summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2016-09-10Fixed #27083 -- Added support for weak ETags.Kevin Christopher Henry
2016-08-10Fixed #26947 -- Added an option to enable the HSTS header preload directive.Ed Morley
2016-07-15Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵andrewnester
has Cache-Control: no-store.
2016-06-27Fixed #5897 -- Added the Content-Length response header in CommonMiddlewareClaude Paroz
Thanks Tim Graham for the review.
2016-06-17Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware ↵Carl Meyer
exception handling.
2016-06-04Removed an unused logger in middleware/common.pyTim Graham
2016-06-04Fixed #26628 -- Changed CSRF logger to django.security.csrf.Holly Becker
2016-05-19Fixed some newlines in imports per isort.Tim Graham
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2016-05-17Refs #26601 -- Refactored BaseHandler to prepare for new-style middleware.Florian Apolloner
2016-05-03Fixed #26567 -- Updated references to obsolete RFC2616.Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-04-04Fixed W503 flake8 warnings.Tim Graham
2016-03-23Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ieatkittens
APPEND_SLASH independently.
2016-03-10Refs #25933 -- Fixed i18n_patterns() prefix_default_language=False with ↵Krzysztof Urbaniak
HTTP_ACCEPT_LANGUAGE header.
2016-03-08Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.harikrishnakanchi
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email.
2016-03-08Fixed #25933 -- Allowed an unprefixed default language in i18n_patterns().Krzysztof Urbaniak
2016-03-03Fixed #26295 -- Allowed using i18n_patterns() in any root URLconf.Simon Charette
Thanks Tim for the review.
2016-02-09Fixed typo in django/middleware/common.py docstring.Liam Brenner
2016-01-20Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True).chemary
2016-01-05Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.Denis Cornehl
Thanks Denis Cornehl for help with the patch.
2015-12-31Fixed #26013 -- Moved django.core.urlresolvers to django.urls.Marten Kenbeek
Thanks to Tim Graham for the review.
2015-12-10Fixed #25900 -- Fixed regression in CommonMiddleware ETag support.Derek J. Curtis
2015-11-26Fixed #25302 (again) -- Ignored scheme when checking for bad referers.Aymeric Augustin
The check introduced in 4ce433e was too strict in real life. The poorly implemented bots this patch attempted to ignore are sloppy when it comes to http vs. https.
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-09-05Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS.Joshua Kehn
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests.
2015-08-24Fixed #25302 -- Prevented BrokenLinkEmailsMiddleware from reporting 404s ↵Maxime Lorant
when Referer = URL.
2015-08-15Fixed #24935 -- Refactored common conditional GET handling.Denis Cornehl
2015-08-08Updated Wikipedia links to use httpsClaude Paroz
2015-07-31Fixed #24720 -- Avoided resolving URLs that don't end in a slash twice in ↵Jay Cox
CommonMiddleware. This speeds up affected requests by about 5%.
2015-06-27Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS responsesujayskumar
2015-05-13Removed unnecessary arguments in .get method callsPiotr Jakimiak
2015-05-02Fixed #24696 -- Made CSRF_COOKIE computation lazy.Jay Cox
Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly.
2015-04-21Fixed #24681 -- Removed Unicode bug in BrokenLinkEmailMiddlewareOliver A Bristow
2015-03-26Fixed #19910 -- Added slash to i18n redirect if APPEND_SLASH is set.Bas Peschier
This introduces a force_append_slash argument for request.get_full_path() which is used by RedirectFallbackMiddleware and CommonMiddleware when handling redirects for settings.APPEND_SLASH.
2015-03-18Fixed #23960 -- Removed http.fix_location_headerClaude Paroz
Thanks Carl Meyer for the report and Tim Graham for the review.
2015-03-05Fixed #21495 -- Added settings.CSRF_HEADER_NAMEGrzegorz Slusarek
2015-03-02Fixed #24360 -- Delayed internal LocaleMiddleware variable initializationClaude Paroz
Failing in a middleware `__init__` is preventing proper debug view.
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2015-02-01Removed UpdateCacheMiddleware._session_accessed()Tim Graham
This method is unused since f567d04b249913db4a37adab8ba521cdc974d423
2015-01-29Fixed #24145 -- Added PUT & PATCH to CommonMiddleware APPEND_SLASH redirect ↵Samuel Colvin
error.
2015-01-06Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middlewareClaude Paroz
Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review.
2014-11-04Fixed #23531 -- Added CommonMiddleware.response_redirect_class.Berker Peksag
2014-09-12Fixed #17101 -- Integrated django-secure and added check --deploy optionTim Graham
Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews.
2014-08-14Fixed #21579 -- Made LocaleMiddleware respect script prefix.Tim Graham
Thanks buettgenbach at datacollect.com for the report and patch.
2014-06-25Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data.Tim Graham
Thanks Walter Doekes.
2014-06-13Fixed #22440 -- Updated ConditionalGetMiddleware to comply with RFC 2616.Mark Lavin
2014-06-10Fixed #17552 -- Removed a hack for IE6 and earlier.Aymeric Augustin
It prevented the GZipMiddleware from compressing some data types even on more recent version of IE where the corresponding bug was fixed. Thanks Aaron Cannon for the report and Tim Graham for the review.
2014-05-28Fixed several typos in DjangoAlex Gaynor