| Age | Commit message | Author |
Follow-up to 6e15ac8066312328de279e3e072667416c205bfc.
Made signed cookies derive their signer namespace from an injective
encoding of `(name, salt)` while preserving compatibility with legacy
`name + salt` cookies behind SIGNED_COOKIE_LEGACY_SALT_FALLBACK.
Thanks Peng Zhou for the report, and Shai Berger, Markus Holtermann,
Jake Howard, and Paul McMillan for reviews.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Peer frameworks have long since dropped their analogous checks for this
vulnerability that was fixed in ES5.
HttpResponseRedirect.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
datetime.UTC was added in Python 3.11.
HttpResponseRedirectBase.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Signed-off-by: SaJH <wogur981208@gmail.com>
StreamingHttpResponse.__iter__()/__aiter__().
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path` simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
subclasses."
This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db.
Thanks Márton Salomváry for the report.
HttpRequest and subclasses."
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963.
Thanks Adam Johnson and Márton Salomváry for reports.
compress and brotli.
Thanks Chamal De Silva for the report.
Available since Python 3.10.
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
Thanks to Motoyasu Saburi for the report.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
"expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
max_age argument.
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
the type-checking duplication.
In the common case, where keys and values are encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
Follow up to dc724c5bf9d3b8d59c9571aa751c3cd001cdeced.
offsets.
Elements yielded by _destruct_iterable_mapping_values are always
unpacked. Since unpacking can be done with any iterable, there is no
need to convert elements to tuples. Also, such elements can be used
directly in for loops, so creating a dictionary of them is excessive.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
Since ResponseHeaders was introduced, header names and values are stored
as strings. There is no need to check whether they are bytes.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
3.10+.
An iterator was added to memoryview in Python 3.10,
see https://bugs.python.org/issue41732
Refs #30294
integer.
HttpResponse.delete_cookie().
Cookies with the "SameSite" flag set to None and without the "secure"
flag will soon be rejected by the latest browser versions.
This affects sessions and messages cookies.
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
Thanks to Oskar Persson for the report.
file-like object."
This reverts commit cce47ff65a4dd3786c049ec14ee889e128ca7de9.