| Age | Commit message (Collapse) | Author |
|
HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
|
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
|
|
parse_header_parameters for multipart requests.
Header parsing should apply only to the header value. The previous
implementation happened to work but relied on unintended behavior.
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
|
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
|
|
|
|
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
|
|
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
|
|
parameters.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
|
|
|
|
datetime.UTC was added in Python 3.11.
|
|
HttpResponseRedirectBase.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
|
|
StreamingHttpResponse.__iter__()/__aiter__().
|
|
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
headers.
This also allow customizing the maximum size of headers via
MAX_TOTAL_HEADER_SIZE.
|
|
application/x-www-form-urlencoded content type.
Thanks Eki Xu for the report.
|
|
Use the capture groups from the regular expression that has already been
matched to avoid resplitting and the need to special case for IPv6.
|
|
subclasses."
This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db.
Thanks Márton Salomváry for the report.
|
|
HttpRequest and subclasses."
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963.
Thanks Adam Johnson and Márton Salomváry for reports.
|
|
compress and brotli.
Thanks Chamal De Silva for the report.
|
|
Thanks to Jakob Ackermann for the report.
|
|
|
|
Available since Python 3.10.
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
|
|
Thanks to Motoyasu Saburi for the report.
|
|
boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
|
|
Reraising ValueError was unused since its introduction in
d725cc9734272f867d41f7236235c28b3931a1b2.
|
|
|
|
|
|
|
|
django.utils.http.parse_header_parameters() for parsing Content-Type header.
|
|
semicolons.
See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a
|
|
|
|
https://peps.python.org/pep-0594/#cgi
|
|
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
|
|
in the header value.
|
|
"expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
|
|
max_age argument.
|
|
This removes an extraneous conditional causing "Content-Type" to be
checked within the ResponseHeaders twice, if a content_type parameter
is provided.
|
|
This avoids scanning the Content-Type if it's empty, allowing the
Content-Type header itself to have a charset assigned without using
the re module.
|
|
the type-checking duplication.
In the common case, where keys and values are be encoded into
ascii/latin-1, defer the checking for newlines until it's been
successfully coerced to a string.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
|
|
|