| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2016-05-12 | Fixed #21231 -- Enforced a max size for GET/POST values read into memory. | Andre Cruz | |
| Thanks Tom Christie for review. | |||
| 2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov | |
| Didn't touch comments where it wasn't obvious that the code adhered to the newer standard. | |||
| 2016-04-06 | Removed unused django.utils.http.PROTOCOL_TO_PORT. | Tim Graham | |
| Unused since b0c56b895fd2694d7f5d4595bdbbc41916607f45. | |||
| 2016-03-04 | Added safety to URL decoding in is_safe_url() on Python 2 | Claude Paroz | |
| The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. | |||
| 2016-03-04 | Fixed #26308 -- Prevented crash with binary URLs in is_safe_url() | Claude Paroz | |
| This fixes a regression introduced by c5544d28923. Thanks John Eskew for the reporti and Tim Graham for the review. | |||
| 2016-03-01 | Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. | Mark Striemer | |
| This is a security fix. | |||
| 2016-01-05 | Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support. | Denis Cornehl | |
| Thanks Denis Cornehl for help with the patch. | |||
| 2015-12-12 | Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy(). | Iacopo Spalletti | |
| Thanks to bmispelon and uruz for the initial patch. | |||
| 2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt | |
| Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | |||
| 2015-03-18 | Made is_safe_url() reject URLs that start with control characters. | Tim Graham | |
| This is a security fix; disclosure to follow shortly. | |||
| 2015-02-12 | Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454 | Lukas Klein | |
| 2015-02-06 | Sorted imports with isort; refs #23860. | Tim Graham | |
| 2015-01-13 | Fixed is_safe_url() to handle leading whitespace. | Tim Graham | |
| This is a security fix. Disclosure following shortly. | |||
| 2014-09-08 | Fixed #23399 -- Optimized django.utils.http.int_to_bas36() | Tim Graham | |
| Thanks liminspace for the patch and Keryn Knight for benchmarking. | |||
| 2014-08-22 | Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. | Ian Foote | |
| 2014-07-09 | Fixed #22223 -- Prevented over-escaping URLs in reverse() | Claude Paroz | |
| And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review. | |||
| 2014-05-14 | typo: urlaprse -> urlparse | Collin Anderson | |
| 2014-05-14 | Added additional checks in is_safe_url to account for flexible parsing. | Erik Romijn | |
| This is a security fix. Disclosure following shortly. | |||
| 2013-11-02 | Correct flake8 E302 violations | Ray Ashman Jr | |
| 2013-11-02 | Correct flake8 violation E261 | Ray Ashman Jr | |
| 2013-10-26 | Fixed up some more flake8 violations (this particular violation still has ↵ | Alex Gaynor | |
| many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) | |||
| 2013-10-21 | Fixed #21288 -- Fixed E126 pep8 warnings | Alasdair Nicol | |
| 2013-09-22 | Removed a few trailing backslashes. | Aymeric Augustin | |
| We have always been at war with trailing backslashes. | |||
| 2013-09-05 | Took advantage of django.utils.six.moves.urllib.*. | Aymeric Augustin | |
| 2013-09-02 | Replaced "not PY3" by "PY2", new in six 1.4.0. | Aymeric Augustin | |
| 2013-08-13 | Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S. | Jacob Kaplan-Moss | |
| This is a security fix; disclosure to follow shortly. | |||
| 2013-08-07 | Use `usegmt` flag in formatdate | David Evans | |
| Slightly cleaner and faster than string manipulation. This flag has been available since Python 2.4: http://docs.python.org/2/library/email.util.html#email.utils.formatdate | |||
| 2013-06-26 | Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk. | Tim Graham | |
| uid is now base64 encoded in password reset URLs/views. A backwards compatible password_reset_confirm view/URL will allow password reset links generated before this change to continue to work. This view will be removed in Django 1.7. Thanks jonash for the initial patch and claudep for the review. | |||
| 2013-05-19 | Fix a typo in a comment. | Marc Tamlyn | |
| 2013-05-18 | Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks. | Florian Apolloner | |
| Thanks to edevil for the report and saz for the patch. | |||
| 2013-03-28 | Fixed spelling errors | Gavin Wahl | |
| 2013-03-19 | Fixed #18003 -- Preserved tracebacks when re-raising errors. | konarkmodi | |
| Thanks jrothenbuhler for draft patch, Konark Modi for updates. | |||
| 2012-12-10 | Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users. | Florian Apolloner | |
| 2012-09-26 | Fixed parse_http_date docstring and moved related tests | Claude Paroz | |
| Refs #18675. | |||
| 2012-08-30 | Replaced some smart_xxx by force_xxx equivalent | Claude Paroz | |
| smart_str/smart_text should only be used when a potential lazy string should be preserved in the result of the function call. | |||
| 2012-08-14 | [py3] Fixed conditional_processing tests | Claude Paroz | |
| 2012-08-07 | [py3] Ported django.utils.encoding. | Aymeric Augustin | |
| * Renamed smart_unicode to smart_text (but kept the old name under Python 2 for backwards compatibility). * Renamed smart_str to smart_bytes. * Re-introduced smart_str as an alias for smart_text under Python 3 and smart_bytes under Python 2 (which is backwards compatible). Thus smart_str always returns a str objects. * Used the new smart_str in a few places where both Python 2 and 3 want a str. | |||
| 2012-08-03 | [py3] Removed uses of sys.maxint under Python 3. | Aymeric Augustin | |
| Also fixed #18706: improved exceptions raised by int_to_base36. | |||
| 2012-07-22 | [py3] Updated urllib/urllib2/urlparse imports. | Aymeric Augustin | |
| Lots of functions were moved. Use explicit imports in all cases to keey it easy to identify where the functions come from. | |||
| 2012-07-22 | [py3] Replaced unicode/str by six.text_type/bytes. | Aymeric Augustin | |
| 2012-06-14 | Fixed #12140 -- Fixed http.urlencode result for empty lists | Claude Paroz | |
| Thanks aneil for the report and the initial patch. | |||
| 2012-03-30 | Removed some Python < 2.6 compatibility code. Refs #17965. | Aymeric Augustin | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@17830 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2012-02-16 | Use Python's changed comparisons, which makes this a bit more readable. | Alex Gaynor | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@17526 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2012-02-16 | Fixed #17693. Input validation and tests for base36 conversion utils. Thanks ↵ | Paul McMillan | |
| Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2012-01-29 | Fixed #5964 -- Added unicode-aware versions of urlunquote and urlunquote_plus. | Aymeric Augustin | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@17407 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-09-09 | Switch to using explicit new-style division behavior, rather than relying on ↵ | Alex Gaynor | |
| teh classic behavior. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16745 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-09-09 | Fixed a bunch of imports of the email stdlib module now that we are on ↵ | Jannis Leidel | |
| Python 2.5 to ease the Python 3 port. Thanks, Martin von Löwis. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16731 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-06-09 | Fixed #16155 -- Removed Python 2.4 compatibility constructs from code and ↵ | Ramiro Morales | |
| mentions from docs. Thanks Aymeric Augustin for the report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16349 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-04-22 | Fixed #9089 -- Correctly handle list values in MultiValueDict instances when ↵ | Jannis Leidel | |
| passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-03-15 | Fixed #15617 - CSRF referer checking too strict | Luke Plant | |
| Thanks to adam for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
