| Age | Commit message | Author | |
|---|---|---|---|
| 2018-12-27 | Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data. | Jon Dufresne | |
| 2018-10-10 | Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. | Jon Dufresne | |
| django.utils.http.urlsafe_base64_encode() now returns a string, not a bytestring. Since URLs are represented as strings, urlsafe_base64_encode() should return a string. All uses immediately decoded the bytestring to a string anyway. As the inverse operation, urlsafe_base64_decode() accepts a string. | |||
| 2018-08-01 | Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. | Andreas Hug | |
| 2018-06-29 | Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string. | Przemysław Suliga | |
| 2018-01-11 | Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url(). | Jon Dufresne | |
| 2018-01-02 | Refs #28965 -- Deprecated unused django.utils.http.cookie_date(). | Tim Graham | |
| 2017-12-07 | Fixed #28906 -- Removed unnecessary bool() calls. | Tim Graham | |
| 2017-12-04 | Fixed #28860 -- Removed unnecessary len() calls. | Дилян Палаузов | |
| 2017-10-13 | Updated email.Util (Python 2) references to email.utils (Python 3). | Tim Graham | |
| 2017-10-12 | Fixed #28679 -- Fixed urlencode()'s handling of bytes. | François Freitag | |
| Regression in fee42fd99ee470528858c2ccb3621135c30ec262. Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance. | |||
| 2017-09-22 | Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url(). | Tim Graham | |
| Per deprecation timeline. | |||
| 2017-09-07 | Reverted "Fixed #27818 -- Replaced try/except/pass with contextlib.suppress()." | Tim Graham | |
| This reverts commit 550cb3a365dee4edfdd1563224d5304de2a57fda because try/except performs better. | |||
| 2017-06-28 | Fixed #27818 -- Replaced try/except/pass with contextlib.suppress(). | Mads Jensen | |
| 2017-05-10 | Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs. | UmanShahzad | |
| 2017-04-04 | Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs. | Tim Graham | |
| This is a security fix. | |||
| 2017-02-11 | Refs #27656 -- Updated django.utils docstring verbs according to PEP 257. | Anton Samarchyan | |
| 2017-01-26 | Refs #23919 -- Replaced usage of django.utils.http utilities with Python equivalents | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-22 | Refs #23919 -- Replaced six.reraise by raise | Claude Paroz | |
| 2017-01-20 | Refs #23919 -- Removed unneeded str() calls | Claude Paroz | |
| 2017-01-19 | Fixed django/utils/http.py comment typo. | Tim Graham | |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed six.PY2/PY3 usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-09-10 | Fixed #27083 -- Added support for weak ETags. | Kevin Christopher Henry | |
| 2016-09-07 | Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts | Jon Dufresne | |
| 2016-08-19 | Fixed #26902 -- Allowed is_safe_url() to require an https URL. | Przemysław Suliga | |
| Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews. | |||
| 2016-05-12 | Fixed #21231 -- Enforced a max size for GET/POST values read into memory. | Andre Cruz | |
| Thanks Tom Christie for review. | |||
| 2016-05-03 | Fixed #26567 -- Updated references to obsolete RFC2616. | Vasiliy Faronov | |
| Didn't touch comments where it wasn't obvious that the code adhered to the newer standard. | |||
| 2016-04-06 | Removed unused django.utils.http.PROTOCOL_TO_PORT. | Tim Graham | |
| Unused since b0c56b895fd2694d7f5d4595bdbbc41916607f45. | |||
| 2016-03-04 | Added safety to URL decoding in is_safe_url() on Python 2 | Claude Paroz | |
| The errors='replace' parameter to force_text altered the URL before checking it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef. | |||
| 2016-03-04 | Fixed #26308 -- Prevented crash with binary URLs in is_safe_url() | Claude Paroz | |
| This fixes a regression introduced by c5544d28923. Thanks John Eskew for the report and Tim Graham for the review. | |||
| 2016-03-01 | Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. | Mark Striemer | |
| This is a security fix. | |||
| 2016-01-05 | Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support. | Denis Cornehl | |
| Thanks Denis Cornehl for help with the patch. | |||
| 2015-12-12 | Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy(). | Iacopo Spalletti | |
| Thanks to bmispelon and uruz for the initial patch. | |||
| 2015-09-16 | Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. | Matt Robenolt | |
| Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | |||
| 2015-03-18 | Made is_safe_url() reject URLs that start with control characters. | Tim Graham | |
| This is a security fix; disclosure to follow shortly. | |||
| 2015-02-12 | Fixed #24321 -- Improved `utils.http.same_origin` compliance with RFC6454 | Lukas Klein | |
| 2015-02-06 | Sorted imports with isort; refs #23860. | Tim Graham | |
| 2015-01-13 | Fixed is_safe_url() to handle leading whitespace. | Tim Graham | |
| This is a security fix. Disclosure following shortly. | |||
| 2014-09-08 | Fixed #23399 -- Optimized django.utils.http.int_to_base36() | Tim Graham | |
| Thanks liminspace for the patch and Keryn Knight for benchmarking. | |||
| 2014-08-22 | Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3. | Ian Foote | |
| 2014-07-09 | Fixed #22223 -- Prevented over-escaping URLs in reverse() | Claude Paroz | |
| And follow more closely the class of characters defined in the RFC 3986. Thanks Erik van Zijst for the report and the initial patch, and Tim Graham for the review. | |||
| 2014-05-14 | typo: urlaprse -> urlparse | Collin Anderson | |
| 2014-05-14 | Added additional checks in is_safe_url to account for flexible parsing. | Erik Romijn | |
| This is a security fix. Disclosure following shortly. | |||
| 2013-11-02 | Correct flake8 E302 violations | Ray Ashman Jr | |
| 2013-11-02 | Correct flake8 violation E261 | Ray Ashman Jr | |
| 2013-10-26 | Fixed up some more flake8 violations (this particular violation still has many occurrences in the tests/ dir so it can't be removed from setup.cfg yet) | Alex Gaynor | |
| 2013-10-21 | Fixed #21288 -- Fixed E126 pep8 warnings | Alasdair Nicol | |
| 2013-09-22 | Removed a few trailing backslashes. | Aymeric Augustin | |
| We have always been at war with trailing backslashes. | |||
| 2013-09-05 | Took advantage of django.utils.six.moves.urllib.*. | Aymeric Augustin | |
