| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2023-05-02 | [4.2.x] Fixed #34515 -- Made LocaleMiddleware prefer language from paths ↵ | Mariusz Felisiak | |
| when i18n patterns are used. Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81. This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5. Thanks Anthony Baillard for the report. Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Backport of 0e444e84f87d174713a2aef0c4f9704ce2865586 from main | |||
| 2022-12-22 | Fixed #33735 -- Added async support to StreamingHttpResponse. | Carlton Gibson | |
| Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review. | |||
| 2022-12-17 | Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware. | Andreas Pelme | |
| 2022-11-14 | Fixed #34074 -- Added headers argument to RequestFactory and Client classes. | David Wobrock | |
| 2022-11-10 | Updated documentation and comments for RFC updates. | Nick Pope | |
| - Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents | |||
| 2022-10-31 | Used more augmented assignment statements. | Nick Pope | |
| Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]' | |||
| 2022-10-13 | Fixed #34069 -- Made LocaleMiddleware respect language from requests when ↵ | Sergio | |
| i18n patterns are used. | |||
| 2022-06-02 | Fixed #33700 -- Skipped extra resolution for successful requests not ending ↵ | Anders Kaseorg | |
| with /. By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it. This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes. Signed-off-by: Anders Kaseorg <andersk@mit.edu> | |||
| 2022-04-29 | Refs #30426 -- Updated XFrameOptionsMiddleware docstring. | Clemens Wolff | |
| Follow up to 05d0eca635853564c57e639ac5590674a7de2ed6. | |||
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2021-11-29 | Refs #32800 -- Renamed _sanitize_token() to _check_token_format(). | Chris Jerdonek | |
| 2021-11-29 | Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret. | Chris Jerdonek | |
| This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instance of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-11-03 | Fixed #33252 -- Made cache middlewares thread-safe. | Iuri de Silvio | |
| 2021-09-01 | Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern. | Alex Hayward | |
| get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result. | |||
| 2021-08-17 | Refs #32800 -- Added _add_new_csrf_cookie() helper function. | Chris Jerdonek | |
| This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed. | |||
| 2021-08-17 | Refs #32800 -- Renamed _set_token() to _set_csrf_cookie(). | Chris Jerdonek | |
| 2021-08-03 | Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). | Chris Jerdonek | |
| 2021-07-29 | Refs #32916 -- Replaced request.csrf_cookie_needs_reset with ↵ | Chris Jerdonek | |
| request.META['CSRF_COOKIE_NEEDS_UPDATE']. | |||
| 2021-07-29 | Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and ↵ | Chris Jerdonek | |
| request.csrf_cookie_needs_reset. | |||
| 2021-07-23 | Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError. | Virtosu Bogdan | |
| Thanks Chris Jerdonek for the review. | |||
| 2021-07-23 | Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset ↵ | Chris Jerdonek | |
| logic. Thanks Florian Apolloner and Shai Berger for reviews. | |||
| 2021-06-23 | Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token ↵ | Chris Jerdonek | |
| error messages. | |||
| 2021-06-22 | Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token(). | Chris Jerdonek | |
| 2021-06-12 | Fixed comment in CsrfViewMiddleware to say _reject instead of reject. | Chris Jerdonek | |
| 2021-06-01 | Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly ↵ | Chris Jerdonek | |
| formatted cookie tokens. | |||
| 2021-05-31 | Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly ↵ | Chris Jerdonek | |
| formatted tokens. | |||
| 2021-05-29 | Refs #32778 -- Improved the name of the regex object detecting invalid CSRF ↵ | Chris Jerdonek | |
| token characters. This also improves the comments near where the variable is used. | |||
| 2021-05-28 | Refs #32596 -- Added early return on safe methods in ↵ | Chris Jerdonek | |
| CsrfViewMiddleware.process_view(). | |||
| 2021-05-28 | Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay ↵ | Chris Jerdonek | |
| computing good_referer. | |||
| 2021-05-28 | Fixed #32596 -- Added CsrfViewMiddleware._check_referer(). | Chris Jerdonek | |
| This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test. | |||
| 2021-05-25 | Fixed #32778 -- Avoided unnecessary recompilation of token regex in ↵ | abhiabhi94 | |
| _sanitize_token(). | |||
| 2021-04-30 | Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. | Tim Graham | |
| 2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. | bankc | |
| Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> | |||
| 2021-03-25 | Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin ↵ | Chris Jerdonek | |
| header has an invalid host. | |||
| 2021-03-25 | Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view(). | Chris Jerdonek | |
| 2021-03-25 | Refs #32579 -- Optimized good_hosts creation in ↵ | Chris Jerdonek | |
| CsrfViewMiddleware.process_view(). | |||
| 2021-03-19 | Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. | Adam Donaghy | |
| 2021-03-18 | Fixed #16010 -- Added Origin header checking to CSRF middleware. | Tim Graham | |
| Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews. | |||
| 2021-03-18 | Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. | Tim Graham | |
| 2021-01-14 | Refs #26601 -- Made get_response argument required and don't accept None in ↵ | Mariusz Felisiak | |
| middleware classes. Per deprecation timeline. | |||
| 2020-10-28 | Made small readability improvements. | Martin Thoma | |
| 2020-10-22 | Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior. | Carlton Gibson | |
| 2020-09-14 | Fixed #31789 -- Added a new headers interface to HttpResponse. | Tom Carrick | |
| 2020-08-28 | Fixed #31928 -- Fixed detecting an async get_response in various middlewares. | Kevin Michel | |
| SecurityMiddleware and the three cache middlewares were not calling super().__init__() during their initialization or calling the required MiddlewareMixin._async_check() method. This made the middlewares not properly present as coroutine and confused the middleware chain when used in a fully async context. Thanks Kordian Kowalski for the report. | |||
| 2020-05-04 | Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and ↵ | Adam Johnson | |
| comments. | |||
| 2020-02-26 | Fixed #28699 -- Fixed CSRF validation with remote user middleware. | Colton Hicks | |
| Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase. | |||
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum | |
| 2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵ | Claude Paroz | |
| classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2020-01-16 | Fixed #30765 -- Made cache_page decorator take precedence over max-age ↵ | Flavio Curella | |
| Cache-Control directive. | |||
| 2019-10-29 | Fixed #30899 -- Lazily compiled import time regular expressions. | Hasan Ramezani | |
