path: root/django/middleware
Commit message (Author, Age, Files, Lines -/+)
* Fixed #34515 -- Made LocaleMiddleware prefer language from paths when i18n patterns are used. (Mariusz Felisiak, 2023-05-02, 1 file, -21/+12)
  Regression in 94e7f471c4edef845a4fe5e3160132997b4cca81.
  This reverts commit 94e7f471c4edef845a4fe5e3160132997b4cca81 (refs #34069) and partly reverts commit 3b4728310a7a64f8fcc548163b0aa5f98a5c78f5.
  Thanks Anthony Baillard for the report.
  Co-Authored-By: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
* Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline. (Mariusz Felisiak, 2023-01-17, 1 file, -7/+1)
* Fixed #33735 -- Added async support to StreamingHttpResponse. (Carlton Gibson, 2022-12-22, 1 file, -4/+18)
  Thanks to Florian Vazelle for initial exploratory work, and to Nick Pope and Mariusz Felisiak for review.
* Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware. (Andreas Pelme, 2022-12-17, 1 file, -2/+10)
* Fixed #34074 -- Added headers argument to RequestFactory and Client classes. (David Wobrock, 2022-11-14, 1 file, -2/+1)
* Updated documentation and comments for RFC updates. (Nick Pope, 2022-11-10, 2 files, -2/+2)
  - Updated references to RFC 1123 to RFC 5322
    - Only partial as RFC 5322 sort of sub-references RFC 1123.
  - Updated references to RFC 2388 to RFC 7578
    - Except RFC 2388 Section 5.3 which has no equivalent.
  - Updated references to RFC 2396 to RFC 3986
  - Updated references to RFC 2616 to RFC 9110
  - Updated references to RFC 3066 to RFC 5646
  - Updated references to RFC 7230 to RFC 9112
  - Updated references to RFC 7231 to RFC 9110
  - Updated references to RFC 7232 to RFC 9110
  - Updated references to RFC 7234 to RFC 9111
  - Tidied up style of text when referring to RFC documents
* Used more augmented assignment statements. (Nick Pope, 2022-10-31, 1 file, -2/+2)
  Identified using the following command:
  $ git grep -I '\(\<[_a-zA-Z0-9]\+\>\) *= *\1 *[-+/*^%&|<>@]'
* Fixed #34069 -- Made LocaleMiddleware respect language from requests when i18n patterns are used. (Sergio, 2022-10-13, 1 file, -12/+21)
* Fixed #33700 -- Skipped extra resolution for successful requests not ending with /. (Anders Kaseorg, 2022-06-02, 1 file, -12/+11)
  By moving a should_redirect_with_slash call out of an if block, commit 9390da7fb6e251eaa9a785692f987296cb14523f negated the performance fix of commit 434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (#24720). Meanwhile, the logging issue #26293 that it targeted was subsequently fixed more fully by commit 40b69607c751c4afa453edfd41d2ed155e58187e (#26504), so it is no longer needed. This effectively reverts it.
  This speeds up successful requests not ending with / when APPEND_SLASH is enabled (the default, and still useful in projects with a mix of URLs with and without trailing /). The amount of speedup varies from about 5% in a typical project to nearly 50% on a benchmark with many routes.
  Signed-off-by: Anders Kaseorg <andersk@mit.edu>
* Refs #30426 -- Updated XFrameOptionsMiddleware docstring. (Clemens Wolff, 2022-04-29, 1 file, -4/+4)
  Follow up to 05d0eca635853564c57e639ac5590674a7de2ed6.
* Refs #33476 -- Reformatted code with Black. (django-bot, 2022-02-07, 8 files, -156/+210)
* Refs #32800 -- Renamed _sanitize_token() to _check_token_format(). (Chris Jerdonek, 2021-11-29, 1 file, -3/+3)
* Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret. (Chris Jerdonek, 2021-11-29, 1 file, -42/+65)
  This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instances of the same project to Django 4.1+.
  Thanks Florian Apolloner and Shai Berger for reviews.
  Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
* Fixed #33252 -- Made cache middlewares thread-safe. (Iuri de Silvio, 2021-11-03, 1 file, -3/+8)
* Fixed #32768 -- Added Vary header when redirecting to prefixed i18n pattern. (Alex Hayward, 2021-09-01, 1 file, -1/+6)
  get_language_from_request() uses Accept-Language and/or Cookie to determine the correct redirect. Upstream caches need the matching Vary header to cache the result.
* Refs #32800 -- Added _add_new_csrf_cookie() helper function. (Chris Jerdonek, 2021-08-17, 1 file, -20/+21)
  This centralizes the logic to use when setting a new cookie. It also eliminates the need for the _get_new_csrf_token() function, which is now removed.
* Refs #32800 -- Renamed _set_token() to _set_csrf_cookie(). (Chris Jerdonek, 2021-08-17, 1 file, -9/+9)
* Refs #32800 -- Renamed _compare_masked_tokens() to _does_token_match(). (Chris Jerdonek, 2021-08-03, 1 file, -2/+2)
* Refs #32916 -- Replaced request.csrf_cookie_needs_reset with request.META['CSRF_COOKIE_NEEDS_UPDATE']. (Chris Jerdonek, 2021-07-29, 1 file, -12/+14)
* Fixed #32916 -- Combined request.META['CSRF_COOKIE_USED'] and request.csrf_cookie_needs_reset. (Chris Jerdonek, 2021-07-29, 1 file, -17/+7)
* Fixed #32329 -- Made CsrfViewMiddleware catch more specific UnreadablePostError. (Virtosu Bogdan, 2021-07-23, 1 file, -1/+2)
  Thanks Chris Jerdonek for the review.
* Fixed #32902 -- Fixed CsrfViewMiddleware.process_response()'s cookie reset logic. (Chris Jerdonek, 2021-07-23, 1 file, -10/+20)
  Thanks Florian Apolloner and Shai Berger for reviews.
* Fixed #32817 -- Added the token source to CsrfViewMiddleware's bad token error messages. (Chris Jerdonek, 2021-06-23, 1 file, -3/+15)
* Fixed #32842 -- Refactored out CsrfViewMiddleware._check_token(). (Chris Jerdonek, 2021-06-22, 1 file, -40/+46)
* Fixed comment in CsrfViewMiddleware to say _reject instead of reject. (Chris Jerdonek, 2021-06-12, 1 file, -1/+1)
* Fixed #32796 -- Changed CsrfViewMiddleware to fail earlier on badly formatted cookie tokens. (Chris Jerdonek, 2021-06-01, 1 file, -8/+15)
* Fixed #32795 -- Changed CsrfViewMiddleware to fail earlier on badly formatted tokens. (Chris Jerdonek, 2021-05-31, 1 file, -10/+32)
* Refs #32778 -- Improved the name of the regex object detecting invalid CSRF token characters. (Chris Jerdonek, 2021-05-29, 1 file, -3/+4)
  This also improves the comments near where the variable is used.
* Refs #32596 -- Added early return on safe methods in CsrfViewMiddleware.process_view(). (Chris Jerdonek, 2021-05-28, 1 file, -69/+68)
* Refs #32596 -- Optimized CsrfViewMiddleware._check_referer() to delay computing good_referer. (Chris Jerdonek, 2021-05-28, 1 file, -7/+8)
* Fixed #32596 -- Added CsrfViewMiddleware._check_referer(). (Chris Jerdonek, 2021-05-28, 1 file, -43/+52)
  This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test.
* Fixed #32778 -- Avoided unnecessary recompilation of token regex in _sanitize_token(). (abhiabhi94, 2021-05-25, 1 file, -2/+3)
* Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. (Tim Graham, 2021-04-30, 1 file, -4/+0)
* Fixed #31840 -- Added support for Cross-Origin Opener Policy header. (bankc, 2021-03-30, 1 file, -0/+6)
  Thanks Adam Johnson and Tim Graham for the reviews.
  Co-authored-by: Tim Graham <timograham@gmail.com>
* Fixed #32578 -- Fixed crash in CsrfViewMiddleware when a request with Origin header has an invalid host. (Chris Jerdonek, 2021-03-25, 1 file, -6/+11)
* Refs #32579 -- Fixed cookie domain comment in CsrfViewMiddleware.process_view(). (Chris Jerdonek, 2021-03-25, 1 file, -8/+8)
* Refs #32579 -- Optimized good_hosts creation in CsrfViewMiddleware.process_view(). (Chris Jerdonek, 2021-03-25, 1 file, -4/+3)
* Fixed #32571 -- Made CsrfViewMiddleware handle invalid URLs in Referer header. (Adam Donaghy, 2021-03-19, 1 file, -1/+4)
* Fixed #16010 -- Added Origin header checking to CSRF middleware. (Tim Graham, 2021-03-18, 1 file, -1/+50)
  Thanks David Benjamin for the original patch, and Florian Apolloner, Chris Jerdonek, and Adam Johnson for reviews.
* Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme. (Tim Graham, 2021-03-18, 1 file, -1/+9)
* Refs #26601 -- Made get_response argument required and don't accept None in middleware classes. (Mariusz Felisiak, 2021-01-14, 2 files, -12/+4)
  Per deprecation timeline.
* Made small readability improvements. (Martin Thoma, 2020-10-28, 1 file, -3/+2)
* Fixed #32124 -- Added per-view opt-out for APPEND_SLASH behavior. (Carlton Gibson, 2020-10-22, 1 file, -4/+5)
* Fixed #31789 -- Added a new headers interface to HttpResponse. (Tom Carrick, 2020-09-14, 5 files, -12/+14)
* Fixed #31928 -- Fixed detecting an async get_response in various middlewares. (Kevin Michel, 2020-08-28, 2 files, -17/+11)
  SecurityMiddleware and the three cache middlewares were not calling super().__init__() during their initialization or calling the required MiddlewareMixin._async_check() method. This made the middlewares not properly present as a coroutine and confused the middleware chain when used in a fully async context.
  Thanks Kordian Kowalski for the report.
* Refs #30573 -- Rephrased "Of Course" and "Obvious(ly)" in documentation and comments. (Adam Johnson, 2020-05-04, 1 file, -1/+1)
* Fixed #28699 -- Fixed CSRF validation with remote user middleware. (Colton Hicks, 2020-02-26, 1 file, -1/+4)
  Ensured process_view() always accesses the CSRF token from the session or cookie, rather than the request, as rotate_token() may have been called by an authentication middleware during the process_request() phase.
* Fixed #31291 -- Renamed salt to mask for CSRF tokens. (Ram Rachum, 2020-02-25, 1 file, -20/+20)
* Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. (Claude Paroz, 2020-02-18, 2 files, -0/+12)
  This is the new contract since middleware refactoring in Django 1.10.
  Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
  Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
* Fixed #30765 -- Made cache_page decorator take precedence over max-age Cache-Control directive. (Flavio Curella, 2020-01-16, 1 file, -9/+14)