summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2017-09-20Fixed #28488 -- Reallowed error handlers to access CSRF tokens.Florian Apolloner
Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b.
2017-03-04Refs #27656 -- Updated remaining docstring verbs according to PEP 257.Anton Samarchyan
2017-02-27Imported django.http classes instead of django.http.Asif Saifuddin Auvi
2017-01-30Refs #23919 -- Assumed request COOKIES and META are strClaude Paroz
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-29Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with ↵Krzysztof Urbaniak
prefix_default_language=False.
2016-11-06Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵Sven Engström
trailing slash.
2016-11-05Fixed #27346 -- Stopped setting the Content-Length header in ↵Adam Malinowski
ConditionalGetMiddleware.
2016-10-17Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.Kevin Christopher Henry
2016-10-14Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.Tim Graham
2016-10-13Refs #19705 -- Made GZipMiddleware make ETags weak.Kevin Christopher Henry
Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression.
2016-10-10Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵Denis Cornehl
ConditionalGetMiddleware.
2016-09-14Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 ↵Rinat Khabibiev
Not Modified" responses.
2016-09-10Fixed #27083 -- Added support for weak ETags.Kevin Christopher Henry
2016-08-10Fixed #26947 -- Added an option to enable the HSTS header preload directive.Ed Morley
2016-07-15Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵andrewnester
has Cache-Control: no-store.
2016-06-27Fixed #5897 -- Added the Content-Length response header in CommonMiddlewareClaude Paroz
Thanks Tim Graham for the review.
2016-06-17Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵Carl Meyer
exception handling.
2016-06-04Removed an unused logger in middleware/common.pyTim Graham
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-05-19Fixed some newlines in imports per isort.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware.Florian Apolloner
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-04-04Fixed W503 flake8 warnings.Tim Graham
2016-03-23Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ieatkittens
APPEND_SLASH independently.
2016-03-10Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with ↵Krzysztof Urbaniak
HTTP_ACCEPT_LANGUAGE header.
2016-03-08Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.harikrishnakanchi
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().Krzysztof Urbaniak
2016-03-03Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.Simon Charette
Thanks Tim for the review.
2016-02-09Fixed typo in django/middleware/common.py docstring.Liam Brenner
2016-01-20Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).chemary
2016-01-05Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.Denis Cornehl
Thanks Denis Cornehl for help with the patch.
2015-12-31Fixed #26013 -- Moved django.core.urlresolvers to django.urls.Marten Kenbeek
Thanks to Tim Graham for the review.
2015-12-10Fixed #25900 -- Fixed regression in CommonMiddleware ETag support.Derek J. Curtis
2015-11-26Fixed #25302 (again) -- Ignored scheme when checking for bad referers.Aymeric Augustin
The check introduced in 4ce433e was too strict in real life. The poorly implemented bots this patch attempted to ignore are sloppy when it comes to http vs. https.
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-09-05Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.Joshua Kehn
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
2015-08-24Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s ↵Maxime Lorant
when Referer = URL.
2015-08-15Fixed #24935 -- Refactored common conditional GET handling.Denis Cornehl
2015-08-08Updated Wikipedia links to use httpsClaude Paroz
2015-07-31Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in ↵Jay Cox
CommonMiddleware. This speeds up affected requests by about 5%.
2015-06-27Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS responsesujayskumar
2015-05-13Removed unnecessary arguments in .get method callsPiotr Jakimiak
2015-05-02Fixed #24696 -- Made CSRF_COOKIE computation lazy.Jay Cox
Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.
2015-04-21Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddlewareOliver A Bristow