summaryrefslogtreecommitdiff
path: root/tests/middleware/tests.py
AgeCommit message (Collapse)Author
2026-06-08Refs CVE-2026-48587 -- Added helper to properly split header values.Natalia
Extracted the repeated `split(",")` + per-token `.strip()` pattern into a `split_header_value()` generator in django/utils/http.py. The previous `cc_delim_re` regex only stripped whitespace adjacent to the comma delimiter, leaving leading or trailing whitespace on the first and last tokens. Now, `split_header_value()` strips every token fully, matching RFC 9110's optional-whitespace rules. Thanks to Shai Berger, Jacob Walls, and Sarah Boyce for reviews.
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-06Refs #35514 -- Cleaned up logging and middleware tests.Mike Edmunds
Simplified and removed use of soon-to-be-deprecated or removed features from tests for AdminEmailHandler and BrokenLinkEmailsMiddleware. Added or updated cases to ensure `fail_silently` usage remains consistent during the transition to email providers. Changed custom FailingEmailBackend to respect fail_silently and record its use in a class-level property. In AdminEmailHandlerTest: * Added make_log_record() helper to reduce duplicated code. * Changed test_fail_silently() to send through the FailingEmailBackend, which will fail if not initialized with fail_silently=True. (Rather than inspecting attributes of a soon-to-be-deprecated connection.) * Simplified test_uses_custom_email_backend() by replacing monkeypatches with inspectable custom backend. * In test_customize_send_mail_method(), removed use of the undocumented self.connection() method and the soon-to-be-deprecated `connection` arg to mail_managers(). This test verifies a subclass can customize sending by mailing the managers rather than the admins. Involving a email backend connection was irrelevant. In BrokenLinkEmailsMiddlewareTest, added a case with FailingEmailBackend to verify send uses fail_silently=True.
2025-10-21Fixed #36656 -- Avoided truncating async streaming responses in GZipMiddleware.Adam Johnson
2025-09-03Refs #34989 -- Ensured the Content-Length header is set when redirect with ↵Ronan LE HAY
APPEND_SLASH.
2025-03-21Fixed #36138 -- Changed ADMINS and MANAGERS settings to lists of strings.Mike Edmunds
Previously, the ADMINS and MANAGERS settings were lists of (name, address) tuples (where the name had been unused). Deprecated use of tuples. Updated settings value sanity checks, and changed from ValueError to ImproperlyConfigured.
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-12-08Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on ↵Avaneesh Kumar
DELETE requests.
2023-02-01Refs #33476 -- Applied Black's 2023 stable style.David Smith
Black 23.1.0 is released which, as the first release of the year, introduces the 2023 stable style. This incorporates most of last year's preview style. https://github.com/psf/black/releases/tag/23.1.0
2023-01-04Refs #34074 -- Used headers argument for RequestFactory and Client in docs ↵David Wobrock
and tests.
2022-12-22Fixed #33735 -- Added async support to StreamingHttpResponse.Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-17Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.Andreas Pelme
2022-11-10Updated documentation and comments for RFC updates.Nick Pope
- Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents
2022-10-31Avoided assignment followed by immediate return.Nick Pope
Identified using the following command: $ pcre2grep --line-number --multiline --recursive \ "(?s)(\n +)(\w+) = [^\n]+\1return \2;?$" \ django docs extras js_tests scripts tests
2022-06-02Fixed #33700 -- Skipped extra resolution for successful requests not ending ↵Anders Kaseorg
with /. By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it. This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-07-29Fixed 32956 -- Lowercased spelling of "web" and "web framework" where ↵David Smith
appropriate.
2020-10-22Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior.Carlton Gibson
2020-09-14Fixed #31789 -- Added a new headers interface to HttpResponse.Tom Carrick
2020-02-18Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵Claude Paroz
classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-10-10Fixed #30812 -- Made ConditionalGetMiddleware set ETag only for responses ↵Viktor Lomakin
with non-empty content.
2019-09-09Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.Claude Paroz
2019-07-02Fixed #30604 -- Made mail_admins()/mail_managers() raise ValueError if ↵Hasan Ramezani
ADMINS/MANAGERS is set incorrectly.
2018-11-27Made reused RequestFactory instances class attributes.Simon Charette
2018-08-01Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.Andreas Hug
2017-09-22Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline.Tim Graham
2017-02-09Refs #23919 -- Removed default 'utf-8' argument for str.encode()/decode().Tim Graham
2017-01-25Refs #23919 -- Replaced super(ClassName, self) with super().chillaranand
2017-01-20Refs #23919 -- Removed unneeded force_str callsClaude Paroz
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed six.PY2/PY3 usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-10Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.za
2016-11-06Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a ↵Sven Engström
trailing slash.
2016-11-05Fixed #27346 -- Stopped setting the Content-Length header in ↵Adam Malinowski
ConditionalGetMiddleware.
2016-10-17Fixed #27344 -- Made ConditionalGetMiddleware only process GET requests.Kevin Christopher Henry
2016-10-14Fixed #27345 -- Stopped setting the Date header in ConditionalGetMiddleware.Tim Graham
2016-10-14Refs #19705 -- Changed gzip modification times to 0.Kevin Christopher Henry
This makes gzip output deterministic, which allows ConditionalGetMiddleware to reliably compare ETags on gzipped content (views using the gzip_page() decorator in particular).
2016-10-13Refs #19705 -- Made GZipMiddleware make ETags weak.Kevin Christopher Henry
Django's conditional request processing can now produce 304 Not Modified responses for content that is subject to compression.
2016-10-12Fixed #19705 -- Set proper headers on conditional Not Modified responses.Kevin Christopher Henry
2016-10-10Fixed #26447 -- Deprecated settings.USE_ETAGS in favor of ↵Denis Cornehl
ConditionalGetMiddleware.
2016-09-10Fixed #27083 -- Added support for weak ETags.Kevin Christopher Henry
2016-07-15Fixed #26765 -- Made CommonMiddleware no longer set an ETag when response ↵andrewnester
has Cache-Control: no-store.
2016-06-27Fixed #5897 -- Added the Content-Length response header in CommonMiddlewareClaude Paroz
Thanks Tim Graham for the review.
2016-06-16Fixed #26747 -- Used more specific assertions in the Django test suite.Jon Dufresne
2016-04-08Fixed E128 flake8 warnings in tests/.Tim Graham
2016-03-23Fixed #26293 -- Fixed CommonMiddleware to process PREPEND_WWW and ↵ieatkittens
APPEND_SLASH independently.
2016-03-08Fixed #25971 -- Made BrokenLinkEmailsMiddleware ignore APPEND_SLASH redirects.harikrishnakanchi
If APPEND_SLASH=True and the referer is the URL without a trailing '/', then BrokenLinkEmailsMiddleware shouldn't send an email.
2016-01-25Fixed #26125 -- Fixed E731 flake warnings.userimack