| Age | Commit message (Collapse) | Author |
|
|
|
|
|
APPEND_SLASH.
|
|
disable policies.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
|
|
favor of hmac.compare_digest().
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
Cache-Control 'no-cache' or 'no-store'.
|
|
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
|
|
|
This initial work adds a pair of settings to configure specific CSP
directives for enforcing or reporting policy violations, a new
`django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the
appropriate headers to responses, and a context processor to support CSP
nonces in templates for safely inlining assets.
Relevant documentation has been added for the 6.0 release notes,
security overview, a new how-to page, and a dedicated reference section.
Thanks to the multiple reviewers for their precise and valuable feedback.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Follow-up to 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which added
counterintuitive to the wordlist. Removes unneeded (antiquated)
hyphenated usages.
See e.g. https://www.merriam-webster.com/dictionary/counterintuitive
|
|
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
|
|
Co-Authored-By: Author: Alexander Lazarević <laza@e11bits.com>
|
|
https://github.com/psf/black/releases/tag/24.1.0
|
|
DELETE requests.
|
|
patterns are used.
Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81.
This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81
(refs #34069) and
partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5.
Thanks Anthony Baillard for the report.
Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
deprecation timeline.
|
|
Thanks to Florian Vazelle for initial exploratory work, and to Nick
Pope and Mariusz Felisiak for review.
|
|
|
|
|
|
- Updated references to RFC 1123 to RFC 5322
- Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
- Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
|
|
Identified using the following command:
$ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
|
|
i18n patterns are used.
|
|
with /.
By moving a should_redirect_with_slash call out of an if block, commit
9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix
of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720).
Meanwhile, the logging issue #26293 that it targeted was subsequently
fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e
(#26504), so it is no longer needed. This effectively reverts it.
This speeds up successful requests not ending with / when APPEND_SLASH
is enabled (the default, and still useful in projects with a mix of
URLs with and without trailing /). The amount of speedup varies from
about 5% in a typical project to nearly 50% on a benchmark with many
routes.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
|
|
Follow up to 05d0eca635853564c57e639ac5590674a7de2ed6.
|
|
|
|
|
|
This also adds CSRF_COOKIE_MASKED transitional setting helpful in
migrating multiple instance of the same project to Django 4.1+.
Thanks Florian Apolloner and Shai Berger for reviews.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
|
|
get_language_from_request() uses Accept-Language and/or Cookie to determine the
correct redirect. Upstream caches need the matching Vary header to cache the
result.
|
|
This centralizes the logic to use when setting a new cookie. It also
eliminates the need for the _get_new_csrf_token() function, which is now
removed.
|
|
|
|
|
|
request.META['CSRF_COOKIE_NEEDS_UPDATE'].
|
|
request.csrf_cookie_needs_reset.
|
|
Thanks Chris Jerdonek for the review.
|
|
logic.
Thanks Florian Apolloner and Shai Berger for reviews.
|
|
error messages.
|
|
|
|
|
|
formatted cookie tokens.
|
|
formatted tokens.
|
|
token characters.
This also improves the comments near where the variable is used.
|
|
CsrfViewMiddleware.process_view().
|
|
computing good_referer.
|
|
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
|
|
_sanitize_token().
|
|
|
|
Thanks Adam Johnson and Tim Graham for the reviews.
Co-authored-by: Tim Graham <timograham@gmail.com>
|