| Age | Commit message | Author | |
|---|---|---|---|
| 2026-06-03 | Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisions. | Paul McMillan | |
| Made signed cookies derive their signer namespace from an injective encoding of `(name, salt)` while preserving compatibility with legacy `name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK. Thanks Peng Zhou for the report, and Shai Berger, Markus Holtermann, Jake Howard, and Paul McMillan for reviews. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2026-06-02 | Fixed #37103 -- Made HttpRequest.body handle malformed CONTENT_LENGTH. | Lier0102 | |
| 2026-04-22 | Fixed #36991 -- Raised BadRequest for invalid encodings in Content-Type headers. | Dinesh | |
| 2026-04-07 | Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests. | Natalia | |
| The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. | |||
| 2026-02-10 | Fixed #36841 -- Made multipart parser class pluggable on HttpRequest. | farhan | |
| 2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot | |
| Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. | |||
| 2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce | |
| 2025-06-16 | Fixed #36447 -- Selected preferred media type based on quality. | Jake Howard | |
| When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report. | |||
| 2025-06-09 | Fixed #36446 -- Restored "q" in internal MediaType.params property. | Natalia | |
| The "q" key was removed while addressing ticket #36411. Although `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. | |||
| 2025-06-03 | Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type parameters. | Jake Howard | |
| HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews. | |||
| 2024-09-09 | Fixed #35631 -- Added HttpRequest.get_preferred_type(). | Jake Howard | |
| 2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak | |
| https://github.com/psf/black/releases/tag/24.1.0 | |||
| 2023-08-25 | Fixed #34709 -- Raised BadRequest for non-UTF-8 requests with the application/x-www-form-urlencoded content type. | Mariusz Felisiak | |
| Thanks Eki Xu for the report. | |||
| 2023-08-02 | Simplified django.http.request.split_domain_port(). | Nick Pope | |
| Use the capture groups from the regular expression that has already been matched to avoid resplitting and the need to special case for IPv6. | |||
| 2023-04-12 | Fixed #34484, Refs #34482 -- Reverted "Fixed #29186 -- Fixed pickling HttpRequest and subclasses." | Mariusz Felisiak | |
| This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963. Thanks Adam Johnson and Márton Salomváry for reports. | |||
| 2023-02-14 | Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files. | Markus Holtermann | |
| Thanks to Jakob Ackermann for the report. | |||
| 2023-01-18 | Refs #34233 -- Used str.removeprefix()/removesuffix(). | Mariusz Felisiak | |
| 2022-11-14 | Fixed #34074 -- Added headers argument to RequestFactory and Client classes. | David Wobrock | |
| 2022-09-14 | Fixed #29186 -- Fixed pickling HttpRequest and subclasses. | Anvesh Mishra | |
| 2022-06-28 | Refs #33697 -- Made MediaType use django.utils.http.parse_header_parameters(). | Mehrdad | |
| 2022-06-09 | Fixed #33755 -- Moved ASGI body-file cleanup into request class. | Jonas Lundberg | |
| 2022-05-11 | Refs #33173 -- Removed use of deprecated cgi module. | Carlton Gibson | |
| https://peps.python.org/pep-0594/#cgi | |||
| 2022-03-23 | Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols in the header value. | Thomas Schmidt | |
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2022-01-07 | Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. | Ad Timmering | |
| 2021-04-30 | Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri(). | Hasan Ramezani | |
| 2021-02-10 | Fixed #32355 -- Dropped support for Python 3.6 and 3.7 | Mariusz Felisiak | |
| 2021-01-14 | Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline. | Mariusz Felisiak | |
| 2020-09-07 | Refs #21231 -- Corrected parse_qsl() fallback. | Tim Graham | |
| An oversight in fd209f62f1d83233cc634443cfac5ee4328d98b8. | |||
| 2020-09-03 | Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. | Nick Pope | |
| 2020-06-03 | Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2. | Mariusz Felisiak | |
| 2020-05-12 | Fixed E128, E741 flake8 warnings. | Mariusz Felisiak | |
| 2020-01-27 | Fixed #30997 -- Deprecated HttpRequest.is_ajax(). | Claude Paroz | |
| 2020-01-24 | Refs #30997 -- Added HttpRequest.accepts(). | Claude Paroz | |
| 2019-12-27 | Fixed #31114 -- Fixed HttpRequest.build_absolute_uri() crash with reverse_lazy() locations. | Jon Dufresne | |
| 2019-12-05 | Fixed #31010 -- Allowed subdomains of localhost in the Host header by default when DEBUG=True. | Gordon Pendleton | |
| 2019-10-29 | Fixed #30899 -- Lazily compiled import time regular expressions. | Hasan Ramezani | |
| 2019-07-01 | Fixed CVE-2019-12781 -- Made HttpRequest always trust SECURE_PROXY_SSL_HEADER if set. | Carlton Gibson | |
| An HTTP request would not be redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings were used if the proxy connected to Django via HTTPS. HttpRequest.scheme will now always trust the SECURE_PROXY_SSL_HEADER if set, rather than falling back to the request scheme when the SECURE_PROXY_SSL_HEADER did not have the secure value. Thanks to Gavin Wahl for the report and initial patch suggestion, and Shai Berger for review. | |||
| 2019-06-15 | Refs #30451 -- Added HttpRequest._set_content_type_params() hook. | Mariusz Felisiak | |
| 2019-05-09 | Fixed #30310 -- Added support for looking up HttpHeaders.headers using underscores. | Troon | |
| 2019-02-06 | Refs #27753 -- Favored force/smart_str() over force/smart_text(). | Aymeric Augustin | |
| 2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. | Jon Dufresne | |
| Used more specific errors (e.g. FileExistsError) as appropriate. | |||
| 2019-01-17 | Refs #28137 -- Removed HttpRequest.xreadlines() per deprecation timeline. | Tim Graham | |
| 2019-01-16 | Fixed #20147 -- Added HttpRequest.headers. | Santiago Basulto | |
| 2018-09-25 | Normalized spelling of "lowercase" and "lowercased". | Jon Dufresne | |
| 2018-08-02 | Fixed #29627 -- Fixed QueryDict.urlencode() crash with non-string values. | Tim Graham | |
| Regression in 7d96f0c49ab750799860e42716d7105e11de44de. | |||
| 2018-07-16 | Fixed django/http/request.py docstring typo. | François Freitag | |
| 2018-07-10 | Simplified HttpRequest.__iter__(). | Sergey Fedoseev | |
| 2018-06-07 | Removed unused HttpRequest._post_parse_error attribute. | Josh Schneier | |
| Unused since 8f8c54f70bfa3aa8e311514297f1eeded2c32593. | |||
