summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2022-02-08[4.0.x] Refs #33476 -- Reformatted code with Black.django-bot
Backport of 9c19aff7c7561e3a82978a272ecdaad40dda5c00 from main.
2021-09-01Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern.Alex Hayward
get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result.
2021-08-17Refs #32800 -- Added _add_new_csrf_cookie() helper function.Chris Jerdonek
This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed.
2021-08-17Refs #32800 -- Renamed _set_token() to _set_csrf_cookie().Chris Jerdonek
2021-08-03Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match().Chris Jerdonek
2021-07-29Refs #32916 -- Replaced request.csrf_cookie_needs_reset with ↵Chris Jerdonek
request.META['CSRF_COOKIE_NEEDS_UPDATE'].
2021-07-29Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and ↵Chris Jerdonek
request.csrf_cookie_needs_reset.
2021-07-23Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError.Virtosu Bogdan
Thanks Chris Jerdonek for the review.
2021-07-23Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset ↵Chris Jerdonek
logic. Thanks Florian Apolloner and Shai Berger for reviews.
2021-06-23Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token ↵Chris Jerdonek
error messages.
2021-06-22Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token().Chris Jerdonek
2021-06-12Fixed comment in CsrfViewMiddleware to say _reject instead of reject.Chris Jerdonek
2021-06-01Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly ↵Chris Jerdonek
formatted cookie tokens.
2021-05-31Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly ↵Chris Jerdonek
formatted tokens.
2021-05-29Refs #32778 -- Improved the name of the regex object detecting invalid CSRF ↵Chris Jerdonek
token characters. This also improves the comments near where the variable is used.
2021-05-28Refs #32596 -- Added early return on safe methods in ↵Chris Jerdonek
CsrfViewMiddleware.process_view().
2021-05-28Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay ↵Chris Jerdonek
computing good_referer.
2021-05-28Fixed #32596 -- Added CsrfViewMiddleware._check_referer().Chris Jerdonek
This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test.
2021-05-25Fixed #32778 -- Avoided unnecessary recompilation of token regex in ↵abhiabhi94
_sanitize_token().
2021-04-30Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.Tim Graham
2021-03-30Fixed #31840 -- Added support for Cross-Origin Opener Policy header.bankc
Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
2021-03-25Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin ↵Chris Jerdonek
header has an invalid host.
2021-03-25Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view().Chris Jerdonek
2021-03-25Refs #32579 -- Optimized good_hosts creation in ↵Chris Jerdonek
CsrfViewMiddleware.process_view().
2021-03-19Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header.Adam Donaghy
2021-03-18Fixed #16010 -- Added Origin header checking to CSRF middleware.Tim Graham
Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
2021-03-18Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.Tim Graham
2021-01-14Refs #26601 -- Made get_response argument required and don't accept None in ↵Mariusz Felisiak
middleware classes. Per deprecation timeline.
2020-10-28Made small readability improvements.Martin Thoma
2020-10-22Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior.Carlton Gibson
2020-09-14Fixed #31789 -- Added a new headers interface to HttpResponse.Tom Carrick
2020-08-28Fixed #31928 -- Fixed detecting an async get_response in various middlewares.Kevin Michel
SecurityMiddleware and the three cache middlewares were not calling super().__init__() during their initialization or calling the required MiddlewareMixin._async_check() method. This made the middlewares not properly present as coroutine and confused the middleware chain when used in a fully async context. Thanks Kordian Kowalski for the report.
2020-05-04Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and ↵Adam Johnson
comments.
2020-02-26Fixed #28699 -- Fixed CSRF validation with remote user middleware.Colton Hicks
Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase.
2020-02-25Fixed #31291 -- Renamed salt to mask for CSRF tokens.Ram Rachum
2020-02-18Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵Claude Paroz
classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-01-16Fixed #30765 -- Made cache_page decorator take precedence over max-age ↵Flavio Curella
Cache-Control directive.
2019-10-29Fixed #30899 -- Lazily compiled import time regular expressions.Hasan Ramezani
2019-10-23Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting.Sergey Fedoseev
2019-09-09Fixed #29406 -- Added support for Referrer-Policy header.Nick Pope
Thanks to James Bennett for the initial implementation.
2019-09-09Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.Claude Paroz
2019-04-24Removed unnecessary assignments in various code.Jon Dufresne
2019-03-30Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS.Brad
Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS.
2019-01-28Fixed #30137 -- Replaced OSError aliases with the canonical OSError.Jon Dufresne
Used more specific errors (e.g. FileExistsError) as appropriate.
2018-10-30Capitalized SecurityMiddleware headers for consistency with other headers.Artur Juraszek
(No behavior change since HTTP headers are case insensitive.)
2018-09-08Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged.Michal Čihař
2018-08-01Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.Andreas Hug
2018-05-04Fixed #26688 -- Fixed HTTP request logging inconsistencies.Samir Shah
* Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses.
2018-04-13Fixed #27863 -- Added support for the SameSite cookie flag.Alex Gaynor
Thanks Alex Gaynor for contributing to the patch.
2018-03-16Fixed hanging indentation in various code.Mariusz Felisiak