Carl Meyer
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin
720888a146
Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
...
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Claude Paroz
d774ad752d
[py3] Made csrf context processor return Unicode
2012-08-13 11:54:21 +02:00
Claude Paroz
4a103086d5
Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
...
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00
Claude Paroz
38408f8007
Marked bytestrings with b prefix. Refs #18269
...
This is a preparation for unicode literals general usage in
Django (Python 3 compatibility).
2012-05-19 17:43:34 +02:00
Claude Paroz
9383a2761c
Removed with_statement imports, useless in Python >= 2.6. Refs #17965 . Thanks jonash for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17828 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 08:02:08 +00:00
Paul McMillan
a77679dfaa
Fixes #16827 . Adds a length check to CSRF tokens before applying the santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11 04:18:15 +00:00
Adrian Holovaty
6cca104be0
Fixed some failing tests due to creation of HttpRequest._is_secure() methods in [17209]
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17212 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 00:17:26 +00:00
Alex Gaynor
d362c1546f
Convert much of the regression tests to use absolute imports. There's still work to be done though.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16976 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-10-13 18:51:33 +00:00
Jannis Leidel
24f4764a48
Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13 09:35:51 +00:00
Luke Plant
73721912e2
Fixed #16002 - test failure due to missing `from __future__ import with_statement`
...
Thanks to julien for the report
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16213 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-11 08:58:58 +00:00
Luke Plant
cb060f0f34
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests
...
Thanks to brodie for the report, and further input from tow21
This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the releaste notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:45:54 +00:00
Luke Plant
8cbcf1d3a6
Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie
...
Thanks to cfattarsi for the report and initial patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 23:00:22 +00:00
Luke Plant
b6c5f8060d
Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests
...
Thanks to sayane for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-05-09 21:35:24 +00:00
Russell Keith-Magee
4c468800ee
Updates to the test suite to allow for newly deprecated and removed features
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15990 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-02 08:44:47 +00:00
Luke Plant
4a6cb38722
Cleaned up some test code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15957 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:35:50 +00:00
Luke Plant
16f6acdb89
Deprecated csrf_response_exempt and csrf_view_exempt decorators
...
With the removal of CsrfResponseMiddleware, csrf_response_exempt serves no
purposes, and csrf_exempt and csrf_view_exempt perform the same function.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15956 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:35:41 +00:00
Luke Plant
8823021625
Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:26 +00:00
Luke Plant
21ef64e34c
Removed Django 1.1 fallback for CSRF checks.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:14 +00:00
Luke Plant
243d0bec19
Fixed #15617 - CSRF referer checking too strict
...
Thanks to adam for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:37:09 +00:00
Russell Keith-Magee
afd040d4d3
Updated test assertions that have been deprecated by the move to unittest2. In summary, this means:
...
assert_ -> assertTrue
assertEquals -> assertEqual
failUnless -> assertTrue
For full details, see http://www.voidspace.org.uk/python/articles/unittest2.shtml#deprecations
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15728 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-03 15:04:39 +00:00
Alex Gaynor
208630aa4b
Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:06:27 +00:00
Luke Plant
02fc6276d7
Fixed #14508 - test suite silences warnings.
...
Utility functions get_warnings_state and save_warnings_state have been added
to django.test.utils, and methods to django.test.TestCase for convenience.
The implementation is based on the catch_warnings context manager from
Python 2.6.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-11 15:06:20 +00:00
Luke Plant
90ac02300e
Fixed #14565 - No csrf_token on 404 page.
...
This solution doesn't have the negative side-effects of [14356].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:47:15 +00:00
Russell Keith-Magee
1070c57b83
Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Luke Plant
568b9cdf37
Fixed a test so that it actually tests what it's supposed to test.
...
Previously it passed whether or not the view was 'csrf_exempt'ed.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13735 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 23:56:10 +00:00
Luke Plant
364583b894
Fixed #14235 - UnicodeDecodeError in CSRF middleware
...
Thanks to jbg for the report.
This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 22:56:56 +00:00
James Bennett
9e3b327aca
Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 00:34:54 +00:00
Luke Plant
ac8b7ff021
Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt
...
This was a regression caused by the the CSRF changes in 1.2.
Thanks to edevil for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-06-08 14:35:48 +00:00
Luke Plant
48edb177ed
Fixed #12053 - form examples don't validate according to w3c
...
Thanks to skyl for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12086 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-04 21:55:52 +00:00
Luke Plant
7230a995ce
Moved contrib.csrf.* to core code.
...
There is stub code for backwards compatiblity with Django 1.1 imports.
The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00