path: root/django/utils/http.py
Age | Commit message | Author
2018-12-27 | Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data. | Jon Dufresne
2018-10-10 | Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. | Jon Dufresne
django.utils.http.urlsafe_base64_encode() now returns a string, not a bytestring. Since URLs are represented as strings, urlsafe_base64_encode() should return a string. All uses immediately decoded the bytestring to a string anyway. As the inverse operation, urlsafe_base64_decode() accepts a string.
2018-08-01 | Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. | Andreas Hug
2018-06-29 | Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string. | Przemysław Suliga
2018-01-11 | Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url(). | Jon Dufresne
2018-01-02 | Refs #28965 -- Deprecated unused django.utils.http.cookie_date(). | Tim Graham
2017-12-07 | Fixed #28906 -- Removed unnecessary bool() calls. | Tim Graham
2017-12-04 | Fixed #28860 -- Removed unnecessary len() calls. | Дилян Палаузов
2017-10-13 | Updated email.Util (Python 2) references to email.utils (Python 3). | Tim Graham
2017-10-12 | Fixed #28679 -- Fixed urlencode()'s handling of bytes. | François Freitag
Regression in fee42fd99ee470528858c2ccb3621135c30ec262. Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance.
2017-09-22 | Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url(). | Tim Graham
Per deprecation timeline.
2017-09-07 | Reverted "Fixed #27818 -- Replaced try/except/pass with contextlib.suppress()." | Tim Graham
This reverts commit 550cb3a365dee4edfdd1563224d5304de2a57fda because try/except performs better.
2017-06-28 | Fixed #27818 -- Replaced try/except/pass with contextlib.suppress(). | Mads Jensen
2017-05-10 | Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs. | UmanShahzad
2017-04-04 | Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs. | Tim Graham
This is a security fix.
2017-02-11 | Refs #27656 -- Updated django.utils docstring verbs according to PEP 257. | Anton Samarchyan
2017-01-26 | Refs #23919 -- Replaced usage of django.utils.http utilities with Python equivalents | Claude Paroz
Thanks Tim Graham for the review.
2017-01-22 | Refs #23919 -- Replaced six.reraise by raise | Claude Paroz
2017-01-20 | Refs #23919 -- Removed unneeded str() calls | Claude Paroz
2017-01-19 | Fixed django/utils/http.py comment typo. | Tim Graham
2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz
Thanks Tim Graham for the review.
2017-01-18 | Refs #23919 -- Removed six.PY2/PY3 usage | Claude Paroz
Thanks Tim Graham for the review.
2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz
2016-09-10 | Fixed #27083 -- Added support for weak ETags. | Kevin Christopher Henry
2016-09-07 | Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts | Jon Dufresne
2016-08-19 | Fixed #26902 -- Allowed is_safe_url() to require an https URL. | Przemysław Suliga
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-05-12 | Fixed #21231 -- Enforced a max size for GET/POST values read into memory. | Andre Cruz
Thanks Tom Christie for review.
2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov
Didn't touch comments where it wasn't obvious that the code adhered to the newer standard.
2016-04-06 | Removed unused django.utils.http.PROTOCOL_TO_PORT. | Tim Graham
Unused since b0c56b895fd2694d7f5d4595bdbbc41916607f45.
2016-03-04 | Added safety to URL decoding in is_safe_url() on Python 2 | Claude Paroz
The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2016-03-04 | Fixed #26308 -- Prevented crash with binary URLs in is_safe_url() | Claude Paroz
This fixes a regression introduced by c5544d28923. Thanks John Eskew for the report and Tim Graham for the review.
2016-03-01 | Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. | Mark Striemer
This is a security fix.
2016-01-05 | Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support. | Denis Cornehl
Thanks Denis Cornehl for help with the patch.
2015-12-12 | Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy(). | Iacopo Spalletti
Thanks to bmispelon and uruz for the initial patch.
2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt
Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews.
2015-03-18 | Made is_safe_url() reject URLs that start with control characters. | Tim Graham
This is a security fix; disclosure to follow shortly.
2015-02-12 | Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454 | Lukas Klein
2015-02-06 | Sorted imports with isort; refs #23860. | Tim Graham
2015-01-13 | Fixed is_safe_url() to handle leading whitespace. | Tim Graham
This is a security fix. Disclosure following shortly.
2014-09-08 | Fixed #23399 -- Optimized django.utils.http.int_to_base36() | Tim Graham
Thanks liminspace for the patch and Keryn Knight for benchmarking.
2014-08-22 | Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. | Ian Foote
2014-07-09 | Fixed #22223 -- Prevented over-escaping URLs in reverse() | Claude Paroz
And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review.
2014-05-14 | typo: urlaprse -> urlparse | Collin Anderson
2014-05-14 | Added additional checks in is_safe_url to account for flexible parsing. | Erik Romijn
This is a security fix. Disclosure following shortly.
2013-11-02 | Correct flake8 E302 violations | Ray Ashman Jr
2013-11-02 | Correct flake8 violation E261 | Ray Ashman Jr
2013-10-26 | Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) | Alex Gaynor
2013-10-21 | Fixed #21288 -- Fixed E126 pep8 warnings | Alasdair Nicol
2013-09-22 | Removed a few trailing backslashes. | Aymeric Augustin
We have always been at war with trailing backslashes.
2013-09-05 | Took advantage of django.utils.six.moves.urllib.*. | Aymeric Augustin