summaryrefslogtreecommitdiff
path: root/django/http
AgeCommit message (Collapse)Author
2022-08-03[4.1.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.Carlton Gibson
Thanks to Motoyasu Saburi for the report.
2022-06-01[4.1.x] Refs #33697 -- Fixed multipart parsing of headers with double quotes ↵Mehrdad
and semicolons. See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a Backport of 93cedc82f29076c824d476354527af1150888e4f from main
2022-05-17Fixed #33683 -- Document HttpResponseBase and allow import from django.httpCollin Anderson
2022-05-11Refs #33173 -- Removed use of deprecated cgi module.Carlton Gibson
https://peps.python.org/pep-0594/#cgi
2022-03-24Refs #32365 -- Removed internal uses of utils.timezone.utc alias.Carlton Gibson
Remaining test case ensures that uses of the alias are mapped canonically by the migration writer.
2022-03-23Fixed #33569 -- Added SECURE_PROXY_SSL_HEADER support for list of protocols ↵Thomas Schmidt
in the header value.
2022-03-07Refs #33562 -- Made HttpResponse.set_cookie() raise ValueError when both ↵Luke Plant
"expires" and "max_age" are passed. This fixes the case where you might pass set_cookie(expires=val, max_age=val) and max_age is silently ignored.
2022-03-07Fixed #33562 -- Made HttpResponse.set_cookie() support timedelta for the ↵Luke Plant
max_age argument.
2022-03-02Refs #33546 -- Optimized handling content types in HttpResponseBase.__init__().Keryn Knight
This removes an extraneous conditional causing "Content-Type" to be checked within the ResponseHeaders twice, if a content_type parameter is provided.
2022-03-02Refs #33546 -- Optimized HttpResponseBase.charset a bit.Keryn Knight
This avoids scanning the Content-Type if it's empty, allowing the Content-Type header itself to have a charset assigned without using the re module.
2022-03-02Refs #33546 -- Optimized ResponseHeaders._convert_to_charset() by reducing ↵Keryn Knight
the type-checking duplication. In the common case, where keys and values are be encoded into ascii/latin-1, defer the checking for newlines until it's been successfully coerced to a string. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2022-03-02Refs #33546 -- Avoided unpacking data in ResponseHeaders when not necessary.Keryn Knight
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2022-02-01Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads.Mariusz Felisiak
Thanks Alan Ryan for the report and initial patch.
2022-01-20Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.Hrushikesh Vaidya
2022-01-07Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.Ad Timmering
2021-12-02Updated various links to HTTPS and new locations.Mariusz Felisiak
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
2021-10-15Refs #30509 -- Adjusted internal FileResponse variable name.Carlton Gibson
Follow up to dc724c5bf9d3b8d59c9571aa751c3cd001cdeced.
2021-10-14Fixed #30509 -- Made FileResponse better handle buffers and non-zero file ↵Piotr Kunicki
offsets.
2021-09-22Optimized handling case-insensitive mappings.Illia Volochii
Elements yielded by _destruct_iterable_mapping_values are always unpacked. Since unpacking can be done with any iterable, there is no need to convert elements to tuples. Also, such elements can be used directly in for loops, creating a dictionary of them is excessive. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-08-02Simplified serializing HTTP response headers.Illia Volochii
Since ResponseHeaders was introduced, header names and values are stored as strings. There is no need to check whether they are bytes. Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2021-06-22Refs #24121 -- Added __repr__() to StreamingHttpResponse and subclasses.Nicolas Restrepo
2021-05-12Fixed #32366 -- Updated datetime module usage to recommended approach.Nick Pope
- Replaced datetime.utcnow() with datetime.now(). - Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp(). - Replaced datetime.utctimetuple() with datetime.timetuple(). - Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-04Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.Florian Apolloner
2021-04-30Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ↵Hasan Ramezani
ExceptionReporter._get_raw_insecure_uri().
2021-04-29Fixed capitalization of "ECMAScript" and "JavaScript".Nick Pope
2021-04-06Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.Mariusz Felisiak
Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report.
2021-02-10Fixed #32355 -- Dropped support for Python 3.6 and 3.7Mariusz Felisiak
2021-01-28Fixed #32389 -- Fixed ResponseHeaders crash when data is not mapping.Illia Volochii
2021-01-14Refs #30997 -- Removed HttpRequest.is_ajax() per deprecation timeline.Mariusz Felisiak
2020-12-08Fixed grammar in HttpResponse docstring.ᴙɘɘᴙgYmɘᴙɘj
2020-11-10Refs #32074 -- Fixed handling memoryview content by HttpResponse on Python ↵Mariusz Felisiak
3.10+. An iterator was added to memoryview in Python 3.10, see https://bugs.python.org/issue41732 Refs #30294
2020-10-07Fixed #32002 -- Added headers parameter to HttpResponse and subclasses.Tom Carrick
2020-09-30Fixed #30422 -- Made TemporaryFileUploadHandler handle interrupted uploads.aryan
This patch allows upload handlers to handle interrupted uploads. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-09-14Fixed #31789 -- Added a new headers interface to HttpResponse.Tom Carrick
2020-09-07Refs #21231 -- Corrected parse_qsl() fallback.Tim Graham
An oversight in fd209f62f1d83233cc634443cfac5ee4328d98b8.
2020-09-05Fixed #31982 -- Made HttpResponse.set_cookie() cast max_age argument to an ↵Hasan Ramezani
integer.
2020-09-03Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8.Nick Pope
2020-07-16Fixed #31790 -- Fixed setting SameSite and Secure cookies flags in ↵Mariusz Felisiak
HttpResponse.delete_cookie(). Cookies with the "SameSite" flag set to None and without the "secure" flag will be soon rejected by latest browser versions. This affects sessions and messages cookies.
2020-06-11Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.Michael Brown
2020-06-03Refs #30997 -- Improved HttpRequest.is_ajax() warning message with stacklevel=2.Mariusz Felisiak
2020-05-12Fixed E128, E741 flake8 warnings.Mariusz Felisiak
2020-05-11Refs #30116 -- Simplified regex match group access with Match.__getitem__().Jon Dufresne
The method has been available since Python 3.6. The shorter syntax is also marginally faster.
2020-02-28Fixed #31293 -- Allowed MultiPartParser to handle double-quoted encoded headers.007
2020-02-11Fixed #31240 -- Properly closed FileResponse when wsgi.file_wrapper is used.Florian Apolloner
Thanks to Oskar Persson for the report.
2020-02-11Reverted "Fixed #30565 -- Closed HttpResponse when wsgi.file_wrapper closes ↵Florian Apolloner
file-like object." This reverts commit cce47ff65a4dd3786c049ec14ee889e128ca7de9.
2020-01-27Fixed #30997 -- Deprecated HttpRequest.is_ajax().Claude Paroz
2020-01-24Refs #30997 -- Added HttpRequest.accepts().Claude Paroz
2019-12-27Fixed #31114 -- Fixed HttpRequest.build_absolute_uri() crash with ↵Jon Dufresne
reverse_lazy() locations.