| Age | Commit message | Author | |
|---|---|---|---|
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2021-11-29 | Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret. | Chris Jerdonek | |
| This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instances of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-11-16 | Refs #32800 -- Avoided use of _does_token_match() in some CSRF tests. | Chris Jerdonek | |
| 2021-08-03 | Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). | Chris Jerdonek | |
| 2020-02-25 | Fixed #31291 -- Renamed salt to mask for CSRF tokens. | Ram Rachum | |
| 2017-01-24 | Removed unneeded force_text calls in the test suite | Claude Paroz | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2015-05-27 | Fixed #24836 -- Made force_text() resolve lazy objects. | Tim Graham | |
