Carl Meyer  d51fb74360  2013-02-19 11:23:29 -07:00
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.

This is a security fix; disclosure and advisory coming shortly.

Aymeric Augustin  720888a146  2013-02-07 09:48:08 +01:00
Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.

Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.

Claude Paroz  d774ad752d  2012-08-13 11:54:21 +02:00
[py3] Made csrf context processor return Unicode

Claude Paroz  4a103086d5  2012-06-07 18:08:47 +02:00
Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.

Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.

Claude Paroz  38408f8007  2012-05-19 17:43:34 +02:00
Marked bytestrings with b prefix. Refs #18269

This is a preparation for unicode literals general usage in
Django (Python 3 compatibility).

Claude Paroz  9383a2761c  2012-03-30 08:02:08 +00:00
Removed with_statement imports, useless in Python >= 2.6. Refs #17965. Thanks jonash for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17828 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Paul McMillan  a77679dfaa  2012-02-11 04:18:15 +00:00
Fixes #16827. Adds a length check to CSRF tokens before applying the sanitizing regex. Thanks to jedie for the report and zsiciarz for the initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Adrian Holovaty  6cca104be0  2011-12-17 00:17:26 +00:00
Fixed some failing tests due to creation of HttpRequest._is_secure() methods in [17209]

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17212 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Alex Gaynor  d362c1546f  2011-10-13 18:51:33 +00:00
Convert much of the regression tests to use absolute imports. There's still work to be done though.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16976 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Jannis Leidel  24f4764a48  2011-07-13 09:35:51 +00:00
Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  73721912e2  2011-05-11 08:58:58 +00:00
Fixed #16002 - test failure due to missing from __future__ import with_statement

Thanks to julien for the report

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16213 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  cb060f0f34  2011-05-09 23:45:54 +00:00
Fixed #15258 - Ajax CSRF protection doesn't apply to PUT or DELETE requests

Thanks to brodie for the report, and further input from tow21.
This is a potentially backwards incompatible change - if you were doing
PUT/DELETE requests and relying on the lack of protection, you will need to
update your code, as noted in the release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16201 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  8cbcf1d3a6  2011-05-09 23:00:22 +00:00
Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie

Thanks to cfattarsi for the report and initial patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16200 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  b6c5f8060d  2011-05-09 21:35:24 +00:00
Fixed #15354 - provide method to ensure CSRF token is always available for AJAX requests

Thanks to sayane for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16192 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Russell Keith-Magee  4c468800ee  2011-04-02 08:44:47 +00:00
Updates to the test suite to allow for newly deprecated and removed features

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15990 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  4a6cb38722  2011-03-30 17:35:50 +00:00
Cleaned up some test code.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15957 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  16f6acdb89  2011-03-30 17:35:41 +00:00
Deprecated csrf_response_exempt and csrf_view_exempt decorators

With the removal of CsrfResponseMiddleware, csrf_response_exempt serves no
purpose, and csrf_exempt and csrf_view_exempt perform the same function.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15956 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  8823021625  2011-03-30 17:34:26 +00:00
Removed deprecated CsrfResponseMiddleware, and corresponding tests and docs

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15949 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  21ef64e34c  2011-03-30 17:34:14 +00:00
Removed Django 1.1 fallback for CSRF checks.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15948 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  243d0bec19  2011-03-15 20:37:09 +00:00
Fixed #15617 - CSRF referer checking too strict

Thanks to adam for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15840 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Russell Keith-Magee  afd040d4d3  2011-03-03 15:04:39 +00:00
Updated test assertions that have been deprecated by the move to unittest2. In summary, this means:

assert_ -> assertTrue
assertEquals -> assertEqual
failUnless -> assertTrue

For full details, see http://www.voidspace.org.uk/python/articles/unittest2.shtml#deprecations

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15728 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Alex Gaynor  208630aa4b  2011-02-09 02:06:27 +00:00
Fixed a security issue in the CSRF component. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15464 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  02fc6276d7  2010-11-11 15:06:20 +00:00
Fixed #14508 - test suite silences warnings.

Utility functions get_warnings_state and save_warnings_state have been added
to django.test.utils, and methods to django.test.TestCase for convenience.
The implementation is based on the catch_warnings context manager from
Python 2.6.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14526 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  90ac02300e  2010-10-28 11:47:15 +00:00
Fixed #14565 - No csrf_token on 404 page.

This solution doesn't have the negative side-effects of [14356].

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14377 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Russell Keith-Magee  1070c57b83  2010-10-11 12:20:07 +00:00
Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  568b9cdf37  2010-09-10 23:56:10 +00:00
Fixed a test so that it actually tests what it's supposed to test.

Previously it passed whether or not the view was 'csrf_exempt'ed.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13735 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  364583b894  2010-09-10 22:56:56 +00:00
Fixed #14235 - UnicodeDecodeError in CSRF middleware

Thanks to jbg for the report.
This changeset essentially backs out [13698] in favour of a method that
sanitizes the token rather than escaping it.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13732 bcc190cf-cafb-0310-a4f2-bffc1f526a37

James Bennett  9e3b327aca  2010-09-09 00:34:54 +00:00
Patch CSRF-protection system to deal with reported security issue. Announcement and details to follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13698 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  ac8b7ff021  2010-06-08 14:35:48 +00:00
Fixed #13716 - the CSRF get_token function stopped working for views with csrf_view_exempt

This was a regression caused by the CSRF changes in 1.2.
Thanks to edevil for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13336 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  48edb177ed  2010-01-04 21:55:52 +00:00
Fixed #12053 - form examples don't validate according to w3c

Thanks to skyl for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12086 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Luke Plant  7230a995ce  2009-10-27 00:36:34 +00:00
Moved contrib.csrf.* to core code.

There is stub code for backwards compatibility with Django 1.1 imports.
The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37