mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00

44 Commits

Author SHA1 Message Date
Carl Meyer
a7e33c5bf3 [1.5.x] Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 10:39:03 -07:00
Anssi Kääriäinen
743263a105 [1.5.x] Removed try-except in django.db.close_connection()
The reason was that the except clause needed to remove a connection
from the django.db.connections dict, but other parts of Django do not
expect this to happen. In addition the except clause was silently
swallowing the exception messages.

Refs #19707, special thanks to Carl Meyer for pointing out that this
approach should be taken.
2013-02-13 00:22:10 +02:00
Anssi Kääriäinen
60186aa2e5 [1.5.x] Fixed #19707 -- Reset transaction state after requests
Backpatch of a4e97cf315
2013-02-10 14:09:58 +02:00
Aymeric Augustin
9919638137 [1.5.x] Fixed #19468 -- Decoded request.path correctly on Python 3.
Thanks aliva for the report and claudep for the feedback.

Backport of 1e4a27d from master.
2012-12-22 14:45:06 +01:00
Florian Apolloner
77b06e4151 [1.5.X] Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-10 22:13:28 +01:00
Aymeric Augustin
b99707bded [1.5.x] Fixed #19101 -- Decoding of non-ASCII POST data on Python 3.
Thanks Claude Paroz.

Backport of 095eca8 from master.
2012-11-03 13:07:02 +01:00
Claude Paroz
3f3076edbf [1.5.x] Fixed #5076 -- Properly decode POSTs with non-utf-8 payload encoding
Thanks daniel at blogg.se for the report and Aymeric Augustin for
his assistance on the patch.

Backport of 6de6988f9 from master.
2012-10-30 09:01:57 +01:00
Ian Clelland
edaacc4112 [1.5.x] Don't use : as an invalid cookie character
Since http://bugs.python.org/issue2193 has been resolved in favour of
the colon in cookie names, we need to test invalid cookie removal using
a different character. "@" is still considered invalid by all sources.

Backport of 419e2137fabdcadadc728cb9bd94af929157dc3b from master
2012-10-26 02:39:39 +01:00
Aymeric Augustin
d7c6a57d60 Used @override_settings in several tests. 2012-10-20 23:22:46 +02:00
Claude Paroz
cfb3eb2e3d Used FakePayload in requests tests 2012-10-20 15:54:26 +02:00
Claude Paroz
dfd4a71751 Fixed #5611 -- Restricted accepted content types in parsing POST data
Thanks paulegan for the report and Preston Holmes for the review.
2012-10-20 14:56:16 +02:00
Preston Holmes
4fb510fde4 Added missed poisoned host header tests 2012-10-18 11:10:46 -07:00
Claude Paroz
97fe70d30b [py3] Used BytesIO to test request streams 2012-08-11 11:11:20 +02:00
Aymeric Augustin
396357741b [py3] Used compatible imports of StringIO. 2012-08-08 14:50:01 +02:00
Claude Paroz
4a103086d5 Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00
Claude Paroz
38408f8007 Marked bytestrings with b prefix. Refs #18269
This is a preparation for unicode literals general usage in
Django (Python 3 compatibility).
2012-05-19 17:43:34 +02:00
Claude Paroz
11a5355517 Inserted more simplefilter calls to be sure warnings are emitted.
Thanks to Florian Apolloner for suggesting the patch.
2012-05-03 21:31:23 +02:00
Claude Paroz
00c0d3c44e Made warning assertions work with or without -Wall python switch 2012-05-03 20:18:05 +02:00
Claude Paroz
10cf3c6427 Used catch_warnings instead of save/restore methods. Refs #17049. 2012-05-03 18:30:07 +02:00
Aymeric Augustin
e84f79f051 Fixed #18042 -- Advanced deprecation warnings.
Thanks Ramiro for the patch.
2012-05-03 15:27:01 +02:00
Claude Paroz
a1ffb02107 Fixed #18029 -- Removed mod_python as of deprecation process. Thanks Aymeric Augustin for the review.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17835 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 10:34:11 +00:00
Claude Paroz
9383a2761c Removed with_statement imports, useless in Python >= 2.6. Refs #17965. Thanks jonash for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17828 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-30 08:02:08 +00:00
Aymeric Augustin
c8e2f7591d Fixed #17931 -- Accepted aware datetimes to set cookies expiry dates. Thanks jaddison for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-18 20:58:22 +00:00
Carl Meyer
0ce6636102 Fixed #17277 - Wrap IOErrors raised due to client disconnect in a specific IOError subclass so they can be distinguished from more serious errors. Thanks David Lowe.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17493 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-10 22:51:07 +00:00
Carl Meyer
1b312edbeb Refs #17323 -- Updated a test to use try/finally to avoid state leakage. Thanks dstufft for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17211 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-16 23:50:34 +00:00
Adrian Holovaty
3f003a3c4b Fixed #17323 -- Renamed HttpRequest.raw_post_data to request.body. Thanks for the patch, dstufft
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17210 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-16 23:40:32 +00:00
Russell Keith-Magee
893cea211a Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel
a6cd78662e Fixed #15785 -- Stopped HttpRequest.read() from reading beyond the end of a wsgi.input stream and removed some redundant code in the multipartparser. Thanks, tomchristie, grahamd and isagalaev.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16479 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-28 10:17:56 +00:00
Russell Keith-Magee
9e952be26f Fixed #16201 -- Ensure that requests with Content-Length=0 don't break the multipart parser. Thanks to albsen for the report and patch
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16353 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 08:39:38 +00:00
Luke Plant
db2f9bfae1 Fixed #16178 - Cleanup request classes' __repr__()
Thanks to julien for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16350 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-09 23:15:42 +00:00
Luke Plant
8bb46d8b7c Fixed #15679 - regression in HttpRequest.POST and raw_post_data access.
Thanks to vkryachko for the report.

This also fixes a slight inconsistency with raw_post_data after parsing of a
multipart request, and adds a test for that.  (Previously accessing
raw_post_data would have returned the empty string rather than raising an
Exception).

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15938 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 16:11:40 +00:00
Russell Keith-Magee
b4f0921463 Fixed #15018 -- Corrected the handling of LimitedStream under one edge case involving size restricted buffers and newlines. Thanks to xjdrew for the report, and aaugustin for the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-16 07:31:35 +00:00
Russell Keith-Magee
78be884ea7 Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:30:50 +00:00
Alex Gaynor
035cb99b47 Make the requests test use unittest2, rather than the system unittest.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14487 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-07 15:41:17 +00:00
Russell Keith-Magee
269e921756 Fixed #9886 -- Added a file-like interface to HttpRequest. Thanks to Ivan Sagalaev for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14394 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-29 16:39:25 +00:00
Russell Keith-Magee
75536fef1f Modified the requests unit tests so that they aren't dependent on dictionary ordering.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13948 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-28 11:54:58 +00:00
Russell Keith-Magee
d63ee2097f Migrated requests doctests. Thanks to Stephan Jaekel.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-28 07:06:37 +00:00
Russell Keith-Magee
1637fefcb0 Fixed #14351 -- Modified the requests test case to avoid a timing problem in the test.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13922 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-28 04:35:50 +00:00
Malcolm Tredinnick
2d4da641a6 Allow setting HttpResponse cookie expiry times with datetime objects.
Patch from SmileyChris. Fixed #7770.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-12 20:52:49 +00:00
Malcolm Tredinnick
646f2f6101 Fixed #7494 -- Fixed build_absolute_url() for some types of (uncommon) URLs.
Patch from tom@almostobsolete.net and RobotAdam.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8490 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 17:28:12 +00:00
Malcolm Tredinnick
bfcecbffd3 Changed/fixed the way Django handles SCRIPT_NAME and PATH_INFO (or
equivalents). Basically, URL resolving will only use the PATH_INFO and the
SCRIPT_NAME will be prepended by reverse() automatically. Allows for more
portable development and installation. Also exposes SCRIPT_NAME in the
HttpRequest instance.

There are a number of cases where things don't work completely transparently,
so mod_python and fastcgi users should read the relevant docs.

Fixed #285, #1516, #3414.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8015 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-21 07:57:10 +00:00
Malcolm Tredinnick
30bdabb2b0 Fixed #6764 -- Added some error checking around cookie decoding. Thanks,
Michael Axiak.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@7257 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-17 13:49:04 +00:00
Gary Wilson Jr
4487be66ef Fixed tests added in [7200] to not depend on unpredictable key order of dict, which was sometimes causing a test error.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7207 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-08 14:41:13 +00:00
Gary Wilson Jr
d73c70d1ed Fixed #5595 -- Made ModPythonRequest.__repr__ return a string instead of a unicode object. Fixes the printout of the request object in those server error e-mails I never get :)
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7200 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-03-08 03:06:30 +00:00