mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00
Code Issues 32 Releases Wiki Activity
22,901 Commits 30 Branches 460 Tags
fd183e1f819faa15a3205a1d9740ebfe3c8ebda0
Commit Graph

24 Commits

Author SHA1 Message Date
Camilo Nova
87584a0af1 [1.10.x] Used strict comparison in docs/ref/csrf.txt's JavaScript. 
Backport of 222e1334bf from master
 2016-06-28 12:52:05 -04:00
B. J. Potter
926529d618 [1.10.x] Fixed #26596 -- Added Jinja2 {{ csrf_input }} documentation. 
Backport of 9c53facc45 from master
 2016-06-03 15:25:50 -04:00
B. J. Potter
2e7ec15f53 [1.10.x] Added syntax highlighting to CSRF example. 
Backport of 261738990e from master
 2016-06-03 15:19:23 -04:00
Holly Becker
697ed75de5 [1.10.x] Refs #26628 -- Documented CSRF failure logging. 
Backport of ff9198ee0f from master
 2016-06-02 20:44:13 -04:00
Shai Berger
5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them 
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
 2016-05-19 05:02:19 +03:00
Florian Apolloner
9baf692a58 Fixed #26601 -- Improved middleware per DEP 0005. 
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
 2016-05-17 07:22:22 -04:00
Vasiliy Faronov
ac77c55bc5 Fixed #26567 -- Updated references to obsolete RFC2616. 
Didn't touch comments where it wasn't obvious that the code adhered to
the newer standard.
 2016-05-03 11:14:40 -04:00
Vaclav Ehrlich
369fa471f4 Fixed #26201 -- Documented the consequences of rotating the CSRF token on login. 2016-04-05 11:02:38 -04:00
acemaster
a1b1688c7d Fixed #26165 -- Added some FAQs about CSRF protection. 
Thanks Florian Apolloner and Shai Berger for review.
 2016-03-01 08:45:05 -05:00
userimack
7a7b82e6f4 Fixed #26181 -- Corrected AngularJS CSRF example. 2016-02-09 09:22:23 -05:00
Luke Plant
77974a684a Changed action="." to action="" in tests and docs. 
`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.
 2016-01-21 13:59:15 -05:00
Danilo Bargen
6a4f13de27 Added docs about configuring CSRF support in AngularJS. 2016-01-15 10:14:52 -05:00
Tim Graham
4d83b0163e Fixed #25969 -- Replaced render_to_response() with render() in docs examples. 2015-12-23 09:14:32 -05:00
Jon Dufresne
7aabd62380 Fixed #25778 -- Updated docs links to use https when available. 2015-12-01 08:01:34 -05:00
Agnieszka Lasyk
1f8dad6915 Fixed #25755 -- Unified spelling of "website". 2015-11-16 06:44:14 -05:00
Matt Robenolt
b0c56b895f Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. 
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
 2015-09-16 12:21:50 -04:00
Joshua Kehn
ab26b65b2f Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. 
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
 2015-09-05 09:19:57 -04:00
Marc
f9de197268 Recommended the JavaScript Cookie library instead of jQuery cookie. 
jQuery cookie is no longer maintained in favor of the JavaScript
cookie library. This also removes the jQuery dependency.
 2015-08-19 10:04:01 -04:00
Dave Hodder
08c980d752 Updated capitalization in the word "JavaScript" for consistency 2015-05-01 13:26:42 -04:00
Grzegorz Slusarek
668d53cd12 Fixed #21495 -- Added settings.CSRF_HEADER_NAME 2015-03-05 15:03:40 -05:00
Aymeric Augustin
9eb4f28e89 Deprecated TEMPLATE_CONTEXT_PROCESSORS. 2014-12-28 17:02:31 +01:00
Aymeric Augustin
92e8f1f302 Moved context_processors from django.core to django.template. 2014-12-28 17:00:07 +01:00
Fabio Natali
fa680ce1e2 Fixed #23825 -- Added links for decorating class-based views to the CSRF docs. 2014-11-15 19:33:39 +01:00
Thomas Chaumeny
d3db878e4b Moved CSRF docs out of contrib. 2014-11-03 07:47:39 -05:00