| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2017-09-20 | Fixed #28488 -- Reallowed error handlers to access CSRF tokens. | Florian Apolloner | |
| Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. | |||
| 2017-03-04 | Refs #27656 -- Updated remaining docstring verbs according to PEP 257. | Anton Samarchyan | |
| 2017-02-27 | Imported django.http classes instead of django.http. | Asif Saifuddin Auvi | |
| 2017-01-30 | Refs #23919 -- Assumed request COOKIES and META are str | Claude Paroz | |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-11-30 | Refs #16859 -- Allowed storing CSRF tokens in sessions. | Raphael Michel | |
| Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review. | |||
| 2016-11-29 | Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with ↵ | Krzysztof Urbaniak | |
| prefix_default_language=False. | |||
| 2016-11-06 | Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵ | Sven Engström | |
| trailing slash. | |||
| 2016-11-05 | Fixed #27346 -- Stopped setting the Content-Length header in ↵ | Adam Malinowski | |
| ConditionalGetMiddleware. | |||
| 2016-10-17 | Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests. | Kevin Christopher Henry | |
| 2016-10-14 | Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware. | Tim Graham | |
| 2016-10-13 | Refs #19705 -- Made GZipMiddleware make ETags weak. | Kevin Christopher Henry | |
| Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression. | |||
| 2016-10-10 | Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵ | Denis Cornehl | |
| ConditionalGetMiddleware. | |||
| 2016-09-14 | Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 ↵ | Rinat Khabibiev | |
| Not Modified" responses. | |||
| 2016-09-10 | Fixed #27083 -- Added support for weak ETags. | Kevin Christopher Henry | |
| 2016-08-10 | Fixed #26947 -- Added an option to enable the HSTS header preload directive. | Ed Morley | |
| 2016-07-15 | Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵ | andrewnester | |
| has Cache-Control: no-store. | |||
| 2016-06-27 | Fixed #5897 -- Added the Content-Length response header in CommonMiddleware | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2016-06-17 | Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵ | Carl Meyer | |
| exception handling. | |||
| 2016-06-04 | Removed an unused logger in middleware/common.py | Tim Graham | |
| 2016-06-04 | Fixed #26628 -- Changed CSRF logger to django.security.csrf. | Holly Becker | |
| 2016-05-19 | Fixed some newlines in imports per isort. | Tim Graham | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2016-05-17 | Fixed #26601 -- Improved middleware per DEP 0005. | Florian Apolloner | |
| Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. | |||
| 2016-05-17 | Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware. | Florian Apolloner | |
| 2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov | |
| Didn't touch comments where it wasn't obvious that the code adhered to the newer standard. | |||
| 2016-04-08 | Fixed E128 flake8 warnings in django/. | Tim Graham | |
| 2016-04-04 | Fixed W503 flake8 warnings. | Tim Graham | |
| 2016-03-23 | Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ | ieatkittens | |
| APPEND_SLASH independently. | |||
| 2016-03-10 | Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with ↵ | Krzysztof Urbaniak | |
| HTTP_ACCEPT_LANGUAGE header. | |||
| 2016-03-08 | Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects. | harikrishnakanchi | |
| If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email. | |||
| 2016-03-08 | Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns(). | Krzysztof Urbaniak | |
| 2016-03-03 | Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf. | Simon Charette | |
| Thanks Tim for the review. | |||
| 2016-02-09 | Fixed typo in django/middleware/common.py docstring. | Liam Brenner | |
| 2016-01-20 | Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). | chemary | |
| 2016-01-05 | Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support. | Denis Cornehl | |
| Thanks Denis Cornehl for help with the patch. | |||
| 2015-12-31 | Fixed #26013 -- Moved django.core.urlresolvers to django.urls. | Marten Kenbeek | |
| Thanks to Tim Graham for the review. | |||
| 2015-12-10 | Fixed #25900 -- Fixed regression in CommonMiddleware ETag support. | Derek J. Curtis | |
| 2015-11-26 | Fixed #25302 (again) -- Ignored scheme when checking for bad referers. | Aymeric Augustin | |
| The check introduced in 4ce433e was too strict in real life. The poorly implemented bots this patch attempted to ignore are sloppy when it comes to http vs. https. | |||
| 2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt | |
| Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | |||
| 2015-09-05 | Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. | Joshua Kehn | |
| Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests. | |||
| 2015-08-24 | Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s ↵ | Maxime Lorant | |
| when Referer = URL. | |||
| 2015-08-15 | Fixed #24935 -- Refactored common conditional GET handling. | Denis Cornehl | |
| 2015-08-08 | Updated Wikipedia links to use https | Claude Paroz | |
| 2015-07-31 | Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in ↵ | Jay Cox | |
| CommonMiddleware. This speeds up affected requests by about 5%. | |||
| 2015-06-27 | Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response | sujayskumar | |
| 2015-05-13 | Removed unnecessary arguments in .get method calls | Piotr Jakimiak | |
| 2015-05-02 | Fixed #24696 -- Made CSRF_COOKIE computation lazy. | Jay Cox | |
| Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly. | |||
| 2015-04-21 | Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddleware | Oliver A Bristow | |
