mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00

30 Commits

Author SHA1 Message Date
Tim Graham
546740544d [1.7.x] Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487 from master
2014-04-21 18:29:12 -04:00
Athena
5d568bcfa6 Fixed #7571 -- Fixed parameter matching in include()'d urlpattern
Fixed URL resolving in the case where an outer regex includes an inner
regex and both regexes use positional parameters instead of named
groups, causing the outer regex's parameters to override the inner
regex's.

Modified the regex url resolver so that it concatenates and then
normalizes, instead of normalizing and then concatenating.
2014-03-05 00:35:03 +01:00
Baptiste Mispelon
173aa51997 Fixed #21435 -- Improved error message when urlconf is empty.
The new error message now hints that the most likely issue
is a circular import.

Thanks to trac user elena for the report and to
bpeschier for the original patch.
2014-02-22 15:36:49 +01:00
Claude Paroz
203f55b5d5 Replaced 'test' by 'sqlall' management command in reverse_lazy test 2014-02-18 13:21:25 +01:00
Claude Paroz
45edb9d235 Fixed #22057 -- Ensured reverse_lazy can be used in settings
And without causing a circular import. Thanks Akis Kesoglou for
the report.
2014-02-18 10:23:30 +01:00
Grzegorz Nosek
0b6f9f7c6f Improved fix for #18373 -- backward compatibility
Commit 79558c78 cleaned up the (undocumented) interface of Resolver404
exception, which breaks compatibility with code messing with .args[0]
directly. Revert the cleanup part and simply leave the fix itself.
2014-02-15 17:51:18 +01:00
Grzegorz Nosek
79558c787e Fixed #18373 - improved handling of Resolver404s from views
When django.core.urlresolvers.resolve was called from a view, failed
and the exception was propagated and rendered by technical_404_response,
the URL mentioned on the page was the current URL instead of the URL
passed to resolve().

Fixed by using the path attribute from the Resolver404 exception instead
of request.path_info. Also cleaned up the exceptions to use standard
named parameters instead of stuffing a dict in args[0]
2014-02-15 15:56:04 +01:00
Aymeric Augustin
e32095616c Imported override_settings from its new location. 2013-12-23 21:37:56 +01:00
Alex Gaynor
bc742ca110 Flake8 fixes -- including not running flake8 over a backported file 2013-11-11 14:05:14 -08:00
Bouke Haarsma
9b7455e918 Fixed #21351 -- Replaced memoize with Python's lru_cache.
Replaced the custom, untested memoize with a similar decorator from Python's
3.2 stdlib. Although there is some minor performance degradation (see ticket), it is
expected that in the long run lru_cache will outperform memoize once it is
implemented in C.

Thanks to EvilDMP for the report and Baptiste Mispelon for the idea of
replacing memoize with lru_cache.
2013-11-11 08:53:09 +01:00
Jason Myers
c3791463a5 Fixing E302 Errors
Signed-off-by: Jason Myers <jason@jasonamyers.com>
2013-11-02 23:48:47 -05:00
Boryslav Larin
e737c009b8 Fixed flake8 E241 2013-11-02 21:45:40 +02:00
Tim Graham
36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Alex Gaynor
9d740eb8b1 Fix all violators of E231 2013-10-26 12:15:03 -07:00
Bouke Haarsma
3565efaa45 Removed some direct settings manipulations in tests; refs #21230. 2013-10-21 11:31:05 -04:00
Tim Graham
96d1d4e292 Removed unused local variables in tests. 2013-10-19 08:31:38 -04:00
Tim Graham
1dae4ac177 Whitespace cleanup.
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
2013-10-10 16:49:20 -04:00
Aymeric Augustin
a5b062576b Removed a few trailing backslashes.
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Dan Johnson
df462cf760 Fixed #21043 -- Made resolve() handle reverse_lazy objects.
Thanks Keryn Knight for the report.
2013-09-06 15:46:43 -04:00
Claude Paroz
5c1143910e Removed most of absolute_import imports
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
2013-07-29 20:28:13 +02:00
Aymeric Augustin
cfcf4b3605 Stopped using django.utils.unittest in the test suite.
Refs #20680.
2013-07-01 14:29:33 +02:00
Wilfred Hughes
8365ed08b8 Fixed #17076 -- When reversing a URL fails, inform the user which patterns were tried. 2013-06-14 10:26:30 +01:00
Preston Holmes
d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Marc Tamlyn
09f8652765 Use assertIsInstance in tests.
Gives much nicer errors when it fails.
2013-05-21 10:42:15 +01:00
Loic Bistuer
521765f63d Fixed #19541 -- Fixed BaseHandler to enable reversing URLs in response middlewares
and streamed responses with respect to per-request urlconf.
2013-03-25 03:19:19 +07:00
Aymeric Augustin
31b5275235 Fixed #13260 -- Quoted arguments interpolated in URLs in reverse. 2013-03-18 23:58:22 +01:00
Baptiste Mispelon
4fa7f3cdd9 Fix #20022: Correctly handle prefixes with url-unsafe characters in reverse(). 2013-03-13 18:19:29 +01:00
Aymeric Augustin
ce76fbfc5a Fixed #20019 -- Ensured HttpRequest.resolver_match always exists.
Obviously it isn't set until the URL is resolved.
2013-03-10 23:28:19 +01:00
Florian Apolloner
33836cf88d Renamed some tests and removed references to modeltests/regressiontests. 2013-02-26 14:36:57 +01:00
Florian Apolloner
89f40e3624 Merged regressiontests and modeltests into the test root. 2013-02-26 14:36:57 +01:00