53 Commits

Author SHA1 Message Date
6de259abcf Revert "Revert "Apply all patches up to CVE-2023-36053""
This reverts commit 225f60a6a28626ffa36438447e57abefdb6b4eda.
2023-07-25 17:10:05 -07:00
225f60a6a2 Revert "Apply all patches up to CVE-2023-36053"
This reverts commit 02766aa3ec9fcd65a7384b3b37f93eae23dee437.
2023-07-25 14:44:26 -07:00
02766aa3ec Apply all patches up to CVE-2023-36053 2023-07-24 16:14:42 -07:00
Tim Graham
45acd6d836 [1.9.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True.
This is a security fix.
2016-10-25 15:18:29 -04:00
Collin Anderson
d1bc980db1 [1.9.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics.
This is a security fix.

Backport of "refs #26158 -- rewrote http.parse_cookie() to better match
browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master
2016-09-26 12:54:36 -04:00
Berker Peksag
33b5bb7930 [1.9.x] Fixed #26126 -- Fixed transient failure of test_max_age_expiration
Backport of b17a9150a0c3a132e82b53755ede62a45f897875 from master
2016-02-15 09:26:58 -05:00
Josh Soref
8897f4b0df [1.9.x] Fixed many spelling mistakes in code, comments, and docs.
Backport of 93452a70e8a62c7408eeded444f5088d4a26212d from master
2015-12-03 12:49:03 -05:00
Dražen Odobašić
b1e33ceced Fixed #23395 -- Limited line lengths to 119 characters. 2015-09-12 11:40:50 -04:00
Vlastimil Zíma
cf29b6b561 Fixed #25099 -- Fixed crash in AdminEmailHandler on DisallowedHost. 2015-09-04 09:24:21 -04:00
Matt Robenolt
4dcfbd7923 Fixed #25211 -- Added HttpRequest.get_port() and USE_X_FORWARDED_PORT setting. 2015-08-04 09:50:57 -04:00
Vlastimil Zíma
8f8c54f70b Fixed #25099 -- Cleaned up HttpRequest representations in error reporting. 2015-07-13 19:22:39 -04:00
Tim Graham
0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Adam Taylor
039465a6a7 Fixed typos in code comments. 2015-01-20 12:18:03 -05:00
Tim Graham
b19b81b396 Fixed #24153 -- Fixed cookie test compatibility with Python 3.4.3+ 2015-01-19 15:12:57 -05:00
Tim Graham
df3cc53fda Fixed #23450 -- Fixed transient failure of requests...test_far_expiration. 2014-12-30 10:23:42 -05:00
Berker Peksag
788fa9fffa Fixed #12098 -- Simplified HttpRequest.__repr__(). 2014-11-20 08:45:11 -05:00
Berker Peksag
f7969b0920 Fixed #23620 -- Used more specific assertions in the Django test suite. 2014-11-03 11:56:37 -05:00
Unai Zalakain
c548c8d0d1 Fixed #18456 -- Added path escaping to HttpRequest.get_full_path(). 2014-11-03 07:59:19 -05:00
Thomas Chaumeny
b2aad7b836 Replaced set([foo, ...]) by {foo, ...} literals. Refs PR 3282.
Thanks Collin Anderson for the review.
2014-09-29 00:01:38 +07:00
qingfeng
0d23450e81 Fixed #19802 -- Fixed HttpResponse.set_cookie() with unicode data on Python 2.
Thanks django at patrickbregman.eu for the report.
2014-08-03 12:50:25 -04:00
Tim Graham
86c74eacd6 Updated tests per previous commit. 2014-07-05 20:20:19 -04:00
Duncan Parkes
fd4ccd045c Fixed #22799 -- Made GET and POST on HttpRequest QueryDicts, and FILES a MultiValueDict.
Previously, GET, POST, and FILES on an HttpRequest were created in
the __init__ method as dictionaries. This was not something you would
usually notice causing trouble in production as you'd only see a
WSGIRequest, but in testing using the test client, calling .getlist
on GET, POST, or FILES for a request with no get/post data resulted in
an AttributeError.

Changed GET and POST on an HttpRequest object to be mutable
QueryDicts (mutable because the Django tests, and probably many
third party tests, were expecting it).
2014-06-24 22:03:22 -04:00
Unai Zalakain
11284a63d4 Fixed #18314 -- Corrected request.build_absolute_uri() handling of paths starting with //
``HttpRequest.build_absolute_uri()`` now correctly handles paths starting with ``//``.
``WSGIRequest`` now doesn't remove all the leading slashes either,
because ``http://test/server`` and ``http://test//server`` aren't the same thing
(RFC2396).

Thanks to SmileyChris for the initial patch.
2014-06-07 08:59:02 -04:00
Aymeric Augustin
0f9560855e Removed legacy transaction management per the deprecation timeline. 2014-03-21 21:06:50 +01:00
Shai Berger
0615eaf24a Corrected a few missed references to old test settings 2014-03-09 08:33:33 +02:00
Michael Manfre
e1d839237f Make mysql's CursorWrapper a contextmanager. 2014-02-02 22:43:53 +01:00
Michael Manfre
3ffeb93186 Ensure cursors are closed when no longer needed.
This commit touches various parts of the code base and test framework. Any
found usage of opening a cursor for the sake of initializing a connection
has been replaced with 'ensure_connection()'.
2014-02-02 12:47:21 -05:00
Aymeric Augustin
e32095616c Imported override_settings from its new location. 2013-12-23 21:37:56 +01:00
Baptiste Mispelon
ceecc962ad Fixed #21447 -- Restored code erroneously removed in 20472aa827669d2b83b74e521504e88e18d086a1.
Also added some tests for HttpRequest.__repr__.
Note that the added tests don't actually catch the accidental code
removal (see ticket) but they do cover a codepath that wasn't tested
before.

Thanks to Tom Christie for the report and the original patch.
2013-11-16 01:09:35 +01:00
Alex Gaynor
c347f78cc1 Fixed all E226 violations 2013-11-03 10:08:55 -08:00
coagulant
3bc0d46a84 Fixed all E261 warnings 2013-11-02 18:20:39 -04:00
Tim Graham
36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Claude Paroz
c052699be3 Fixed #20338 -- Stripped ending dot during host validation
Thanks manfre for the report and Timo Graham for the review.
2013-10-24 21:24:04 +02:00
Alasdair Nicol
c3aa2948c6 Fixed #21298 -- Fixed E301 pep8 warnings 2013-10-23 13:45:03 +01:00
Alasdair Nicol
b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Tim Graham
96d1d4e292 Removed unused local variables in tests. 2013-10-19 08:31:38 -04:00
Alasdair Nicol
a800036981 Fixed #21287 -- Fixed E123 pep8 warnings 2013-10-18 10:07:39 +01:00
Alasdair Nicol
bab9123daa Fixed #21268 -- Fixed E303 pep8 warnings 2013-10-18 01:46:24 +01:00
Tim Graham
58d555caf5 Fixed #16822 -- Added RawPostDataException
Thanks jaylett for the patch.
2013-10-08 08:05:39 -04:00
Aymeric Augustin
6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Will Hardy
1c3c21b38d Fixed #19987 -- Disabled host validation when DEBUG=True.
The documentation promises that host validation is disabled when
DEBUG=True, that all hostnames are accepted. Domains not compliant with
RFC 1034/1035 were however being validated; this validation has now been
removed when DEBUG=True.

Additionally, when DEBUG=False a more detailed SuspiciousOperation
exception message is provided when host validation fails because the
hostname is not RFC 1034/1035 compliant.
2013-07-31 10:38:59 -04:00
Claude Paroz
73f86f4441 Isolated host validation tests in own test case 2013-07-13 10:16:52 +02:00
Aymeric Augustin
404870ee1f Fixed #20724 -- Test failure on SQLite.
This test failure happened if the connection's NAME was set to a file
system path, and its TEST_NAME wasn't.

Thanks Claude for the report.
2013-07-09 21:41:30 +02:00
Aymeric Augustin
cfcf4b3605 Stopped using django.utils.unittest in the test suite.
Refs #20680.
2013-07-01 14:29:33 +02:00
Aymeric Augustin
c6e6d4eeb7 Defined available_apps in relevant tests.
Fixed #20483.
2013-06-10 11:30:01 +02:00
Claude Paroz
de66b56790 Fixed #18481 -- Wrapped request.FILES read error in UnreadablePostError
Thanks KyleMac for the report, André Cruz for the initial patch and
Hiroki Kiyohara for the tests.
2013-06-01 10:26:46 +02:00
Aymeric Augustin
4bed64c417 Made test introduced in 566e284c pass on Python 3. 2013-05-18 13:34:52 +02:00
Senko Rasic
566e284c56 Added test for multipart, non form-data POST.
Closes #9054. The bug itself is no longer present.
2013-05-18 12:50:28 +02:00
Baptiste Mispelon
c250f9c99b Fixed #20038 -- Better error message for host validation. 2013-04-03 14:27:20 -06:00
Julien Phalip
2f81a0ca65 Fixed #20169 -- Ensured that the WSGI request's path is correctly based on the SCRIPT_NAME environment parameter or the FORCE_SCRIPT_NAME setting, regardless of whether or not those have a trailing slash. Thanks to bmispelon for the review. 2013-04-01 12:04:44 -07:00