| Commit message | Author | Age | Files | Lines |
|
CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
|
DisallowedHost.
|
USE_X_FORWARDED_PORT setting.
|
in error reporting.
|
APPEND_SLASH is set.
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
|
HttpRequest._get_scheme()
|
generators and dict comprehension
|
django.http.request.absolute_http_url_re
|
HttpRequest.get_full_path().
|
refs #23395.
|
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
|
header: ..."
|
QueryDicts, and FILES a MultiValueDict.
Previously, GET, POST, and FILES on an HttpRequest were created in
the __init__ method as dictionaries. This was not something you would
usually notice causing trouble in production as you'd only see a
WSGIRequest, but in testing using the test client, calling .getlist
on GET, POST, or FILES for a request with no get/post data resulted in
an AttributeError.
Changed GET and POST on an HttpRequest object to be mutable
QueryDicts (mutable because the Django tests, and probably many
third party tests, were expecting it).
|
optional.
Now QueryDict() is equivalent to QueryDict('') or QueryDict(None).
|
This patch is two-fold; first it ensures that Django does close everything in
request.FILES at the end of the request and secondly the storage system should
no longer close any files during save, it's up to the caller to handle that --
or let Django close the files at the end of the request.
|
handling of paths starting with //
``HttpRequest.build_absolute_uri()`` now correctly handles paths starting with ``//``.
``WSGIRequest`` now doesn't remove all the leading slashes either,
because ``http://test/server`` and ``http://test//server`` aren't the same thing
(RFC2396).
Thanks to SmileyChris for the initial patch.
|
django.utils.six.moves.
|
20472aa827669d2b83b74e521504e88e18d086a1.
Also added some tests for HttpRequest.__repr__.
Note that the added tests don't actually catch the accidental code
removal (see ticket) but they do cover a codepath that wasn't tested
before.
Thanks to Tom Christie for the report and the original patch.
|
Thanks manfre for the report and Timo Graham for the review.
|
HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.
`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.
`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.
This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.
Thanks nslater for the suggestion.
|
Thanks jaylett for the patch.
|
Thanks to berkerpeksag for the report and to claudep
for the review.
|
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were, however, being validated; this validation has now been
removed when DEBUG=True.
Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
|
Should be unneeded with Python 2.7 and up.
Added some unicode_literals along the way.
|
UnreadablePostError
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
|
SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
|
always exists.
Obviously it isn't set until the URL is resolved.
|
header validation.
This is a security fix; disclosure and advisory coming shortly.
|
Full disclosure and new release forthcoming.
|
Thanks Claude Paroz.
|
from __init__.py to request.py, response.py and utils.py
|