summaryrefslogtreecommitdiff
path: root/django/http/response.py
AgeCommit message (Collapse)Author
2025-11-05[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in ↵Jacob Walls
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
2023-04-12[4.2.x] Refs #34482 -- Reverted "Fixed #32969 -- Fixed pickling HttpResponse ↵Mariusz Felisiak
and subclasses." This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db. Thanks Márton Salomváry for the report. Backport of 173034b00589c083793d495e8b07e35be2cb1cf0 from main
2023-04-12[4.2.x] Fixed #34484, Refs #34482 -- Reverted "Fixed #29186 -- Fixed ↵Mariusz Felisiak
pickling HttpRequest and subclasses." This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963. Thanks Adam Johnson and Márton Salomváry for reports. Backport of 280ca147af9cdfce1ca9cb14cc3c5527ff6c7a02 from main
2022-12-22Fixed #33735 -- Added async support to StreamingHttpResponse.Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-05Fixed #34194 -- Added django.utils.http.content_disposition_header().Alex Vandiver
2022-10-31Used more augmented assignment statements.Nick Pope
Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
2022-09-14Fixed #29186 -- Fixed pickling HttpRequest and subclasses.Anvesh Mishra
2022-08-03Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.Carlton Gibson
Thanks to Motoyasu Saburi for the report.
2022-06-20Fixed #32969 -- Fixed pickling HttpResponse and subclasses.Anv3sh
2022-03-24Refs #32365 -- Removed internal uses of utils.timezone.utc alias.Carlton Gibson
Remaining test case ensures that uses of the alias are mapped canonically by the migration writer.
2022-03-07Refs #33562 -- Made HttpResponse.set_cookie() raise ValueError when both ↵Luke Plant
"expires" and "max_age" are passed. This fixes the case where you might pass set_cookie(expires=val, max_age=val) and max_age is silently ignored.
2022-03-07Fixed #33562 -- Made HttpResponse.set_cookie() support timedelta for the ↵Luke Plant
max_age argument.
2022-03-02Refs #33546 -- Optimized handling content types in HttpResponseBase.__init__().Keryn Knight
This removes an extraneous conditional causing "Content-Type" to be checked within the ResponseHeaders twice, if a content_type parameter is provided.
2022-03-02Refs #33546 -- Optimized HttpResponseBase.charset a bit.Keryn Knight
This avoids scanning the Content-Type if it's empty, allowing the Content-Type header itself to have a charset assigned without using the re module.
2022-03-02Refs #33546 -- Optimized ResponseHeaders._convert_to_charset() by reducing ↵Keryn Knight
the type-checking duplication. In the common case, where keys and values are be encoded into ascii/latin-1, defer the checking for newlines until it's been successfully coerced to a string. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2022-03-02Refs #33546 -- Avoided unpacking data in ResponseHeaders when not necessary.Keryn Knight
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-10-15Refs #30509 -- Adjusted internal FileResponse variable name.Carlton Gibson
Follow up to dc724c5bf9d3b8d59c9571aa751c3cd001cdeced.
2021-10-14Fixed #30509 -- Made FileResponse better handle buffers and non-zero file ↵Piotr Kunicki
offsets.
2021-09-22Optimized handling case-insensitive mappings.Illia Volochii
Elements yielded by _destruct_iterable_mapping_values are always unpacked. Since unpacking can be done with any iterable, there is no need to convert elements to tuples. Also, such elements can be used directly in for loops, creating a dictionary of them is excessive. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-08-02Simplified serializing HTTP response headers.Illia Volochii
Since ResponseHeaders was introduced, header names and values are stored as strings. There is no need to check whether they are bytes. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-06-22Refs #24121 -- Added __repr__() to StreamingHttpResponse and subclasses.Nicolas Restrepo
2021-05-12Fixed #32366 -- Updated datetime module usage to recommended approach.Nick Pope
- Replaced datetime.utcnow() with datetime.now(). - Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp(). - Replaced datetime.utctimetuple() with datetime.timetuple(). - Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-04-29Fixed capitalization of "ECMAScript" and "JavaScript".Nick Pope
2021-01-28Fixed #32389 -- Fixed ResponseHeaders crash when data is not mapping.Illia Volochii
2020-12-08Fixed grammar in HttpResponse docstring.ᴙɘɘᴙgYmɘᴙɘj
2020-11-10Refs #32074 -- Fixed handling memoryview content by HttpResponse on Python ↵Mariusz Felisiak
3.10+. An iterator was added to memoryview in Python 3.10, see https://bugs.python.org/issue41732 Refs #30294
2020-10-07Fixed #32002 -- Added headers parameter to HttpResponse and subclasses.Tom Carrick
2020-09-14Fixed #31789 -- Added a new headers interface to HttpResponse.Tom Carrick
2020-09-05Fixed #31982 -- Made HttpResponse.set_cookie() cast max_age argument to an ↵Hasan Ramezani
integer.
2020-07-16Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in ↵Mariusz Felisiak
HttpResponse.delete_cookie(). Cookies with the "SameSite" flag set to None and without the "secure" flag will be soon rejected by latest browser versions. This affects sessions and messages cookies.
2020-05-11Refs #30116 -- Simplified regex match group access with Match.__getitem__().Jon Dufresne
The method has been available since Python 3.6. The shorter syntax is also marginally faster.
2020-02-11Fixed #31240 -- Properly closed FileResponse when wsgi.file_wrapper is used.Florian Apolloner
Thanks to Oskar Persson for the report.
2020-02-11Reverted "Fixed #30565 -- Closed HttpResponse when wsgi.file_wrapper closes ↵Florian Apolloner
file-like object." This reverts commit cce47ff65a4dd3786c049ec14ee889e128ca7de9.
2019-12-12Fixed #30862 -- Allowed setting SameSite cookies flags to 'none'.Osaetin Daniel
Thanks Florian Apolloner and Carlton Gibson for reviews.
2019-10-29Fixed #30899 -- Lazily compiled import time regular expressions.Hasan Ramezani
2019-06-20Fixed #30565 -- Closed HttpResponse when wsgi.file_wrapper closes file-like ↵Chris Jerdonek
object.
2019-05-17Fixed #30196 -- Made FileResponse set Content-Disposition inline if filename ↵ShingenPizza
is available.
2019-03-29Fixed #30294 -- Allowed HttpResponse to accept memoryview content.sage
2019-01-28Fixed #30137 -- Replaced OSError aliases with the canonical OSError.Jon Dufresne
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-17Refs #27829 -- Removed settings.DEFAULT_CONTENT_TYPE per deprecation timeline.Tim Graham
2018-09-25Normalized spelling of "lowercase" and "lowercased".Jon Dufresne
2018-09-25Refs #29784 -- Normalized Python docs links to omit the version.Jon Dufresne
2018-05-15Fixed #16470 -- Allowed FileResponse to auto-set some Content headers.Claude Paroz
Thanks Simon Charette, Jon Dufresne, and Tim Graham for the reviews.
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-02-07Refs #27795 -- Replaced force_bytes() usage in django.http.Tim Graham
2018-01-08Fixed #28989 -- Fixed HttpResponse.delete_cookie() for cookies that use ↵Alvin Lindstam
__Secure/Host prefixes.
2018-01-02Fixed #28965 -- Updated Set-Cookie's Expires date format to follow RFC 7231.Alexey
2017-11-14Fixed #28795 -- Removed 'not in' checks and used dict.setdefault().Дилян Палаузов
2017-11-06Fixed #28776 -- Fixed a/an/and typos in docs and comments.Дилян Палаузов