| Age | Commit message | Author |
|
|
|
ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
|
|
encoding.
Added LookupError to the except clause so invalid headers are silently
skipped, consistent with other malformed header handling.
|
|
|
|
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks to Jacob Walls for the report and review.
|
|
HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.
|
|
parse_header_parameters for multipart requests.
Header parsing should apply only to the header value. The previous
implementation happened to work but relied on unintended behavior.
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
|
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
|
|
|
|
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However, once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
|
|
The "q" key was removed while addressing ticket #36411. Although
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restores
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
|
|
parameters.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
|
|
|
|
datetime.UTC was added in Python 3.11.
|
|
HttpResponseRedirectBase.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
|
|
StreamingHttpResponse.__iter__()/__aiter__().
|
|
This work should not generate any change in functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path` simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as `urlunsplit` is used).
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
headers.
This also allows customizing the maximum size of headers via
MAX_TOTAL_HEADER_SIZE.
|
|
application/x-www-form-urlencoded content type.
Thanks Eki Xu for the report.
|
|
Use the capture groups from the regular expression that has already been
matched to avoid resplitting and the need to special case for IPv6.
|
|
subclasses."
This reverts commit d7f5bfd241666c0a76e90208da1e9ef81aec44db.
Thanks Márton Salomváry for the report.
|
|
HttpRequest and subclasses."
This reverts commit 6220c445c40a6a7f4d442de8bde2628346153963.
Thanks Adam Johnson and Márton Salomváry for reports.
|
|
compress and brotli.
Thanks Chamal De Silva for the report.
|
|
Thanks to Jakob Ackermann for the report.
|
|
|
|
Available since Python 3.10.
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
|
|
Thanks to Motoyasu Saburi for the report.
|
|
boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
|
|
Reraising ValueError was unused since its introduction in
d725cc9734272f867d41f7236235c28b3931a1b2.
|
|
|
|
|
|
|
|
django.utils.http.parse_header_parameters() for parsing Content-Type header.
|
|
semicolons.
See https://github.com/python/cpython/commit/1ef0c0349e8fdb5415e21231cb42edbf232b742a
|
|
|
|
https://peps.python.org/pep-0594/#cgi
|
|
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
|
|
in the header value.
|
|
"expires" and "max_age" are passed.
This fixes the case where you might pass set_cookie(expires=val, max_age=val)
and max_age is silently ignored.
|