path: root/tests/middleware
Age | Commit message | Author
2026-06-08 | Refs CVE-2026-48587 -- Added helper to properly split header values. | Natalia
Extracted the repeated `split(",")` + per-token `.strip()` pattern into a `split_header_value()` generator in django/utils/http.py. The previous `cc_delim_re` regex only stripped whitespace adjacent to the comma delimiter, leaving leading or trailing whitespace on the first and last tokens. Now, `split_header_value()` strips every token fully, matching RFC 9110's optional-whitespace rules. Thanks to Shai Berger, Jacob Walls, and Sarah Boyce for reviews.
2026-05-20 | Refs #36825 -- Fixed regression in CSPSeleniumTestCase. | Johannes Maron
The CSP report test relied on the debug view having a CSP error, which has been fixed in 3e4e0db. This commit added a custom view to reintroduce the same error to verify the reporting behavior. Follow-up to 3e4e0db66961a48a080ff3ff91f6c0d954261366.
2026-05-13 | Fixed #35514 -- Implemented dictionary-based MAILERS. | Mike Edmunds
See DEP 0018.

Added:
* MAILERS setting.
* django.core.mail.mailers dict-like EmailBackend factory.
* `using` argument to mail sending APIs.
* `sent_using` attribute to mail.outbox messages in locmem backend.
* MAILERS in startproject settings template, set to console backend.
* AdminLogHandler.using argument.
* BrokenLinkEmailsMiddleware.send_mail() method.

Updated:
* BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS).
* EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used.
* smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options.
* SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations.
* Django's tests that send mail to define MAILERS.

Deprecated:
* EMAIL_BACKEND and other backend-related EMAIL_* settings.
* mail.get_connection().
* The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions.
* The EmailMessage.connection attribute.
* BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly.
* AdminEmailHandler.email_backend argument.

Removed undocumented features without deprecation:
* EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.)
* EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.)
* AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.)

Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design.

Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-06 | Refs #35514 -- Cleaned up logging and middleware tests. | Mike Edmunds
Simplified and removed use of soon-to-be-deprecated or removed features from tests for AdminEmailHandler and BrokenLinkEmailsMiddleware. Added or updated cases to ensure `fail_silently` usage remains consistent during the transition to email providers. Changed custom FailingEmailBackend to respect fail_silently and record its use in a class-level property.

In AdminEmailHandlerTest:
* Added make_log_record() helper to reduce duplicated code.
* Changed test_fail_silently() to send through the FailingEmailBackend, which will fail if not initialized with fail_silently=True. (Rather than inspecting attributes of a soon-to-be-deprecated connection.)
* Simplified test_uses_custom_email_backend() by replacing monkeypatches with inspectable custom backend.
* In test_customize_send_mail_method(), removed use of the undocumented self.connection() method and the soon-to-be-deprecated `connection` arg to mail_managers(). This test verifies a subclass can customize sending by mailing the managers rather than the admins. Involving an email backend connection was irrelevant.

In BrokenLinkEmailsMiddlewareTest, added a case with FailingEmailBackend to verify send uses fail_silently=True.
2026-01-09 | Refs #35875 -- Added dark mode support in additional views. | mbcodes
Thanks Thibaud Colas for the review.
2025-10-21 | Fixed #36656 -- Avoided truncating async streaming responses in GZipMiddleware. | Adam Johnson
2025-09-03 | Refs #34989 -- Ensured the Content-Length header is set when redirect with APPEND_SLASH. | Ronan LE HAY
2025-08-28 | Fixed #36532 -- Added Content Security Policy view decorators to override or disable policies. | Rob Hudson
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-08-26 | Refs #15727 -- Captured failed request log in CSPMiddlewareTest. | Jacob Walls
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-06-27 | Fixed #15727 -- Added Content Security Policy (CSP) support. | Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-03-21 | Fixed #36138 -- Changed ADMINS and MANAGERS settings to lists of strings. | Mike Edmunds
Previously, the ADMINS and MANAGERS settings were lists of (name, address) tuples (where the name had been unused). Deprecated use of tuples. Updated settings value sanity checks, and changed from ValueError to ImproperlyConfigured.
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-12-08 | Fixed #34742 -- Made CommonMiddleware raise APPEND_SLASH RuntimeError on DELETE requests. | Avaneesh Kumar
2023-02-01 | Refs #33476 -- Applied Black's 2023 stable style. | David Smith
Black 23.1.0 is released which, as the first release of the year, introduces the 2023 stable style. This incorporates most of last year's preview style. https://github.com/psf/black/releases/tag/23.1.0
2023-01-04 | Refs #34074 -- Used headers argument for RequestFactory and Client in docs and tests. | David Wobrock
2022-12-22 | Fixed #33735 -- Added async support to StreamingHttpResponse. | Carlton Gibson
Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
2022-12-17 | Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware. | Andreas Pelme
2022-11-10 | Updated documentation and comments for RFC updates. | Nick Pope
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-10-31 | Avoided assignment followed by immediate return. | Nick Pope
Identified using the following command:

$ pcre2grep --line-number --multiline --recursive \
    "(?s)(\n +)(\w+) = [^\n]+\1return \2;?$" \
    django docs extras js_tests scripts tests
2022-06-02 | Fixed #33700 -- Skipped extra resolution for successful requests not ending with /. | Anders Kaseorg
By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it.

This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2021-07-29 | Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate. | David Smith
2021-04-30 | Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. | Tim Graham
2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. | bankc
Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
2020-10-22 | Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior. | Carlton Gibson
2020-09-14 | Fixed #31789 -- Added a new headers interface to HttpResponse. | Tom Carrick
2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. | Claude Paroz
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-10-10 | Fixed #30812 -- Made ConditionalGetMiddleware set ETag only for responses with non-empty content. | Viktor Lomakin
2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. | Nick Pope
Thanks to James Bennett for the initial implementation.
2019-09-09 | Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY. | Claude Paroz
2019-07-02 | Fixed #30604 -- Made mail_admins()/mail_managers() raise ValueError if ADMINS/MANAGERS is set incorrectly. | Hasan Ramezani
2019-03-20 | Corrected settings names in SecurityMiddleware tests. | Nick Pope
2019-02-09 | Removed default empty content argument from HttpResponse calls. | Jon Dufresne
2018-12-31 | Updated test URL patterns to use path() and re_path(). | Tim Graham
2018-11-27 | Made reused RequestFactory instances class attributes. | Simon Charette
2018-10-30 | Capitalized SecurityMiddleware headers for consistency with other headers. | Artur Juraszek
(No behavior change since HTTP headers are case insensitive.)
2018-08-01 | Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. | Andreas Hug
2018-03-16 | Fixed hanging indentation in various code. | Mariusz Felisiak
2017-09-22 | Refs #26447 -- Removed the USE_ETAGS setting per deprecation timeline. | Tim Graham
2017-02-09 | Refs #23919 -- Removed default 'utf-8' argument for str.encode()/decode(). | Tim Graham
2017-02-01 | Refs #23919 -- Replaced kwargs.pop() with keyword-only arguments. | Vytis Banaitis
2017-01-25 | Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand
2017-01-20 | Refs #23919 -- Removed unneeded force_str calls | Claude Paroz
2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz
Thanks Tim Graham for the review.
2017-01-18 | Refs #23919 -- Removed six.PY2/PY3 usage | Claude Paroz
Thanks Tim Graham for the review.
2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz
2016-11-10 | Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. | za
2016-11-06 | Fixed #26812 -- Fixed APPEND_SLASH on a URL including querystring with a trailing slash. | Sven Engström