summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2026-06-09Refs #36560, CVE-2026-35193 -- Replaced substring check on cache-control ↵Jacob Walls
directives in UpdateCacheMiddleware. Avoid false positives from hypothetical extension directives that could be superstrings of the ones we are checking.
2026-06-08Refs CVE-2026-48587 -- Added helper to properly split header values.Natalia
Extracted the repeated `split(",")` + per-token `.strip()` pattern into a `split_header_value()` generator in django/utils/http.py. The previous `cc_delim_re` regex only stripped whitespace adjacent to the comma delimiter, leaving leading or trailing whitespace on the first and last tokens. Now, `split_header_value()` strips every token fully, matching RFC 9110's optional-whitespace rules. Thanks to Shai Berger, Jacob Walls, and Sarah Boyce for reviews.
2026-06-03Fixed CVE-2026-35193 -- Varied on Authorization when caching non-public ↵Jacob Walls
responses. Thanks Shai Berger for the report, and Natalia Bidart and Sarah Boyce for reviews.
2026-06-03Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in ↵Jake Howard
UpdateCacheMiddleware. Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-05Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header ↵Sarah Boyce
contains an asterisk. Thank you Ahmad Sadeddin for the report and Jacob Walls for the review.
2025-10-21Fixed #36656 -- Avoided truncating async streaming responses in GZipMiddleware.Adam Johnson
2025-09-15Renamed local variables in CsrfViewMiddleware._origin_verified() for clarity.Klaas van Schelven
2025-09-03Refs #34989 -- Ensured the Content-Length header is set when redirect with ↵Ronan LE HAY
APPEND_SLASH.
2025-08-28Fixed #36532 -- Added Content Security Policy view decorators to override or ↵Rob Hudson
disable policies. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-08-27Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵Sarah Boyce
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵SaJH
favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-21Fixed #36560 -- Prevented UpdateCacheMiddleware from caching responses with ↵mengxun
Cache-Control 'no-cache' or 'no-store'.
2025-07-24Fixed typo in django/middleware/gzip.py.Mohamed Amine Mahmoud
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2025-06-27Fixed #15727 -- Added Content Security Policy (CSP) support.Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-07-04Removed unneeded hyphens in "counterintuitive".Carlton Gibson
Follow-up to 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which added counterintuitive to the wordlist. Removes unneeded (antiquated) hyphenated usages. See e.g. https://www.merriam-webster.com/dictionary/counterintuitive
2024-05-29Fixed 35467 -- Replaced urlparse with urlsplit where appropriate.Jake Howard
This work should not generate any change of functionality, and `urlsplit` is approximately 6x faster. Most use cases of `urlparse` didn't touch the path, so they can be converted to `urlsplit` without any issue. Most of those which do use `.path`, simply parse the URL, mutate the querystring, then put them back together, which is also fine (so long as urlunsplit is used).
2024-02-05Fixed #27225 -- Added "Age" header when fetching cached responses.Rinat Khabibiev
Co-Authored-By: Author: Alexander Lazarević <laza@e11bits.com>
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-12-08Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on ↵Avaneesh Kumar
DELETE requests.
2023-05-02Fixed #34515 -- Made LocaleMiddleware prefer language from paths when i18n ↵Mariusz Felisiak
patterns are used. Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81. This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5. Thanks Anthony Baillard for the report. Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2023-01-17Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per ↵Mariusz Felisiak
deprecation timeline.
2022-12-22Fixed #33735 -- Added async support to StreamingHttpResponse.Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-17Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.Andreas Pelme
2022-11-14Fixed #34074 -- Added headers argument to RequestFactory and Client classes.David Wobrock
2022-11-10Updated documentation and comments for RFC updates.Nick Pope
- Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents
2022-10-31Used more augmented assignment statements.Nick Pope
Identified using the following command: $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
2022-10-13Fixed #34069 -- Made LocaleMiddleware respect language from requests when ↵Sergio
i18n patterns are used.
2022-06-02Fixed #33700 -- Skipped extra resolution for successful requests not ending ↵Anders Kaseorg
with /. By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it. This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-04-29Refs #30426 -- Updated XFrameOptionsMiddleware docstring.Clemens Wolff
Follow up to 05d0eca635853564c57e639ac5590674a7de2ed6.
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-11-29Refs #32800 -- Renamed _sanitize_token() to _check_token_format().Chris Jerdonek
2021-11-29Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.Chris Jerdonek
This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instance of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-11-03Fixed #33252 -- Made cache middlewares thread-safe.Iuri de Silvio
2021-09-01Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern.Alex Hayward
get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result.
2021-08-17Refs #32800 -- Added _add_new_csrf_cookie() helper function.Chris Jerdonek
This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed.
2021-08-17Refs #32800 -- Renamed _set_token() to _set_csrf_cookie().Chris Jerdonek
2021-08-03Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match().Chris Jerdonek
2021-07-29Refs #32916 -- Replaced request.csrf_cookie_needs_reset with ↵Chris Jerdonek
request.META['CSRF_COOKIE_NEEDS_UPDATE'].
2021-07-29Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and ↵Chris Jerdonek
request.csrf_cookie_needs_reset.
2021-07-23Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError.Virtosu Bogdan
Thanks Chris Jerdonek for the review.
2021-07-23Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset ↵Chris Jerdonek
logic. Thanks Florian Apolloner and Shai Berger for reviews.
2021-06-23Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token ↵Chris Jerdonek
error messages.
2021-06-22Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token().Chris Jerdonek
2021-06-12Fixed comment in CsrfViewMiddleware to say _reject instead of reject.Chris Jerdonek
2021-06-01Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly ↵Chris Jerdonek
formatted cookie tokens.
2021-05-31Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly ↵Chris Jerdonek
formatted tokens.
2021-05-29Refs #32778 -- Improved the name of the regex object detecting invalid CSRF ↵Chris Jerdonek
token characters. This also improves the comments near where the variable is used.