summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2018-10-30Capitalized SecurityMiddleware headers for consistency with other headers.Artur Juraszek
(No behavior change since HTTP headers are case insensitive.)
2018-09-08Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.Michal Čihař
2018-08-01Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.Andreas Hug
2018-05-04Fixed #26688 -- Fixed HTTP request logging inconsistencies.Samir Shah
* Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses.
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-03-16Fixed hanging indentation in various code.Mariusz Felisiak
2018-02-14Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has ↵Tomer Chachamu
an invalid host.
2018-02-06Fixed #28833 -- Prevented CacheMiddleware from caching responses with ↵shanghui
"Cache-Control: private".
2018-01-03Fixed #28982 -- Simplified code with and/or.Дилян Палаузов
2017-11-14Fixed #28795 -- Removed 'not in' checks and used dict.setdefault().Дилян Палаузов
2017-11-11Refs #26447 -- Removed outdated ETag comment in CommonMiddleware.Tim Graham
Follow up to 48d57788ee56811fa77cd37b9edf40535f82d87e.
2017-09-22Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline.Tim Graham
2017-09-20Fixed #28488 -- Reallowed error handlers to access CSRF tokens.Florian Apolloner
Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b.
2017-03-04Refs #27656 -- Updated remaining docstring verbs according to PEP 257.Anton Samarchyan
2017-02-27Imported django.http classes instead of django.http.Asif Saifuddin Auvi
2017-01-30Refs #23919 -- Assumed request COOKIES and META are strClaude Paroz
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-30Refs #16859 -- Allowed storing CSRF tokens in sessions.Raphael Michel
Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review.
2016-11-29Fixed #27402 -- Fixed incorrect LocaleMiddleware redirects with ↵Krzysztof Urbaniak
prefix_default_language=False.
2016-11-06Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵Sven Engström
trailing slash.
2016-11-05Fixed #27346 -- Stopped setting the Content-Length header in ↵Adam Malinowski
ConditionalGetMiddleware.
2016-10-17Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.Kevin Christopher Henry
2016-10-14Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.Tim Graham
2016-10-13Refs #19705 -- Made GZipMiddleware make ETags weak.Kevin Christopher Henry
Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression.
2016-10-10Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵Denis Cornehl
ConditionalGetMiddleware.
2016-09-14Fixed #27211 -- Made UpdateCacheMiddleware include caching headers for "304 ↵Rinat Khabibiev
Not Modified" responses.
2016-09-10Fixed #27083 -- Added support for weak ETags.Kevin Christopher Henry
2016-08-10Fixed #26947 -- Added an option to enable the HSTS header preload directive.Ed Morley
2016-07-15Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵andrewnester
has Cache-Control: no-store.
2016-06-27Fixed #5897 -- Added the Content-Length response header in CommonMiddlewareClaude Paroz
Thanks Tim Graham for the review.
2016-06-17Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵Carl Meyer
exception handling.
2016-06-04Removed an unused logger in middleware/common.pyTim Graham
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-05-19Fixed some newlines in imports per isort.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware.Florian Apolloner
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-04-04Fixed W503 flake8 warnings.Tim Graham
2016-03-23Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ieatkittens
APPEND_SLASH independently.
2016-03-10Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with ↵Krzysztof Urbaniak
HTTP_ACCEPT_LANGUAGE header.
2016-03-08Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.harikrishnakanchi
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().Krzysztof Urbaniak
2016-03-03Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.Simon Charette
Thanks Tim for the review.
2016-02-09Fixed typo in django/middleware/common.py docstring.Liam Brenner
2016-01-20Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).chemary
2016-01-05Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.Denis Cornehl
Thanks Denis Cornehl for help with the patch.
2015-12-31Fixed #26013 -- Moved django.core.urlresolvers to django.urls.Marten Kenbeek
Thanks to Tim Graham for the review.