summaryrefslogtreecommitdiff
path: root/django/utils/http.py
AgeCommit message (Collapse)Author
2015-09-16Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-03-18Made is_safe_url() reject URLs that start with control characters.Tim Graham
This is a security fix; disclosure to follow shortly.
2015-02-12Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454Lukas Klein
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2015-01-13Fixed is_safe_url() to handle leading whitespace.Tim Graham
This is a security fix. Disclosure following shortly.
2014-09-08Fixed #23399 -- Optimized django.utils.http.int_to_bas36()Tim Graham
Thanks liminspace for the patch and Keryn Knight for benchmarking.
2014-08-22Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3.Ian Foote
2014-07-09Fixed #22223 -- Prevented over-escaping URLs in reverse()Claude Paroz
And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review.
2014-05-14typo: urlaprse -> urlparseCollin Anderson
2014-05-14Added additional checks in is_safe_url to account for flexible parsing.Erik Romijn
This is a security fix. Disclosure following shortly.
2013-11-02Correct flake8 E302 violationsRay Ashman Jr
2013-11-02Correct flake8 violation E261Ray Ashman Jr
2013-10-26Fixed up some more flake8 violations (this particular violation still has ↵Alex Gaynor
many occurrences in the tests/ dir so it can't be removed from setup.cfg yet)
2013-10-21Fixed #21288 -- Fixed E126 pep8 warningsAlasdair Nicol
2013-09-22Removed a few trailing backslashes.Aymeric Augustin
We have always been at war with trailing backslashes.
2013-09-05Took advantage of django.utils.six.moves.urllib.*.Aymeric Augustin
2013-09-02Replaced "not PY3" by "PY2", new in six 1.4.0.Aymeric Augustin
2013-08-13Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.Jacob Kaplan-Moss
This is a security fix; disclosure to follow shortly.
2013-08-07Use `usegmt` flag in formatdateDavid Evans
Slightly cleaner and faster than string manipulation. This flag has been available since Python 2.4: http://docs.python.org/2/library/email.util.html#email.utils.formatdate
2013-06-26Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.Tim Graham
uid is now base64 encoded in password reset URLs/views. A backwards compatible password_reset_confirm view/URL will allow password reset links generated before this change to continue to work. This view will be removed in Django 1.7. Thanks jonash for the initial patch and claudep for the review.
2013-05-19Fix a typo in a comment.Marc Tamlyn
2013-05-18Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks.Florian Apolloner
Thanks to edevil for the report and saz for the patch.
2013-03-28Fixed spelling errorsGavin Wahl
2013-03-19Fixed #18003 -- Preserved tracebacks when re-raising errors.konarkmodi
Thanks jrothenbuhler for draft patch, Konark Modi for updates.
2012-12-10Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.Florian Apolloner
2012-09-26Fixed parse_http_date docstring and moved related testsClaude Paroz
Refs #18675.
2012-08-30Replaced some smart_xxx by force_xxx equivalentClaude Paroz
smart_str/smart_text should only be used when a potential lazy string should be preserved in the result of the function call.
2012-08-14[py3] Fixed conditional_processing testsClaude Paroz
2012-08-07[py3] Ported django.utils.encoding.Aymeric Augustin
* Renamed smart_unicode to smart_text (but kept the old name under Python 2 for backwards compatibility). * Renamed smart_str to smart_bytes. * Re-introduced smart_str as an alias for smart_text under Python 3 and smart_bytes under Python 2 (which is backwards compatible). Thus smart_str always returns a str objects. * Used the new smart_str in a few places where both Python 2 and 3 want a str.
2012-08-03[py3] Removed uses of sys.maxint under Python 3.Aymeric Augustin
Also fixed #18706: improved exceptions raised by int_to_base36.
2012-07-22[py3] Updated urllib/urllib2/urlparse imports.Aymeric Augustin
Lots of functions were moved. Use explicit imports in all cases to keey it easy to identify where the functions come from.
2012-07-22[py3] Replaced unicode/str by six.text_type/bytes.Aymeric Augustin
2012-06-14Fixed #12140 -- Fixed http.urlencode result for empty listsClaude Paroz
Thanks aneil for the report and the initial patch.
2012-03-30Removed some Python < 2.6 compatibility code. Refs #17965.Aymeric Augustin
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17830 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16Use Python's changed comparisons, which makes this a bit more readable.Alex Gaynor
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16Fixed #17693. Input validation and tests for base36 conversion utils. Thanks ↵Paul McMillan
Keryn Knight for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17525 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-01-29Fixed #5964 -- Added unicode-aware versions of urlunquote and urlunquote_plus.Aymeric Augustin
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17407 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09Switch to using explicit new-style division behavior, rather than relying on ↵Alex Gaynor
teh classic behavior. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16745 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09Fixed a bunch of imports of the email stdlib module now that we are on ↵Jannis Leidel
Python 2.5 to ease the Python 3 port. Thanks, Martin von Löwis. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-09Fixed #16155 -- Removed Python 2.4 compatibility constructs from code and ↵Ramiro Morales
mentions from docs. Thanks Aymeric Augustin for the report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16349 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-22Fixed #9089 -- Correctly handle list values in MultiValueDict instances when ↵Jannis Leidel
passed to django.utils.http.urlencode. Thanks, kratorius, guettli and obeattie. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16064 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15Fixed #15617 - CSRF referer checking too strictLuke Plant
Thanks to adam for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-03Fixed #15543 -- Tweaked change from r15696 to not use 'if' syntax introduce ↵Ramiro Morales
in Python 2.5. Thanks to an anonymous reporter for the heads up. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15731 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01Fixed #717 - If-Modified-Since handling should compare dates according to ↵Luke Plant
RFC 2616 Thanks to Maniac for the report, julienb for the initial patch, and especially to aaugustin for the final patch and tests. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15696 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-24Fixed #15067 -- Modified the range checks on base36_to_int so you are ↵Russell Keith-Magee
guaranteed to always get an int, avoiding possible OverflowErrors. Thanks to Garthex for the report, jboutros for the patch, and kfrazier for the feedback. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15288 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-23Fix a security issue in the auth system. Disclosure and new release forthcoming.Alex Gaynor
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-13Fixed #13765 - 'safe' parameter for urlencode filterLuke Plant
Thanks to KyleMac for the suggestion and SmileyChris for the patch git-svn-id: http://code.djangoproject.com/svn/django/trunk@13849 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-22Fixed #5791 -- Added early-bailout support for views (ETags and Last-modified).Malcolm Tredinnick
This provides support for views that can have their ETag and/or Last-modified values computed much more quickly than the view itself. Supports all HTTP verbs (not just GET). Documentation and tests need a little more fleshing out (I'm not happy with the documentation at the moment, since it's a bit backwards), but the functionality is correct. git-svn-id: http://code.djangoproject.com/svn/django/trunk@10114 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-31Fixed #7723 - implemented a secure password reset form that uses a token and ↵Luke Plant
prompts user for new password. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8162 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-31Fixed #5816 -- Fixed a regression from [6333] that generates incorrect ↵Gary Wilson Jr
cookie "expires" dates when using a locale other than English. Introduced `http_date` and `cookie_date` utility functions. Thanks for the report Michael Lemaire. Thanks for the patch Karen Tracey and `SmileyChris`. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6634 bcc190cf-cafb-0310-a4f2-bffc1f526a37