summaryrefslogtreecommitdiff
path: root/django/middleware
AgeCommit message (Collapse)Author
2012-09-20Imported getLogger directly from logging moduleClaude Paroz
This was a remainder of some 2.4 compatibility code.
2012-09-10fixed rfc comment typo in middleware/csrf.pyCollin Anderson
2012-08-13[py3] Made csrf context processor return UnicodeClaude Paroz
2012-05-03Fixed #18042 -- Advanced deprecation warnings.Aymeric Augustin
Thanks Ramiro for the patch.
2012-03-02Fixed #17817 -- Modified LocalMiddleware to use full URLs when redirecting ↵Jannis Leidel
to i18n URLs. Thanks to Paul for keeping an eye on the standards. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17633 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-02Fixed #17734 -- Made sure to only redirect translated URLs if they can ↵Jannis Leidel
actually be resolved to prevent unwanted redirects. Many thanks to Orne Brocaar and Anssi Kääriäinen for input. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17621 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-18Fixed #17720 -- Stopped the LocaleMiddleware from overeagerly using the ↵Jannis Leidel
request path for language activation if it's actually not wanted. Thanks to Anssi Kääriäinen for the initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17547 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-17Documentation (and some small source code) edits from [17432] - [17537]Adrian Holovaty
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11Fixes #16827. Adds a length check to CSRF tokens before applying the ↵Paul McMillan
santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09Fixed #17358 -- Updated logging calls to use official syntax for arguments ↵Jannis Leidel
instead of string interpolation. Thanks, spulec. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17480 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-09Fixed #16035 -- Appended the Etag response header if the GZipMiddleware is ↵Jannis Leidel
in use to follow RFC2616 better. Thanks, ext and dracos2. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17471 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-09Fixed #10762, #17514 -- Prevented the GZip middleware from returning a ↵Aymeric Augustin
response longer than the original content, allowed compression of non-200 responses, and added tests (there were none). Thanks cannona for the initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17365 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-06Fixed #16705 - Made the test client adhere to the WSGI spec -- in ↵Aymeric Augustin
particular, removed the assumption that environ['QUERY_STRING'] exists. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16933 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-08-12Fixed #16584 -- Fixed a bunch of typos in code comments. Thanks, Bernhard Essl.Jannis Leidel
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16598 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for ↵Jannis Leidel
the work on the patch and Alex for reviewing. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-03Fixed #14506 -- Added an assertion to XViewMiddleware about the dependency ↵Jannis Leidel
on the authentication middleware. Thanks, vanschelven. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16496 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-15Fixed #11585 -- Added ability to translate and prefix URL patterns with a ↵Jannis Leidel
language code as an alternative method for language discovery. Many thanks to Orne Brocaar for his initial work and Carl Meyer for feedback. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16405 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-30Fixed #14261 - Added clickjacking protection (X-Frame-Options header)Luke Plant
Many thanks to rniemeyer for the patch! git-svn-id: http://code.djangoproject.com/svn/django/trunk@16298 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-24Made some small tweaks/fixes to documentation from IGNORABLE_404_URLS ↵Adrian Holovaty
changeset [16160] git-svn-id: http://code.djangoproject.com/svn/django/trunk@16275 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requestsLuke Plant
Thanks to brodie for the report, and further input from tow21 This is a potentially backwards incompatible change - if you were doing PUT/DELETE requests and relying on the lack of protection, you will need to update your code, as noted in the releaste notes. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF ↵Luke Plant
cookie Thanks to cfattarsi for the report and initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-05Fixed #15954 - New IGNORABLE_404_URLS setting that allows more powerful ↵Luke Plant
filtering of 404s to ignore Thanks to aaugustin for implementing this. (Technically this doesn't fix the original report, as we've decided against having *any* default values, but the new feature makes it possible, and the docs have an example addressing #15954). git-svn-id: http://code.djangoproject.com/svn/django/trunk@16160 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30Removed deprecated CsrfResponseMiddleware, and corresponding tests and docsLuke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30Removed Django 1.1 fallback for CSRF checks.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28Removed a bunch more Python 2.4 workarounds now that we don't support that ↵Adrian Holovaty
version. Refs #15702 -- thanks to jonash for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-26Fixed #15635 -- Converted two legacy old-style raise statements. Thanks, ↵Adrian Holovaty
DaNmarner git-svn-id: http://code.djangoproject.com/svn/django/trunk@15917 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15Fixed #15617 - CSRF referer checking too strictLuke Plant
Thanks to adam for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-02Fixed #4992 -- Respect the GET request query string when creating cache ↵Jannis Leidel
keys. Thanks PeterKz and guettli for the initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15705 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01Fixed #717 - If-Modified-Since handling should compare dates according to ↵Luke Plant
RFC 2616 Thanks to Maniac for the report, julienb for the initial patch, and especially to aaugustin for the final patch and tests. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-21Corrected logging call in CSRF middlewareLuke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15623 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-17Fixed #15260 -- Ensured that CACHE_MIDDLEWARE_ANONYMOUS_ONLY is effective ↵Carl Meyer
with the cache_page decorator, not only the middleware. Thanks to brodie for report and draft patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15559 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09Fixed a security issue in the CSRF component. Disclosure and new release ↵Alex Gaynor
forthcoming. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-01Fixed #13283 -- Corrected CACHE_MIDDLEWARE_ANONYMOUS_ONLY's bad habit of ↵Carl Meyer
setting Vary: Cookie on all responses and destroying cache efficiency. Thanks to natrius for the fix. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-30Fixed #15187 -- Ensure that missing page emails aren't sent when running ↵Russell Keith-Magee
under debug. Thanks to Dan Carroll for the report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24Fixed #15012 -- Added post-rendering callbacks to TemplateResponse so that ↵Russell Keith-Magee
decorators (in particular, the cache decorator) can defer processing until after rendering has occurred. Thanks to Joshua Ginsberg for the draft patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15295 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24Fixed #15144 -- Corrected some problems with the Cache middleware when used ↵Russell Keith-Magee
with multiple cache settings. Thanks to Jim Dalton for the report, and to Jim and Joshua Ginsberg for the work on the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15285 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-04Fixed sending mail on 404s to fail silently.Luke Plant
A failure in the e-mail system should not turn a 404 into a 500. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15145 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-22Beefed up the tests for multi-cache handling of the cache middleware and ↵Russell Keith-Magee
view decorators, and made a couple of tweaks for edge cases as a result. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-21Fixed #11675 -- Added support for the PyLibMC cache library. In order to ↵Russell Keith-Magee
support this, and clean up some other 1.3 caching additions, this patch also includes some changes to the way caches are defined. This means you can now have multiple caches, in the same way you have multiple databases. A huge thanks to Jacob Burch for the work on the PyLibMC backend, and to Jannis for his work on the cache definition changes. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15005 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-02Fixed #14559 -- corrected some typos and misleading docstrings. Thanks to ↵Alex Gaynor
Gabriel Hurley for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14441 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29Fixed #14560 -- Enable HEAD requests to be cached properly. Thanks, codemonkey!Honza Král
Introducing ability to cache HEAD requests and GET requests separately by adding the method to the cache key while preserving the functionality that HEAD requests can use cached reponses generated by a GET request. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14391 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28Fixed #14565 - No csrf_token on 404 page.Luke Plant
This solution doesn't have the negative side-effects of [14356]. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14Fixed #14445 - Use HMAC and constant-time comparison functions where needed.Luke Plant
All adhoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation. In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid. In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it. All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function. There are no known practical attacks against the existing implementations, so these security improvements will not be backported. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to ↵Russell Keith-Magee
DeprecationWarnings, and removed 1.1 deprecated code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-06Fixed #14406 -- Added a Python 2.4 compatibility to the logging interface. ↵Russell Keith-Magee
Thanks to Łukasz Rekucki for the report, and to Luke Plant for original patch this was based on. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13989 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04Fixed #12012 -- Added support for logging. Thanks to Vinay Sajip for his ↵Russell Keith-Magee
draft patch, and to the many people who gave feedback during development of the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13981 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10Fixed #14235 - UnicodeDecodeError in CSRF middlewareLuke Plant
Thanks to jbg for the report. This changeset essentially backs out [13698] in favour of a method that sanitizes the token rather than escaping it. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09Patch CSRF-protection system to deal with reported security issue. ↵James Bennett
Announcement and details to follow. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03Added explanatory note on CSRF failure page for the case of a missing ↵Luke Plant
Referer header. This is intended to help power users who have disabled Referer headers, or installed add-ons which have done so, and to help web site administrators with debugging, since this problem will be browser specific and not a programming error. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13680 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-30Added proper code comments for the HTTPS CSRF protection.Luke Plant
Refs #13489 which noticed a vague comment - thanks pmclanahan git-svn-id: http://code.djangoproject.com/svn/django/trunk@13405 bcc190cf-cafb-0310-a4f2-bffc1f526a37