| Age | Commit message (Collapse) | Author |
|
size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
|
|
HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
|
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
and subclasses."
This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db.
Thanks Márton Salomváry for the report.
Backport of 173034b00589c083793d495e8b07e35be2cb1cf0 from main
|
|
pickling HttpRequest and subclasses."
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963.
Thanks Adam Johnson and Márton Salomváry for reports.
Backport of 280ca147af9cdfce1ca9cb14cc3c5527ff6c7a02 from main
|
|
Thanks to Jakob Ackermann for the report.
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
|
|
Thanks to Motoyasu Saburi for the report.
|
|
boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
|
|
Reraising ValueError was unused since its introduction in
d725cc9734272f867d41f7236235c28b3931a1b2.
|
|
|
|
|
|
|
|
django.utils.http.parse_header_parameters() for parsing Content-Type header.
|
|
semicolons.
See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a
|
|
|
|
https://peps.python.org/pep-0594/#cgi
|
|
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
|
|
in the header value.
|
|
"expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
|
|
max_age argument.
|
|
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
|
|
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
|
|
the type-checking duplication.
In the common case, where keys and values are be encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
|
|
|
|
|
|
Thanks Alan Ryan for the report and initial patch.
|
|
|
|
|
|
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
|
|
Follow up to dc724c5bf9d3b8d59c9571aa751c3cd001cdeced.
|
|
offsets.
|
|
Elements yielded by _destruct_iterable_mapping_values are always
unpacked. Since unpacking can be done with any iterable, there is no
need to convert elements to tuples. Also, such elements can be used
directly in for loops, creating a dictionary of them is excessive.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
Since ResponseHeaders was introduced, header names and values are stored
as strings. There is no need to check whether they are bytes.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
|
|
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
|
|
|
|
ExceptionReporter._get_raw_insecure_uri().
|
|
|
|
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
|
|
|
|
|
|
|