| Age | Commit message | Author |
|
20472aa827669d2b83b74e521504e88e18d086a1.
Also added some tests for HttpRequest.__repr__.
Note that the added tests don't actually catch the accidental code
removal (see ticket) but they do cover a codepath that wasn't tested
before.
Thanks to Tom Christie for the report and the original patch.
|
Thanks manfre for the report and Timo Graham for the review.
|
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.
`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.
`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.
This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.
Thanks nslater for the suggestion.
|
Thanks jaylett for the patch.
|
Thanks to berkerpeksag for the report and to claudep
for the review.
|
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated; this validation has now been
removed when DEBUG=True.
Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
|
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
|
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
|
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
|
Obviously it isn't set until the URL is resolved.
|
This is a security fix; disclosure and advisory coming shortly.
|
Full disclosure and new release forthcoming.
|
Thanks Claude Paroz.
|
request.py, response.py and utils.py
|