| Commit message (Collapse) | Author | Age | Files | Lines |
|
CSRF_COOKIE_DOMAIN.
Thanks Seth Gottlieb for help with the documentation and
Carl Meyer and Joshua Kehn for reviews.
|
unsafe requests over HTTPS.
Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other
domains that are included during the CSRF Referer header verification
for secure (HTTPS) requests.
|
from reporting 404s when Referer = URL.
|
a slash twice in CommonMiddleware.
This speeds up affected requests by about 5%.
|
DISALLOWED_USER_AGENTS response
|
Only compute the CSRF_COOKIE when it is actually used. This is a
significant speedup for clients not using cookies.
Changed result of the “test_token_node_no_csrf_cookie” test: It gets
a valid CSRF token now which seems like the correct behavior.
Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to
use get_token() to trigger CSRF cookie inclusion instead of changing
request.META["CSRF_COOKIE_USED"] directly.
|
BrokenLinkEmailMiddleware
|
APPEND_SLASH is set.
This introduces a force_append_slash argument for request.get_full_path()
which is used by RedirectFallbackMiddleware and CommonMiddleware when
handling redirects for settings.APPEND_SLASH.
|
Thanks Carl Meyer for the report and Tim Graham for the review.
|
variable initialization
Failing in a middleware `__init__` is preventing proper debug view.
|
This method is unused since f567d04b249913db4a37adab8ba521cdc974d423
|
APPEND_SLASH redirect error.
|
middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
|
CommonMiddleware.response_redirect_class.
|
--deploy option
Thanks Carl Meyer for django-secure and for reviewing.
Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and
Jorge Carleitao for reviews.
|
Thanks buettgenbach at datacollect.com for the report and patch.
|
when reading POST data.
Thanks Walter Doekes.
|
comply with RFC 2616.
|
It prevented the GZipMiddleware from compressing some data types even on
more recent versions of IE where the corresponding bug was fixed.
Thanks Aaron Cannon for the report and Tim Graham for the review.
|
This is a security fix. Disclosure will follow shortly.
|
version of flake8 catches
|
Small doc changes missed in 66076268.
|
deprecation timeline.
|
deprecation timeline.
refs #15201.
|
timeline.
|
to-be-removed-in-django-XX warnings
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
|
Thanks Paul McMillan for the review.
|
By removing the 'supported' keyword from the detection methods and only relying
on a cached settings.LANGUAGES, the speed of said methods has been improved;
around 4x raw performance. This allows us to stop checking Python's incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.
HTTP Accept-Language is defined as being case-insensitive; based on this fact,
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
|
Current language is no longer saved to session by LocaleMiddleware
on every response (the behavior introduced in #14825).
Instead language stored in session is reintroduced into new session
after logout.
Forward port of c558a43fd6 to master.
|
Thanks Curtis Maloney and Florian Apolloner.
Squashed commit of the following:

commit 3380495e93f5e81b80a251b03ddb0a80b17685f5
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 14:18:07 2013 +0100

    Looked up the template_fragments cache at runtime.

commit 905a74f52b24a198f802520ff06290a94dedc687
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 14:19:48 2013 +0100

    Removed all uses of create_cache.
    Refactored the cache tests significantly.
    Made it safe to override the CACHES setting.

commit 35e289fe9285feffed3c60657af9279a6a2cfccc
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 12:23:57 2013 +0100

    Removed create_cache function.

commit 8e274f747a1f1c0c0e6c37873e29067f7fa022e8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Sat Nov 23 12:04:52 2013 +0100

    Updated docs to describe a simplified cache backend API.

commit ee7eb0f73e6d4699edcf5d357dce715224525cf6
Author: Curtis Maloney <curtis@tinbrain.net>
Date: Sat Oct 19 09:49:24 2013 +1100

    Fixed #21012 -- Thread-local caches, like databases.
|
Thanks to Claude Paroz for the original patch.
|
to '_language'.
The old 'django_language' variable will still be read from in order
to migrate users. The backwards-compatibility shim will be removed in
Django 1.8.
Thanks to jdunck for the report and stugots for the initial patch.
|
Thanks Gavin McQuillan for the report.
|
HttpRequest object
`HttpRequest.scheme` is `https` if `settings.SECURE_PROXY_SSL_HEADER` is
appropriately set and falls back to `HttpRequest._get_scheme()` (a hook
for subclasses to implement) otherwise.
`WSGIRequest._get_scheme()` makes use of the `wsgi.url_scheme` WSGI
environ variable to determine the request scheme.
`HttpRequest.is_secure()` simply checks if `HttpRequest.scheme` is
`https`.
This provides a way to check the current scheme in templates, for example.
It also allows us to deal with other schemes.
Thanks nslater for the suggestion.
|
LocaleMiddleware.response_redirect_class
Thanks ppetrid at yawd.eu for the suggestion.
|
collections.OrderedDict)
Thanks Loic Bistuer for the review.