| Age | Commit message (Collapse) | Author |
|
HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
|
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
headers.
This also allow customizing the maximum size of headers via
MAX_TOTAL_HEADER_SIZE.
|
|
application/x-www-form-urlencoded content type.
Thanks Eki Xu for the report.
|
|
Use the capture groups from the regular expression that has already been
matched to avoid resplitting and the need to special case for IPv6.
|
|
subclasses."
This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db.
Thanks Márton Salomváry for the report.
|
|
HttpRequest and subclasses."
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963.
Thanks Adam Johnson and Márton Salomváry for reports.
|
|
compress and brotli.
Thanks Chamal De Silva for the report.
|
|
Thanks to Jakob Ackermann for the report.
|
|
|
|
Available since Python 3.10.
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
|
|
Thanks to Motoyasu Saburi for the report.
|
|
boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
|
|
Reraising ValueError was unused since its introduction in
d725cc9734272f867d41f7236235c28b3931a1b2.
|
|
|
|
|
|
|
|
django.utils.http.parse_header_parameters() for parsing Content-Type header.
|
|
semicolons.
See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a
|
|
|
|
https://peps.python.org/pep-0594/#cgi
|
|
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
|
|
in the header value.
|
|
"expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
|
|
max_age argument.
|
|
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
|
|
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
|
|
the type-checking duplication.
In the common case, where keys and values are be encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
|
|
|
|
|
|
Thanks Alan Ryan for the report and initial patch.
|
|
|
|
|
|
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
|
|
Follow up to dc724c5bf9d3b8d59c9571aa751c3cd001cdeced.
|
|
offsets.
|
|
Elements yielded by _destruct_iterable_mapping_values are always
unpacked. Since unpacking can be done with any iterable, there is no
need to convert elements to tuples. Also, such elements can be used
directly in for loops, creating a dictionary of them is excessive.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
Since ResponseHeaders was introduced, header names and values are stored
as strings. There is no need to check whether they are bytes.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
|
|
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
|
|
|
|
ExceptionReporter._get_raw_insecure_uri().
|