1
0
mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00
Commit Graph

68 Commits

Author SHA1 Message Date
Sarah Boyce
39e2297210 Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.
2025-04-02 10:21:33 +02:00
Khudyakov Artem
9aabe7eae3 Fixed #35440 -- Simplified parse_header_parameters by leveraging stdlid's Message.
The `parse_header_parameters` function historically used Python's `cgi`
module  (now deprecated). In 34e2148fc7,
the logic was inlined to work around this deprecation ( #33173). Later,
in d4d5427571, the header parsing logic
was further cleaned up to align with `multipartparser.py` (#33697).

This change takes it a step further by replacing the copied `cgi` logic with
Python's `email.message.Message` API for a more robust and maintainable header
parsing implementation.

Thanks to Raphael Gaschignard for testing, and to Adam Johnson and Shai
Berger for reviews.

Co-authored-by: Ben Cail <bcail@crossway.org>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-03-27 08:57:03 -03:00
Mariusz Felisiak
efb7f9ced2 Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.
datetime.UTC was added in Python 3.11.
2025-02-18 08:35:36 +01:00
Alex Vandiver
8914b571eb Fixed #36023 -- Handled controls chars in content_disposition_header.
To use the simple `filename="..."` form, the value must conform to the
official grammar from RFC6266[^1]:

    filename-parm       = "filename" "=" value
    value               = <value, defined in [RFC2616], Section 3.6>
                        ; token | quoted-string

The `quoted-string` definition comes from RFC 9110[^2]:

```
    quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text

The backslash octet ("\") can be used as a single-octet quoting
mechanism within quoted-string and comment constructs. Recipients that
process the value of a quoted-string MUST handle a quoted-pair as if
it were replaced by the octet following the backslash.

    quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

A sender SHOULD NOT generate a quoted-pair in a quoted-string except
where necessary to quote DQUOTE and backslash octets occurring within
that string.
```

That is, quoted strings are able to express horizontal tabs, space
characters, and everything in the range from 0x21 to 0x7e, expect for
0x22 (`"`) and 0x5C (`\`), which can still be expressed but must be
escaped with their own `\`.

We ignore the case of `obs-text`, which is defined as the range
0x80-0xFF, since its presence is there for permissive parsing of
accidental high-bit characters, and it should not be generated by
conforming implementations.

Transform this character range into a regex and apply it in addition
to the "is ASCII" check.  This ensures that all simple filenames are
expressed in the simple format, and that all filenames with newlines
and other control characters are properly expressed with the
percent-encoded `filename*=...`form.

[^1]: https://datatracker.ietf.org/doc/html/rfc6266#section-4.1
[^2]: https://datatracker.ietf.org/doc/html/rfc9110#name-quoted-strings
2025-01-07 09:22:09 +01:00
Nick Pope
6089230d3e Refs #34986 -- Fixed mocking in utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.
Mocking in the `datetime` module can be tricky. In CPython the datetime
C module is used, but PyPy uses a pure Python implementation. This
caused issues with the prior approach to mocking `datetime.datetime`.

See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
2023-11-28 06:19:38 +01:00
Mariusz Felisiak
4afaeb14c2 Refs #30116 -- Simplified tests related with dictionary order.
Dicts preserve order since Python 3.6.
2023-07-12 11:06:59 +02:00
Alex Vandiver
cbce427c17 Fixed #34194 -- Added django.utils.http.content_disposition_header(). 2022-12-05 13:08:00 +01:00
Nick Pope
9bd174b9a7 Updated documentation and comments for RFC updates.
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-11-10 13:52:17 +01:00
Michael Manfre
03eec9ff6c Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Mehrdad
d4d5427571 Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Ad Timmering
bdf3e156b4 Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. 2022-01-07 12:25:06 +01:00
Nick Pope
d06c5b3581 Fixed #32366 -- Updated datetime module usage to recommended approach.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
2021-05-12 11:08:41 +02:00
Mariusz Felisiak
ec0ff40631 Fixed #32355 -- Dropped support for Python 3.6 and 3.7 2021-02-10 10:20:54 +01:00
Mariusz Felisiak
9e456f3166 Refs #30747 -- Removed django.utils.http.is_safe_url() per deprecation timeline. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak
88ed1c8d08 Refs #27753 -- Removed django.utils.http urllib aliases per deprecation timeline. 2021-01-14 17:50:04 +01:00
Nick Pope
fd209f62f1 Refs #21231 -- Backport urllib.parse.parse_qsl() from Python 3.8. 2020-09-03 14:24:42 +02:00
Hasan Ramezani
f121621073 Fixed #31521 -- Skipped test_parsing_rfc850 test on 32-bit systems. 2020-04-30 06:51:47 +02:00
Ad Timmering
7b5f8acb9e Fixed #28690 -- Fixed handling of two-digit years in parse_http_date().
Due to RFC7231 ayear that appears to be more than 50 years in the
future are interpreted as representing the past.
2019-09-30 14:42:56 +02:00
Ad Timmering
7cbd25a06e Refs #28690 -- Added more tests for parse_http_date(). 2019-09-30 14:42:51 +02:00
Carlton Gibson
4f61810751 Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme(). 2019-09-02 15:32:23 +02:00
swatantra
73ac9e3f04 Fixed #30677 -- Improved error message for urlencode() and Client when None is passed as data. 2019-08-11 20:15:23 +02:00
Jon Dufresne
b903bb438f Refs #30485 -- Removed non-representative test that emitted a warning.
Previously, when running the Django test suite with warnings enabled,
the following was emitted:

    /usr/lib64/python3.7/urllib/parse.py:915: BytesWarning: str() on a bytearray instance
      v = quote_via(str(v), safe, encoding, errors)

This occurred due to the bytearray() being passed to
urllib.parse.urlencode() which eventually calls str() on it. The test
does not represent desired real world behavior. Rather than test for and
assert strange unspecified behavior that emits a warning, remove it.

This was also discussed in PR #11374.
2019-06-19 13:03:52 +02:00
Johan Lübcke
0670b1b403 Fixed #30485 -- Adjusted django.utils.http.urlencode for doseq=False case. 2019-05-24 17:15:34 +02:00
Mariusz Felisiak
c9888bc8ec Fixed #30264 -- Fixed crash of test_parsing_year_less_than_70() on 32-bit systems.
Thanks Andreas Beckmann and Chris Lamb for the report.
2019-03-20 13:44:30 +01:00
Tim Graham
83c2bc52c2 Refs #27753 -- Deprecated django.utils.http urllib aliases. 2019-02-04 18:53:11 -05:00
Tim Graham
958a7b4ca6 Refs #28965 -- Removed utils.http.cookie_date() per deprecation timeline. 2019-01-17 10:52:19 -05:00
Jon Dufresne
6fe9c45b72 Fixed #30024 -- Made urlencode() and Client raise TypeError when None is passed as data. 2018-12-27 11:19:55 -05:00
Hasan Ramezani
6b7f1c2530 Increased test coverage of django.utils.http. 2018-11-03 11:13:28 -04:00
Andreas Hug
a656a68127 Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware. 2018-08-01 09:28:42 -04:00
Przemysław Suliga
d22b90b4ea Fixed #29525 -- Allowed is_safe_url()'s allowed_hosts arg to be a string. 2018-06-29 10:17:52 -04:00
Jon Dufresne
1e81a4b897 Fixed #28638 -- Made allowed_hosts a required argument of is_safe_url(). 2018-01-11 07:03:50 -05:00
Tim Graham
ab7f4c3306 Refs #28965 -- Deprecated unused django.utils.http.cookie_date(). 2018-01-02 11:23:04 -05:00
François Freitag
41be85862d Fixed #28679 -- Fixed urlencode()'s handling of bytes.
Regression in fee42fd99e.

Thanks Claude Paroz, Jon Dufresne, and Tim Graham for the guidance.
2017-10-12 09:08:33 -04:00
François Freitag
0e212a705e Split django.utils.http tests into separate test classes. 2017-10-10 08:53:01 -04:00
Tim Graham
96107e2844 Refs #26956 -- Removed the host parameter of django.utils.http.is_safe_url().
Per deprecation timeline.
2017-09-22 12:51:18 -04:00
Mads Jensen
41a7876991 Added test for too large input to django.utils.http.base36_to_int(). 2017-09-21 10:21:02 -04:00
UmanShahzad
856072dd4a Fixed #28142 -- Fixed is_safe_url() crash on invalid IPv6 URLs. 2017-05-10 09:02:20 -04:00
Tim Graham
5ea48a70af Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
This is a security fix.
2017-04-04 10:42:06 -04:00
Claude Paroz
c716fe8782 Refs #23919 -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz
d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham
8119b679eb Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Kevin Christopher Henry
4ef0e019b7 Fixed #27083 -- Added support for weak ETags. 2016-09-10 08:14:52 -04:00
Jon Dufresne
f227b8d15d Refs #26956 -- Allowed is_safe_url() to validate against multiple hosts 2016-09-07 19:56:25 -07:00
Przemysław Suliga
5e5a17028f Fixed #26902 -- Allowed is_safe_url() to require an https URL.
Thanks Andrew Nester, Berker Peksag, and Tim Graham for reviews.
2016-08-19 18:51:33 -04:00
Tim Graham
92053acbb9 Fixed E128 flake8 warnings in tests/. 2016-04-08 10:12:33 -04:00
Claude Paroz
552f03869e Added safety to URL decoding in is_safe_url() on Python 2
The errors='replace' parameter to force_text altered the URL before checking
it, which wasn't considered sane. Refs 24fc935218 and ada7a4aef.
2016-03-04 23:33:35 +01:00
Claude Paroz
ada7a4aefb Fixed #26308 -- Prevented crash with binary URLs in is_safe_url()
This fixes a regression introduced by c5544d2892.
Thanks John Eskew for the reporti and Tim Graham for the review.
2016-03-04 21:14:14 +01:00
Mark Striemer
c5544d2892 Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
2016-03-01 11:25:28 -05:00