Alex Vandiver 
							
						 
					 
					
						
						
							
						
						cbce427c17 
					 
					
						
						
							
							Fixed   #34194  -- Added django.utils.http.content_disposition_header().  
						
						
						
						
					 
					
						2022-12-05 13:08:00 +01:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						9bd174b9a7 
					 
					
						
						
							
							Updated documentation and comments for RFC updates.  
						
						
						
						
						- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents 
						
						
					 
					
						2022-11-10 13:52:17 +01:00 
						 
				 
			
				
					
						
							
							
								Michael Manfre 
							
						 
					 
					
						
						
							
						
						03eec9ff6c 
					 
					
						
						
							
							Updated vendored _urlsplit() to strip newline and tabs.  
						
						
						
						
						Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk. 
						
						
					 
					
						2022-07-01 08:48:38 +02:00 
						 
				 
			
				
					
						
							
							
								Mehrdad 
							
						 
					 
					
						
						
							
						
						d4d5427571 
					 
					
						
						
							
							Refs  #33697  -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.  
						
						
						
						
						This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser. 
						
						
					 
					
						2022-06-28 09:42:47 +02:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						34e2148fc7 
					 
					
						
						
							
							Refs  #33173  -- Removed use of deprecated cgi module.  
						
						
						
						
						https://peps.python.org/pep-0594/#cgi  
					
						2022-05-11 14:06:31 +02:00 
						 
				 
			
				
					
						
							
							
								django-bot 
							
						 
					 
					
						
						
							
						
						9c19aff7c7 
					 
					
						
						
							
							Refs  #33476  -- Reformatted code with Black.  
						
						
						
						
					 
					
						2022-02-07 20:37:05 +01:00 
						 
				 
			
				
					
						
							
							
								Ad Timmering 
							
						 
					 
					
						
						
							
						
						bdf3e156b4 
					 
					
						
						
							
							Fixed   #28628  -- Changed \d to [0-9] in regexes where appropriate.  
						
						
						
						
					 
					
						2022-01-07 12:25:06 +01:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						d06c5b3581 
					 
					
						
						
							
							Fixed   #32366  -- Updated datetime module usage to recommended approach.  
						
						
						
						
						- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp(). 
						
						
					 
					
						2021-05-12 11:08:41 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						ec0ff40631 
					 
					
						
						
							
							Fixed   #32355  -- Dropped support for Python 3.6 and 3.7  
						
						
						
						
					 
					
						2021-02-10 10:20:54 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						9e456f3166 
					 
					
						
						
							
							Refs  #30747  -- Removed django.utils.http.is_safe_url() per deprecation timeline.  
						
						
						
						
					 
					
						2021-01-14 17:50:04 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						88ed1c8d08 
					 
					
						
						
							
							Refs  #27753  -- Removed django.utils.http urllib aliases per deprecation timeline.  
						
						
						
						
					 
					
						2021-01-14 17:50:04 +01:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						fd209f62f1 
					 
					
						
						
							
							Refs  #21231  -- Backport urllib.parse.parse_qsl() from Python 3.8.  
						
						
						
						
					 
					
						2020-09-03 14:24:42 +02:00 
						 
				 
			
				
					
						
							
							
								Hasan Ramezani 
							
						 
					 
					
						
						
							
						
						f121621073 
					 
					
						
						
							
							Fixed   #31521  -- Skipped test_parsing_rfc850 test on 32-bit systems.  
						
						
						
						
					 
					
						2020-04-30 06:51:47 +02:00 
						 
				 
			
				
					
						
							
							
								Ad Timmering 
							
						 
					 
					
						
						
							
						
						7b5f8acb9e 
					 
					
						
						
							
							Fixed   #28690  -- Fixed handling of two-digit years in parse_http_date().  
						
						
						
						
						Due to RFC7231 a year that appears to be more than 50 years in the
future is interpreted as representing the past. 
						
						
					 
					
						2019-09-30 14:42:56 +02:00 
						 
				 
			
				
					
						
							
							
								Ad Timmering 
							
						 
					 
					
						
						
							
						
						7cbd25a06e 
					 
					
						
						
							
							Refs  #28690  -- Added more tests for parse_http_date().  
						
						
						
						
					 
					
						2019-09-30 14:42:51 +02:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						4f61810751 
					 
					
						
						
							
							Fixed   #30747  -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().  
						
						
						
						
					 
					
						2019-09-02 15:32:23 +02:00 
						 
				 
			
				
					
						
							
							
								swatantra 
							
						 
					 
					
						
						
							
						
						73ac9e3f04 
					 
					
						
						
							
							Fixed   #30677  -- Improved error message for urlencode() and Client when None is passed as data.  
						
						
						
						
					 
					
						2019-08-11 20:15:23 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						b903bb438f 
					 
					
						
						
							
							Refs  #30485  -- Removed non-representative test that emitted a warning.  
						
						
						
						
						Previously, when running the Django test suite with warnings enabled,
the following was emitted:
    /usr/lib64/python3.7/urllib/parse.py:915: BytesWarning: str() on a bytearray instance
      v = quote_via(str(v), safe, encoding, errors)
This occurred due to the bytearray() being passed to
urllib.parse.urlencode() which eventually calls str() on it. The test
does not represent desired real world behavior. Rather than test for and
assert strange unspecified behavior that emits a warning, remove it.
This was also discussed in PR #11374. 
						
						
					 
					
						2019-06-19 13:03:52 +02:00 
						 
				 
			
				
					
						
							
							
								Johan Lübcke 
							
						 
					 
					
						
						
							
						
						0670b1b403 
					 
					
						
						
							
							Fixed   #30485  -- Adjusted django.utils.http.urlencode for doseq=False case.  
						
						
						
						
					 
					
						2019-05-24 17:15:34 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						c9888bc8ec 
					 
					
						
						
							
							Fixed   #30264  -- Fixed crash of test_parsing_year_less_than_70() on 32-bit systems.  
						
						
						
						
						Thanks Andreas Beckmann and Chris Lamb for the report. 
						
						
					 
					
						2019-03-20 13:44:30 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						83c2bc52c2 
					 
					
						
						
							
							Refs  #27753  -- Deprecated django.utils.http urllib aliases.  
						
						
						
						
					 
					
						2019-02-04 18:53:11 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						958a7b4ca6 
					 
					
						
						
							
							Refs  #28965  -- Removed utils.http.cookie_date() per deprecation timeline.  
						
						
						
						
					 
					
						2019-01-17 10:52:19 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						6fe9c45b72 
					 
					
						
						
							
							Fixed   #30024  -- Made urlencode() and Client raise TypeError when None is passed as data.  
						
						
						
						
					 
					
						2018-12-27 11:19:55 -05:00 
						 
				 
			
				
					
						
							
							
								Hasan Ramezani 
							
						 
					 
					
						
						
							
						
						6b7f1c2530 
					 
					
						
						
							
							Increased test coverage of django.utils.http.  
						
						
						
						
					 
					
						2018-11-03 11:13:28 -04:00 
						 
				 
			
				
					
						
							
							
								Andreas Hug 
							
						 
					 
					
						
						
							
						
						a656a68127 
					 
					
						
						
							
							Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.  
						
						
						
						
					 
					
						2018-08-01 09:28:42 -04:00 
						 
				 
			
				
					
						
							
							
								Przemysław Suliga 
							
						 
					 
					
						
						
							
						
						d22b90b4ea 
					 
					
						
						
							
							Fixed   #29525  -- Allowed is_safe_url()'s allowed_hosts arg to be a string.  
						
						
						
						
					 
					
						2018-06-29 10:17:52 -04:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						1e81a4b897 
					 
					
						
						
							
							Fixed   #28638  -- Made allowed_hosts a required argument of is_safe_url().  
						
						
						
						
					 
					
						2018-01-11 07:03:50 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						ab7f4c3306 
					 
					
						
						
							
							Refs  #28965  -- Deprecated unused django.utils.http.cookie_date().  
						
						
						
						
					 
					
						2018-01-02 11:23:04 -05:00 
						 
				 
			
				
					
						
							
							
								François Freitag 
							
						 
					 
					
						
						
							
						
						41be85862d 
					 
					
						
						
							
							Fixed   #28679  -- Fixed urlencode()'s handling of bytes.  
						
						
						
						
						Regression in fee42fd99e 
						
						
					 
					
						2017-10-12 09:08:33 -04:00 
						 
				 
			
				
					
						
							
							
								François Freitag 
							
						 
					 
					
						
						
							
						
						0e212a705e 
					 
					
						
						
							
							Split django.utils.http tests into separate test classes.  
						
						
						
						
					 
					
						2017-10-10 08:53:01 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						96107e2844 
					 
					
						
						
							
							Refs  #26956  -- Removed the host parameter of django.utils.http.is_safe_url().  
						
						
						
						
						Per deprecation timeline. 
						
						
					 
					
						2017-09-22 12:51:18 -04:00 
						 
				 
			
				
					
						
							
							
								Mads Jensen 
							
						 
					 
					
						
						
							
						
						41a7876991 
					 
					
						
						
							
							Added test for too large input to django.utils.http.base36_to_int().  
						
						
						
						
					 
					
						2017-09-21 10:21:02 -04:00 
						 
				 
			
				
					
						
							
							
								UmanShahzad 
							
						 
					 
					
						
						
							
						
						856072dd4a 
					 
					
						
						
							
							Fixed   #28142  -- Fixed is_safe_url() crash on invalid IPv6 URLs.  
						
						
						
						
					 
					
						2017-05-10 09:02:20 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						5ea48a70af 
					 
					
						
						
							
							Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.  
						
						
						
						
						This is a security fix. 
						
						
					 
					
						2017-04-04 10:42:06 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						c716fe8782 
					 
					
						
						
							
							Refs  #23919  -- Removed six.PY2/PY3 usage  
						
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2017-01-18 16:21:28 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						d7b9aaa366 
					 
					
						
						
							
							Refs  #23919  -- Removed encoding preambles and future imports  
						
						
						
						
					 
					
						2017-01-18 09:55:19 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						8119b679eb 
					 
					
						
						
							
							Refs  #27025  -- Fixed "invalid escape sequence" warnings in Python 3.6.  
						
						
						
						
						http://bugs.python.org/issue27364  
					
						2016-09-17 15:44:06 -04:00 
						 
				 
			
				
					
						
							
							
								Kevin Christopher Henry 
							
						 
					 
					
						
						
							
						
						4ef0e019b7 
					 
					
						
						
							
							Fixed   #27083  -- Added support for weak ETags.  
						
						
						
						
					 
					
						2016-09-10 08:14:52 -04:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						f227b8d15d 
					 
					
						
						
							
							Refs  #26956  -- Allowed is_safe_url() to validate against multiple hosts  
						
						
						
						
					 
					
						2016-09-07 19:56:25 -07:00 
						 
				 
			
				
					
						
							
							
								Przemysław Suliga 
							
						 
					 
					
						
						
							
						
						5e5a17028f 
					 
					
						
						
							
							Fixed   #26902  -- Allowed is_safe_url() to require an https URL.  
						
						
						
						
						Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews. 
						
						
					 
					
						2016-08-19 18:51:33 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						92053acbb9 
					 
					
						
						
							
							Fixed E128 flake8 warnings in tests/.  
						
						
						
						
					 
					
						2016-04-08 10:12:33 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						552f03869e 
					 
					
						
						
							
							Added safety to URL decoding in is_safe_url() on Python 2  
						
						
						
						
						The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218ada7a4aef 
						
						
					 
					
						2016-03-04 23:33:35 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						ada7a4aefb 
					 
					
						
						
							
							Fixed   #26308  -- Prevented crash with binary URLs in is_safe_url()  
						
						
						
						
						This fixes a regression introduced by c5544d2892 
						
						
					 
					
						2016-03-04 21:14:14 +01:00 
						 
				 
			
				
					
						
							
							
								Mark Striemer 
							
						 
					 
					
						
						
							
						
						c5544d2892 
					 
					
						
						
							
							Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.  
						
						
						
						
						This is a security fix. 
						
						
					 
					
						2016-03-01 11:25:28 -05:00 
						 
				 
			
				
					
						
							
							
								Hasan 
							
						 
					 
					
						
						
							
						
						3d0dcd7f5a 
					 
					
						
						
							
							Refs  #26022  -- Used context manager version of assertRaises in tests.  
						
						
						
						
					 
					
						2016-01-29 12:32:18 -05:00 
						 
				 
			
				
					
						
							
							
								Denis Cornehl 
							
						 
					 
					
						
						
							
						
						186b6c61bf 
					 
					
						
						
							
							Fixed   #26024  -- Fixed regression in ConditionalGetMiddleware ETag support.  
						
						
						
						
						Thanks Denis Cornehl for help with the patch. 
						
						
					 
					
						2016-01-05 09:37:11 -05:00 
						 
				 
			
				
					
						
							
							
								Josh Soref 
							
						 
					 
					
						
						
							
						
						93452a70e8 
					 
					
						
						
							
							Fixed many spelling mistakes in code, comments, and docs.  
						
						
						
						
					 
					
						2015-12-03 12:48:24 -05:00 
						 
				 
			
				
					
						
							
							
								Matt Robenolt 
							
						 
					 
					
						
						
							
						
						b0c56b895f 
					 
					
						
						
							
							Fixed   #24496  -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN.  
						
						
						
						
						Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews. 
						
						
					 
					
						2015-09-16 12:21:50 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						011a54315e 
					 
					
						
						
							
							Made is_safe_url() reject URLs that start with control characters.  
						
						
						
						
						This is a security fix; disclosure to follow shortly. 
						
						
					 
					
						2015-03-18 19:20:07 -04:00 
						 
				 
			
				
					
						
							
							
								Lukas Klein 
							
						 
					 
					
						
						
							
						
						93b3ef9b2e 
					 
					
						
						
							
							Fixed   #24321  -- Improved utils.http.same_origin compliance with RFC6454  
						
						
						
						
					 
					
						2015-02-12 08:58:35 +01:00