| Age | Commit message | Author |
|---|---|---|
| 2025-09-15 | Renamed local variables in CsrfViewMiddleware._origin_verified() for clarity. | Klaas van Schelven |
| 2025-08-27 | Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0. | Sarah Boyce |
| 2025-08-25 | Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com> | SaJH |
| 2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. | django-bot |
| 2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce |
| 2024-05-29 | Fixed 35467 -- Replaced urlparse with urlsplit where appropriate. This work should not generate any change of functionality, and `urlsplit` is approximately 6x faster. Most use cases of `urlparse` didn't touch the path, so they can be converted to `urlsplit` without any issue. Most of those which do use `.path` simply parse the URL, mutate the querystring, then put them back together, which is also fine (so long as urlunsplit is used). | Jake Howard |
| 2024-01-26 | Applied Black's 2024 stable style. https://github.com/psf/black/releases/tag/24.1.0 | Mariusz Felisiak |
| 2023-01-17 | Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline. | Mariusz Felisiak |
| 2022-11-14 | Fixed #34074 -- Added headers argument to RequestFactory and Client classes. | David Wobrock |
| 2022-11-10 | Updated documentation and comments for RFC updates. - Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents | Nick Pope |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot |
| 2021-11-29 | Refs #32800 -- Renamed _sanitize_token() to _check_token_format(). | Chris Jerdonek |
| 2021-11-29 | Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret. This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instances of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | Chris Jerdonek |
| 2021-08-17 | Refs #32800 -- Added _add_new_csrf_cookie() helper function. This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed. | Chris Jerdonek |
| 2021-08-17 | Refs #32800 -- Renamed _set_token() to _set_csrf_cookie(). | Chris Jerdonek |
| 2021-08-03 | Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). | Chris Jerdonek |
| 2021-07-29 | Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE']. | Chris Jerdonek |
| 2021-07-29 | Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and request.csrf_cookie_needs_reset. | Chris Jerdonek |
| 2021-07-23 | Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError. Thanks Chris Jerdonek for the review. | Virtosu Bogdan |
| 2021-07-23 | Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic. Thanks Florian Apolloner and Shai Berger for reviews. | Chris Jerdonek |
| 2021-06-23 | Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages. | Chris Jerdonek |
| 2021-06-22 | Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token(). | Chris Jerdonek |
| 2021-06-12 | Fixed comment in CsrfViewMiddleware to say _reject instead of reject. | Chris Jerdonek |
| 2021-06-01 | Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens. | Chris Jerdonek |
| 2021-05-31 | Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens. | Chris Jerdonek |
| 2021-05-29 | Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters. This also improves the comments near where the variable is used. | Chris Jerdonek |
| 2021-05-28 | Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view(). | Chris Jerdonek |
| 2021-05-28 | Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer. | Chris Jerdonek |
| 2021-05-28 | Fixed #32596 -- Added CsrfViewMiddleware._check_referer(). This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test. | Chris Jerdonek |
| 2021-05-25 | Fixed #32778 -- Avoided unnecessary recompilation of token regex in _sanitize_token(). | abhiabhi94 |
| 2021-03-25 | Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host. | Chris Jerdonek |
| 2021-03-25 | Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view(). | Chris Jerdonek |
| 2021-03-25 | Refs #32579 -- Optimized good_hosts creation in CsrfViewMiddleware.process_view(). | Chris Jerdonek |
| 2021-03-19 | Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. | Adam Donaghy |
| 2021-03-18 | Fixed #16010 -- Added Origin header checking to CSRF middleware. Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews. | Tim Graham |
| 2021-03-18 | Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. | Tim Graham |
| 2020-02-26 | Fixed #28699 -- Fixed CSRF validation with remote user middleware. Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase. | Colton Hicks |
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum |
| 2019-10-23 | Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting. | Sergey Fedoseev |
| 2019-04-24 | Removed unnecessary assignments in various code. | Jon Dufresne |
| 2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. Used more specific errors (e.g. FileExistsError) as appropriate. | Jon Dufresne |
| 2018-09-08 | Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. | Michal Čihař |
| 2018-05-04 | Fixed #26688 -- Fixed HTTP request logging inconsistencies. * Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses. | Samir Shah |
| 2018-04-13 | Fixed #27863 -- Added support for the SameSite cookie flag. Thanks Alex Gaynor for contributing to the patch. | Alex Gaynor |
| 2018-02-14 | Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. | Tomer Chachamu |
| 2017-09-20 | Fixed #28488 -- Reallowed error handlers to access CSRF tokens. Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. | Florian Apolloner |
| 2017-03-04 | Refs #27656 -- Updated remaining docstring verbs according to PEP 257. | Anton Samarchyan |
| 2017-01-30 | Refs #23919 -- Assumed request COOKIES and META are str | Claude Paroz |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage. Thanks Tim Graham for the review. | Claude Paroz |
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz |
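Several entries in this log trace one verification path: Origin header checking (#16010), the requirement that CSRF_TRUSTED_ORIGINS include the scheme, the crashes on an invalid host in the Origin or Referer header (#32578, #32571, #28693), and the switch to urlsplit (#35467). The following is an added example, not Django's own code, showing that check written stand-alone: the function names, the `https://*.example.com` wildcard form for trusted origins, the case handling and the decision to compare ports as part of the netloc are assumptions of this example, and all sample inputs are constructed.

```python
"""Added example, not Django's own code: an Origin-header check in the
spirit of the Origin checking, scheme-qualified CSRF_TRUSTED_ORIGINS,
invalid-host and urlsplit entries in the log. Names, the '*.' wildcard
form and the port handling are assumptions of this example."""
from urllib.parse import urlsplit


def parse_trusted_origins(trusted_origins):
    """Validate configuration up front: every trusted origin must carry a
    scheme and a host ("https://app.example.com", "https://*.example.com").
    A bare host such as "example.com" splits into a path, not a netloc,
    and is rejected with a clear error instead of silently never matching."""
    parsed = []
    for value in trusted_origins:
        parts = urlsplit(value)
        if not parts.scheme or not parts.netloc:
            raise ValueError(
                f"{value!r}: trusted origins must include the scheme, "
                f"e.g. 'https://{value}'"
            )
        parsed.append((parts.scheme.lower(), parts.netloc.lower()))
    return parsed


def _netloc_matches(netloc, pattern):
    """Exact match, or '*.example.com' matching any subdomain but not the
    bare domain. netloc includes the port, so 'app.example.com:8443' does
    not match 'https://*.example.com'; list the port explicitly if needed."""
    if pattern.startswith("*."):
        return netloc.endswith(pattern[1:])
    return netloc == pattern


def origin_verified(origin, request_host, request_is_secure, trusted_origins):
    """Return True if the Origin header names the request's own origin or a
    trusted one. Anything that does not parse as scheme://host[:port] is
    rejected rather than raised on, which is the failure mode behind the
    "invalid host" crash fixes in the log."""
    allowed = parse_trusted_origins(trusted_origins)
    # "null" is what browsers send for opaque origins (sandboxed frames,
    # file:// pages); it can never be trusted.
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)        # raises ValueError on e.g. "https://[::1"
        _ = parts.port                  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if not parts.scheme or not parts.netloc:
        return False
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    # Same origin as the request itself: scheme from TLS state, host from
    # the validated request host (Django's request.get_host() equivalent).
    request_scheme = "https" if request_is_secure else "http"
    if scheme == request_scheme and netloc == request_host.lower():
        return True
    return any(
        scheme == t_scheme and _netloc_matches(netloc, t_netloc)
        for t_scheme, t_netloc in allowed
    )
```

The same-origin branch deliberately compares the scheme too: an `http://` Origin on an HTTPS request is a downgrade from the CSRF middleware's point of view and is rejected, which is why a trusted-origin entry without a scheme is treated as a configuration error rather than guessed at.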
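The token-handling entries (#31291 salt renamed to mask, #32800 the cookie no longer masked, #32795/#32796 failing early on badly formatted tokens, #36546 and its revert around constant_time_compare() and hmac.compare_digest()) describe how a form token relates to the cookie secret. The following is an added example, not Django's code: a minimal mask/unmask/check/compare round-trip in that shape. The alphabet, the lengths and the per-character addition used for masking are assumptions modeled on the approach rather than copied from csrf.py, and the sample values are constructed.

```python
"""Added example, not Django's code: cookie holds the unmasked secret, each
form gets a freshly masked token, malformed tokens fail before comparison,
and the comparison is constant-time. Alphabet, lengths and the masking
arithmetic are assumptions of this example."""
import hmac
import secrets
import string

ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 symbols
SECRET_LENGTH = 32                                    # bare secret (cookie)
TOKEN_LENGTH = 2 * SECRET_LENGTH                      # mask + masked secret


def new_secret():
    """Random secret from a CSPRNG; this is what the CSRF cookie carries."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret, mask=""):
    """Return mask + (secret + mask), adding alphabet indices mod 62 per
    character. A fresh random mask per rendered form makes the token bytes
    differ on every response even though the secret stays constant; the
    cookie itself is never reflected in the response body, which is why it
    can hold the bare secret."""
    mask = mask or new_secret()
    pairs = zip(map(ALLOWED_CHARS.index, secret), map(ALLOWED_CHARS.index, mask))
    masked = "".join(ALLOWED_CHARS[(x + y) % len(ALLOWED_CHARS)] for x, y in pairs)
    return mask + masked


def unmask_token(token):
    """Inverse of mask_secret(): subtract the mask character by character."""
    mask, masked = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    pairs = zip(map(ALLOWED_CHARS.index, masked), map(ALLOWED_CHARS.index, mask))
    return "".join(ALLOWED_CHARS[(x - y) % len(ALLOWED_CHARS)] for x, y in pairs)


def check_token_format(token, lengths=(SECRET_LENGTH, TOKEN_LENGTH)):
    """Fail early on badly formatted tokens: accepted length(s) only and
    alphabet characters only. Doing this first keeps garbage out of the
    unmasking arithmetic and out of the comparison."""
    if len(token) not in lengths:
        raise ValueError("CSRF token has incorrect length")
    if any(c not in ALLOWED_CHARS for c in token):
        raise ValueError("CSRF token has invalid characters")


def does_token_match(request_token, cookie_secret):
    """Compare the token from the form field or header with the cookie
    secret in constant time. hmac.compare_digest() is what Django's
    constant_time_compare() wraps; a plain == returns at the first differing
    character and so leaks, through timing, how much of a guess was right."""
    check_token_format(request_token)
    check_token_format(cookie_secret, lengths=(SECRET_LENGTH,))
    if len(request_token) == TOKEN_LENGTH:
        request_token = unmask_token(request_token)
    return hmac.compare_digest(request_token, cookie_secret)
```

Accepting a bare 32-character value as well as a 64-character masked one in does_token_match() is what lets a client that reads the cookie and sends it back in a header pass the same check as a rendered form; the format check runs on both sides before any arithmetic or comparison so that a malformed cookie is rejected as early as a malformed token.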
