commit 5112e65ef2
Author: Shai Berger
Date:   2016-05-19 05:02:19 +03:00

    Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them

    Note that the cookie is not changed every request, just the token retrieved
    by the `get_token()` method (used also by the `{% csrf_token %}` tag).
    While at it, made token validation strict: Where, before, any length was
    accepted and non-ASCII chars were ignored, we now treat anything other than
    `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
    backwards-compatibility, are accepted and replaced by 64-char ones).
    Thanks Trac user patrys for reporting, github user adambrenecki
    for initial patch, Tim Graham for help, and Curtis Maloney,
    Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
    for reviews.

commit f6ca63a9f8
Author: Tim Graham
Date:   2016-04-09 07:49:40 -04:00

    Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.

commit 15a20dc9af
Author: Tim Graham
Date:   2016-04-04 11:55:34 -04:00

    Removed a reference to Django 1.3.1 in docs.

commit f2b45ddd99
Author: Tim Graham
Date:   2016-02-11 07:58:15 -05:00

    Fixed #26206 -- Fixed docs comments causing empty code blocks.

commit 9c43d8252a
Author: Tim Graham
Date:   2016-01-25 11:57:14 -05:00

    Fixed Sphinx highlight warnings in docs.

commit d7580e286a
Author: Alex Gaynor
Date:   2015-12-21 06:47:11 -05:00

    Removed a misleading comment about HTTPS.

    For all practical purposes, there are no common cases for which a
    website cannot be deployed with HTTPS.

commit 7aabd62380
Author: Jon Dufresne
Date:   2015-12-01 08:01:34 -05:00

    Fixed #25778 -- Updated docs links to use https when available.

commit 1f8dad6915
Author: Agnieszka Lasyk
Date:   2015-11-16 06:44:14 -05:00

    Fixed #25755 -- Unified spelling of "website".

commit cc968b9c90
Author: David Sanders
Date:   2015-09-04 12:55:32 -04:00

    Added links to new security settings introduced in 1.8.

commit e9c5c39631
Author: Claude Paroz
Date:   2015-08-08 13:57:15 +02:00

    Updated various links in docs

commit 64982cc2fb
Author: Claude Paroz
Date:   2015-08-08 12:02:32 +02:00

    Updated Wikipedia links to use https

commit 97fa7fe961
Author: Tim Graham
Date:   2015-08-05 07:54:54 -04:00

    Fixed #25212 -- Documented the RawSQL expression.

commit d16bc7f0e4
Author: Carl Meyer
Date:   2014-09-26 11:07:55 -06:00

    Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

    Thanks "djbug" for the report.

commit 9432f1e750
Author: Tim Graham
Date:   2014-08-18 20:37:47 -04:00

    Fixed some doc errors that caused syntax highlighting to fail.

commit f65eb15ac6
Author: Tim Graham
Date:   2014-04-25 10:27:13 -04:00

    Fixed #22504 -- Corrected domain terminology in security guide.

    Thanks chris at chrullrich.net.

commit 3776926cfe
Author: Moayad Mardini
Date:   2014-04-25 09:54:49 -04:00

    Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

    Thanks Erik Romijn for the suggestion.

commit 4965a77407
Author: Tim Graham
Date:   2014-03-21 10:54:53 -04:00

    Removed PIL compatibility layer per deprecation timeline.

    refs #19934.

commit df6760f12c
Author: Tim Graham
Date:   2013-11-27 16:35:25 -05:00

    Added a warning regarding risks in serving user uploaded media.

    Thanks Preston Holmes for the draft text.

commit a3372f67cb
Author: Tim Graham
Date:   2013-10-18 09:42:45 -04:00

    Added a warning regarding session security and subdomains.

commit 1267d2d9bc
Author: Aymeric Augustin
Date:   2013-04-29 19:40:43 +02:00

    Fixed #20330 -- Normalized spelling of "web server".

    Thanks Baptiste Mispelon for the report.

commit d51fb74360
Author: Carl Meyer
Date:   2013-02-19 11:23:29 -07:00

    Added a new required ALLOWED_HOSTS setting for HTTP host header validation.

    This is a security fix; disclosure and advisory coming shortly.

commit ebd2598596
Author: Aymeric Augustin
Date:   2012-12-29 21:59:07 +01:00

    Removed django.contrib.markup.

commit b3a8c9dab8
Author: Tim Graham
Date:   2012-12-26 19:07:22 -05:00

    Fixed broken links, round 3. refs #19516

commit 27560924ec
Author: Florian Apolloner
Date:   2012-12-10 22:11:40 +01:00

    Fixed a security issue in get_host.

    Full disclosure and new release forthcoming.

commit 58786897a1
Author: David Fischer
Date:   2012-09-06 16:10:08 -04:00

    Formatting fix for host headers section

commit c65100248d
Author: David Fischer
Date:   2012-09-06 16:08:14 -04:00

    Added CSRF with HTTPS/HSTS and forwarding note

commit ba141e6906
Author: David Fischer
Date:   2012-09-06 15:13:31 -04:00

    Added note about Strict Transport Security (HSTS)

commit 0199bdc0b4
Author: Luke Plant
Date:   2012-06-04 21:41:05 +01:00

    Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.

commit 718f149bb2
Author: Luke Plant
Date:   2012-04-19 15:00:55 +00:00

    Added more explicit warnings about unconfigured reStructured Text usage in docs.

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit d3055b3382
Author: Adrian Holovaty
Date:   2011-12-17 02:48:27 +00:00

    Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit 893cea211a
Author: Russell Keith-Magee
Date:   2011-09-10 00:46:38 +00:00

    Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit f0280f2e94
Author: Jannis Leidel
Date:   2011-07-29 09:39:55 +00:00

    Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit 9896b0df73
Author: Luke Plant
Date:   2011-07-17 14:17:26 +00:00

    Grammar fixes and content tweaks to XSS section of security docs.

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit f5c9c2246e
Author: Luke Plant
Date:   2011-07-06 23:44:54 +00:00

    Improved warning about file uploads in docs, and added link from security overview page

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit 3ee076b135
Author: Jannis Leidel
Date:   2011-06-14 10:34:52 +00:00

    Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.

    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37

commit 528157ce73
Author: Luke Plant
Date:   2011-06-10 15:14:36 +00:00

    Fixed #14201 - Add a "security overview" page to the docs

    Thanks to davidfischer for the initial patch!
    git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37