz
2019-12-27 | Fixed #31114 -- Fixed HttpRequest.build_absolute_uri() crash with reverse_lazy() locations. | Jon Dufresne
2019-12-05 | Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True. | Gordon Pendleton
2019-10-29 | Fixed #30899 -- Lazily compiled import time regular expressions. | Hasan Ramezani
2019-07-01 | Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. | Carlton Gibson
An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review.
2019-06-15 | Refs #30451 -- Added HttpRequest._set_content_type_params() hook. | Mariusz Felisiak
2019-05-09 | Fixed #30310 -- Added support for looking up HttpHeaders.headers using underscores. | Troon
2019-02-06 | Refs #27753 -- Favored force/smart_str() over force/smart_text(). | Aymeric Augustin
2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. | Jon Dufresne
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-17 | Refs #28137 -- Removed HttpRequest.xreadlines() per deprecation timeline. | Tim Graham
2019-01-16 | Fixed #20147 -- Added HttpRequest.headers. | Santiago Basulto
2018-09-25 | Normalized spelling of "lowercase" and "lowercased". | Jon Dufresne
2018-08-02 | Fixed #29627 -- Fixed QueryDict.urlencode() crash with non-string values. | Tim Graham
Regression in 7d96f0c49ab750799860e42716d7105e11de44de.
2018-07-16 | Fixed django/http/request.py docstring typo. | François Freitag
2018-07-10 | Simplified HttpRequest.__iter__(). | Sergey Fedoseev
2018-06-07 | Removed unused HttpRequest._post_parse_error attribute. | Josh Schneier
Unused since 8f8c54f70bfa3aa8e311514297f1eeded2c32593.