| Commit message | Author | Date | Files | Lines (-/+) |
|---|---|---|---|---|
| Used double quotation marks for csrf form element. | CHI Cheng | 2018-05-03 | 1 | -1/+1 |
| Fixed #27863 -- Added support for the SameSite cookie flag. Thanks Alex Gaynor for contributing to the patch. | Alex Gaynor | 2018-04-13 | 1 | -0/+8 |
| Fixed #28693 -- Fixed crash in CsrfViewMiddleware when an HTTPS request has an invalid host. | Tomer Chachamu | 2018-02-14 | 1 | -0/+13 |
| Fixed #28488 -- Reallowed error handlers to access CSRF tokens. Regression in eef95ea96faef0b7dbbe0c8092202b74f68a899b. | Florian Apolloner | 2017-09-20 | 1 | -1/+36 |
| Initialized CsrfViewMiddleware once in csrf_tests. | Florian Apolloner | 2017-09-20 | 1 | -53/+54 |
| Refs #23919 -- Assumed request COOKIES and META are str | Claude Paroz | 2017-01-30 | 1 | -22/+2 |
| Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand | 2017-01-25 | 1 | -2/+2 |
| Refs #23919 -- Stopped inheriting from object to define new style classes. | Simon Charette | 2017-01-19 | 1 | -1/+1 |
| Refs #23919 -- Removed `six.<various>_types` usage. Thanks Tim Graham and Simon Charette for the reviews. | Claude Paroz | 2017-01-18 | 1 | -2/+1 |
| Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | 2017-01-18 | 1 | -3/+0 |
| Moved csrf_tests views to a separate file. | Tim Graham | 2016-11-30 | 1 | -68/+13 |
| Refs #16859 -- Allowed storing CSRF tokens in sessions. Major thanks to Shai for helping to refactor the tests, and to Shai, Tim, Florian, and others for extensive and helpful review. | Raphael Michel | 2016-11-30 | 1 | -189/+304 |
| Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. | za | 2016-11-10 | 1 | -19/+18 |
| Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True. This is a security fix. | Tim Graham | 2016-11-01 | 1 | -1/+1 |
| Fixed #26747 -- Used more specific assertions in the Django test suite. | Jon Dufresne | 2016-06-16 | 1 | -4/+4 |
| Fixed #26628 -- Changed CSRF logger to django.security.csrf. | Holly Becker | 2016-06-04 | 1 | -14/+25 |
| Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them. Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | Shai Berger | 2016-05-19 | 1 | -9/+91 |
| Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). | chemary | 2016-01-20 | 1 | -0/+17 |
| Fixed many spelling mistakes in code, comments, and docs. | Josh Soref | 2015-12-03 | 1 | -1/+1 |
| Fixed #24496 -- Added CSRF Referer checking against CSRF_COOKIE_DOMAIN. Thanks Seth Gottlieb for help with the documentation and Carl Meyer and Joshua Kehn for reviews. | Matt Robenolt | 2015-09-16 | 1 | -13/+92 |
| Cleaned up docstrings in csrf_tests/tests.py. | Joshua Kehn | 2015-09-05 | 1 | -15/+13 |
| Fixed #25334 -- Provided a way to allow cross-origin unsafe requests over HTTPS. Added the CSRF_TRUSTED_ORIGINS setting which contains a list of other domains that are included during the CSRF Referer header verification for secure (HTTPS) requests. | Joshua Kehn | 2015-09-05 | 1 | -0/+13 |
| Refs #24652 -- Used SimpleTestCase where appropriate. | Simon Charette | 2015-05-20 | 1 | -2/+2 |
| Fixed #24696 -- Made CSRF_COOKIE computation lazy. Only compute the CSRF_COOKIE when it is actually used. This is a significant speedup for clients not using cookies. Changed result of the “test_token_node_no_csrf_cookie” test: It gets a valid CSRF token now which seems like the correct behavior. Changed auth_tests.test_views.LoginTest.test_login_csrf_rotate to use get_token() to trigger CSRF cookie inclusion instead of changing request.META["CSRF_COOKIE_USED"] directly. | Jay Cox | 2015-05-02 | 1 | -3/+10 |
| Fixed #21495 -- Added settings.CSRF_HEADER_NAME | Grzegorz Slusarek | 2015-03-05 | 1 | -0/+10 |
| Sorted imports with isort; refs #23860. | Tim Graham | 2015-02-06 | 1 | -2/+5 |
| Used None-related assertions in CSRF tests. Thanks Markus Holtermann for spotting this. | Claude Paroz | 2015-01-06 | 1 | -11/+11 |
| Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware. Thanks codeitloadit for the report, living180 for investigations and Tim Graham for the review. | Claude Paroz | 2015-01-06 | 1 | -0/+5 |
| Moved context_processors from django.core to django.template. | Aymeric Augustin | 2014-12-28 | 1 | -1/+1 |
| Fixed #23620 -- Used more specific assertions in the Django test suite. | Berker Peksag | 2014-11-03 | 1 | -3/+3 |
| Fixed #20128 -- Made CsrfViewMiddleware ignore IOError when reading POST data. Thanks Walter Doekes. | Tim Graham | 2014-06-25 | 1 | -0/+41 |
| Fixed #22185 -- Added settings.CSRF_COOKIE_AGE. Thanks Paul McMillan for the review. | Roger Hu | 2014-03-06 | 1 | -0/+44 |
| Imported override_settings from its new location. | Aymeric Augustin | 2013-12-23 | 1 | -2/+1 |
| PEP8 cleanup. Signed-off-by: Jason Myers `<jason@jasonamyers.com>` | Jason Myers | 2013-11-02 | 1 | -0/+5 |
| Fix all violators of E231 | Alex Gaynor | 2013-10-26 | 1 | -3/+3 |
| Removed some more unused local vars | Alex Gaynor | 2013-09-08 | 1 | -1/+1 |
| Fixed #19436 -- Don't log warnings in ensure_csrf_cookie. | Olivier Sels | 2013-05-18 | 1 | -12/+39 |
| Fixed #20411 -- Don't let invalid referers blow up CSRF same origin checks. Thanks to edevil for the report and saz for the patch. | Florian Apolloner | 2013-05-18 | 1 | -0/+13 |
| Merged regressiontests and modeltests into the test root. | Florian Apolloner | 2013-02-26 | 1 | -0/+342 |