[1.6.x] Dropped fix_IE_for_vary/attach.

This is a security fix. Disclosure following shortly.
2025-10-30 09:06:13 +00:00 · 2014-05-12 09:37:44 -04:00
parent e05a6222cd
commit 1abcf3a808
4 changed files with 1 additions and 103 deletions
--- a/django/core/handlers/base.py
+++ b/django/core/handlers/base.py
@@ -23,8 +23,6 @@ class BaseHandler(object):
    response_fixes = [
        http.fix_location_header,
        http.conditional_content_removal,
        http.fix_IE_for_attach,
        http.fix_IE_for_vary,
    ]
    def __init__(self):
--- a/django/http/init.py
+++ b/django/http/init.py
@@ -6,5 +6,4 @@ from django.http.response import (HttpResponse, StreamingHttpResponse,
    HttpResponseRedirect, HttpResponseNotModified, HttpResponseBadRequest,
    HttpResponseForbidden, HttpResponseNotFound, HttpResponseNotAllowed,
    HttpResponseGone, HttpResponseServerError, Http404, BadHeaderError)
-from django.http.utils import (fix_location_header, conditional_content_removal,
+from django.http.utils import fix_location_header, conditional_content_removal
    fix_IE_for_attach, fix_IE_for_vary)
--- a/django/http/utils.py
+++ b/django/http/utils.py
@@ -39,58 +39,3 @@ def conditional_content_removal(request, response):
        else:
            response.content = b''
    return response
 def fix_IE_for_attach(request, response):
    """
    This function will prevent Django from serving a Content-Disposition header
    while expecting the browser to cache it (only when the browser is IE). This
    leads to IE not allowing the client to download.
    """
    useragent = request.META.get('HTTP_USER_AGENT', '').upper()
    if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
        return response
    offending_headers = ('no-cache', 'no-store')
    if response.has_header('Content-Disposition'):
        try:
            del response['Pragma']
        except KeyError:
            pass
        if response.has_header('Cache-Control'):
            cache_control_values = [value.strip() for value in
                    response['Cache-Control'].split(',')
                    if value.strip().lower() not in offending_headers]
            if not len(cache_control_values):
                del response['Cache-Control']
            else:
                response['Cache-Control'] = ', '.join(cache_control_values)
    return response
 def fix_IE_for_vary(request, response):
    """
    This function will fix the bug reported at
    http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global
    by clearing the Vary header whenever the mime-type is not safe
    enough for Internet Explorer to handle.  Poor thing.
    """
    useragent = request.META.get('HTTP_USER_AGENT', '').upper()
    if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
        return response
    # These mime-types that are decreed "Vary-safe" for IE:
    safe_mime_types = ('text/html', 'text/plain', 'text/sgml')
    # The first part of the Content-Type field will be the MIME type,
    # everything after ';', such as character-set, can be ignored.
    mime_type = response.get('Content-Type', '').partition(';')[0]
    if mime_type not in safe_mime_types:
        try:
            del response['Vary']
        except KeyError:
            pass
    return response
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -67,50 +67,6 @@ class TestUtilsHttp(unittest.TestCase):
        ]
        self.assertTrue(result in acceptable_results)
    def test_fix_IE_for_vary(self):
        """
        Regression for #16632.
        `fix_IE_for_vary` shouldn't crash when there's no Content-Type header.
        """
        # functions to generate responses
        def response_with_unsafe_content_type():
            r = HttpResponse(content_type="text/unsafe")
            r['Vary'] = 'Cookie'
            return r
        def no_content_response_with_unsafe_content_type():
            # 'Content-Type' always defaulted, so delete it
            r = response_with_unsafe_content_type()
            del r['Content-Type']
            return r
        # request with & without IE user agent
        rf = RequestFactory()
        request = rf.get('/')
        ie_request = rf.get('/', HTTP_USER_AGENT='MSIE')
        # not IE, unsafe_content_type
        response = response_with_unsafe_content_type()
        utils.fix_IE_for_vary(request, response)
        self.assertTrue('Vary' in response)
        # IE, unsafe_content_type
        response = response_with_unsafe_content_type()
        utils.fix_IE_for_vary(ie_request, response)
        self.assertFalse('Vary' in response)
        # not IE, no_content
        response = no_content_response_with_unsafe_content_type()
        utils.fix_IE_for_vary(request, response)
        self.assertTrue('Vary' in response)
        # IE, no_content
        response = no_content_response_with_unsafe_content_type()
        utils.fix_IE_for_vary(ie_request, response)
        self.assertFalse('Vary' in response)
    def test_base36(self):
        # reciprocity works
        for n in [0, 1, 1000, 1000000]: