| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2022-02-08 | [4.0.x] Refs #33476 -- Reformatted code with Black. | django-bot | |
| Backport of 9c19aff7c7561e3a82978a272ecdaad40dda5c00 from main. | |||
| 2021-09-01 | Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern. | Alex Hayward | |
| get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result. | |||
| 2021-08-17 | Refs #32800 -- Added _add_new_csrf_cookie() helper function. | Chris Jerdonek | |
| This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed. | |||
| 2021-08-17 | Refs #32800 -- Renamed _set_token() to _set_csrf_cookie(). | Chris Jerdonek | |
| 2021-08-03 | Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). | Chris Jerdonek | |
| 2021-07-29 | Refs #32916 -- Replaced request.csrf_cookie_needs_reset with ↵ | Chris Jerdonek | |
| request.META['CSRF_COOKIE_NEEDS_UPDATE']. | |||
| 2021-07-29 | Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and ↵ | Chris Jerdonek | |
| request.csrf_cookie_needs_reset. | |||
| 2021-07-23 | Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError. | Virtosu Bogdan | |
| Thanks Chris Jerdonek for the review. | |||
| 2021-07-23 | Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset ↵ | Chris Jerdonek | |
| logic. Thanks Florian Apolloner and Shai Berger for reviews. | |||
| 2021-06-23 | Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token ↵ | Chris Jerdonek | |
| error messages. | |||
| 2021-06-22 | Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token(). | Chris Jerdonek | |
| 2021-06-12 | Fixed comment in CsrfViewMiddleware to say _reject instead of reject. | Chris Jerdonek | |
| 2021-06-01 | Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly ↵ | Chris Jerdonek | |
| formatted cookie tokens. | |||
| 2021-05-31 | Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly ↵ | Chris Jerdonek | |
| formatted tokens. | |||
| 2021-05-29 | Refs #32778 -- Improved the name of the regex object detecting invalid CSRF ↵ | Chris Jerdonek | |
| token characters. This also improves the comments near where the variable is used. | |||
| 2021-05-28 | Refs #32596 -- Added early return on safe methods in ↵ | Chris Jerdonek | |
| CsrfViewMiddleware.process_view(). | |||
| 2021-05-28 | Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay ↵ | Chris Jerdonek | |
| computing good_referer. | |||
| 2021-05-28 | Fixed #32596 -- Added CsrfViewMiddleware._check_referer(). | Chris Jerdonek | |
| This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test. | |||
| 2021-05-25 | Fixed #32778 -- Avoided unnecessary recompilation of token regex in ↵ | abhiabhi94 | |
| _sanitize_token(). | |||
| 2021-04-30 | Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. | Tim Graham | |
| 2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. | bankc | |
| Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> | |||
| 2021-03-25 | Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin ↵ | Chris Jerdonek | |
| header has an invalid host. | |||
| 2021-03-25 | Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view(). | Chris Jerdonek | |
| 2021-03-25 | Refs #32579 -- Optimized good_hosts creation in ↵ | Chris Jerdonek | |
| CsrfViewMiddleware.process_view(). | |||
| 2021-03-19 | Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. | Adam Donaghy | |
| 2021-03-18 | Fixed #16010 -- Added Origin header checking to CSRF middleware. | Tim Graham | |
| Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews. | |||
| 2021-03-18 | Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. | Tim Graham | |
| 2021-01-14 | Refs #26601 -- Made get_response argument required and don't accept None in ↵ | Mariusz Felisiak | |
| middleware classes. Per deprecation timeline. | |||
| 2020-10-28 | Made small readability improvements. | Martin Thoma | |
| 2020-10-22 | Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior. | Carlton Gibson | |
| 2020-09-14 | Fixed #31789 -- Added a new headers interface to HttpResponse. | Tom Carrick | |
| 2020-08-28 | Fixed #31928 -- Fixed detecting an async get_response in various middlewares. | Kevin Michel | |
| SecurityMiddleware and the three cache middlewares were not calling super().__init__() during their initialization or calling the required MiddlewareMixin._async_check() method. This made the middlewares not properly present as coroutine and confused the middleware chain when used in a fully async context. Thanks Kordian Kowalski for the report. | |||
| 2020-05-04 | Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and ↵ | Adam Johnson | |
| comments. | |||
| 2020-02-26 | Fixed #28699 -- Fixed CSRF validation with remote user middleware. | Colton Hicks | |
| Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase. | |||
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum | |
| 2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵ | Claude Paroz | |
| classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2020-01-16 | Fixed #30765 -- Made cache_page decorator take precedence over max-age ↵ | Flavio Curella | |
| Cache-Control directive. | |||
| 2019-10-29 | Fixed #30899 -- Lazily compiled import time regular expressions. | Hasan Ramezani | |
| 2019-10-23 | Refs #26601 -- Removed obsolete workarounds for MIDDLEWARE_CLASSES setting. | Sergey Fedoseev | |
| 2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. | Nick Pope | |
| Thanks to James Bennett for the initial implementation. | |||
| 2019-09-09 | Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY. | Claude Paroz | |
| 2019-04-24 | Removed unnecessary assignments in various code. | Jon Dufresne | |
| 2019-03-30 | Optimized CommonMiddleware's check for DISALLOWED_USER_AGENTS. | Brad | |
| Avoided getattribute + getitem for each DISALLOWED_USER_AGENTS. | |||
| 2019-01-28 | Fixed #30137 -- Replaced OSError aliases with the canonical OSError. | Jon Dufresne | |
| Used more specific errors (e.g. FileExistsError) as appropriate. | |||
| 2018-10-30 | Capitalized SecurityMiddleware headers for consistency with other headers. | Artur Juraszek | |
| (No behavior change since HTTP headers are case insensitive.) | |||
| 2018-09-08 | Fixed #29728 -- Prevented session resaving if CSRF cookie is unchanged. | Michal Čihař | |
| 2018-08-01 | Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. | Andreas Hug | |
| 2018-05-04 | Fixed #26688 -- Fixed HTTP request logging inconsistencies. | Samir Shah | |
| * Added logging of 500 responses for instantiated responses. * Added logging of all 4xx and 5xx responses. | |||
| 2018-04-13 | Fixed #27863 -- Added support for the SameSite cookie flag. | Alex Gaynor | |
| Thanks Alex Gaynor for contributing to the patch. | |||
| 2018-03-16 | Fixed hanging indentation in various code. | Mariusz Felisiak | |
