summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2018-08-01[2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in ↵Andreas Hug
CommonMiddleware.
2018-05-04Fixed #26688 -- Fixed HTTP request logging inconsistencies.Samir Shah
* Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses.
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-03-16Fixed hanging indentation in various code.Mariusz Felisiak
2018-02-14Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has ↵Tomer Chachamu
an invalid host.
2018-02-06Fixed #28833 -- Prevented CacheMiddleware from caching responses with ↵shanghui
"Cache-Control: private".
2018-01-03Fixed #28982 -- Simplified code with and/or.Дилян Палаузов
2017-11-14Fixed #28795 -- Removed 'not in' checks and used dict.setdefault().Дилян Палаузов
2017-11-11Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.Tim Graham
Follow up to 48d57788ee56811fa77cd37b9edf40535f82d87e.
2017-09-22Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline.Tim Graham
2017-09-20Fixed #28488 -- Reallowed error handlers to access CSRF tokens.Florian Apolloner
Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b.
2017-03-04Refs #27656 -- Updated remaining docstring verbs according to PEP 257.Anton Samarchyan
2017-02-27Imported django.http classes instead of django.http.Asif Saifuddin Auvi
2017-01-30Refs #23919 -- Assumed request COOKIES and META are strClaude Paroz
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-29Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with ↵Krzysztof Urbaniak
prefix_default_language=False.
2016-11-06Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵Sven Engström
trailing slash.
2016-11-05Fixed #27346 -- Stopped setting the Content-Length header in ↵Adam Malinowski
ConditionalGetMiddleware.
2016-10-17Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.Kevin Christopher Henry
2016-10-14Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.Tim Graham
2016-10-13Refs #19705 -- Made GZipMiddleware make ETags weak.Kevin Christopher Henry
Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression.
2016-10-10Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵Denis Cornehl
ConditionalGetMiddleware.
2016-09-14Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 ↵Rinat Khabibiev
Not Modified" responses.
2016-09-10Fixed #27083 -- Added support for weak ETags.Kevin Christopher Henry
2016-08-10Fixed #26947 -- Added an option to enable the HSTS header preload directive.Ed Morley
2016-07-15Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵andrewnester
has Cache-Control: no-store.
2016-06-27Fixed #5897 -- Added the Content-Length response header in CommonMiddlewareClaude Paroz
Thanks Tim Graham for the review.
2016-06-17Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵Carl Meyer
exception handling.
2016-06-04Removed an unused logger in middleware/common.pyTim Graham
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-05-19Fixed some newlines in imports per isort.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware.Florian Apolloner
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-04-04Fixed W503 flake8 warnings.Tim Graham
2016-03-23Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ieatkittens
APPEND_SLASH independently.
2016-03-10Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with ↵Krzysztof Urbaniak
HTTP_ACCEPT_LANGUAGE header.
2016-03-08Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.harikrishnakanchi
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().Krzysztof Urbaniak
2016-03-03Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.Simon Charette
Thanks Tim for the review.
2016-02-09Fixed typo in django/middleware/common.py docstring.Liam Brenner
2016-01-20Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).chemary
2016-01-05Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.Denis Cornehl
Thanks Denis Cornehl for help with the patch.
2015-12-31Fixed #26013 -- Moved django.core.urlresolvers to django.urls.Marten Kenbeek
Thanks to Tim Graham for the review.
2015-12-10Fixed #25900 -- Fixed regression in CommonMiddleware ETag support.Derek J. Curtis
2015-11-26Fixed #25302 (again) -- Ignored scheme when checking for bad referers.Aymeric Augustin
The check introduced in 4ce433e was too strict in real life. The poorly implemented bots this patch attempted to ignore are sloppy when it comes to http vs. https.