Skip to content

D
django
Dal (branch)/etiket değiştir
  1. 27 Eki, 2009 4 kayıt (commit)
  3. 26 Eki, 2009 2 kayıt (commit)
    • Luke Plant's avatar
      Fixed #9977 - CsrfMiddleware gets template tag added, session dependency… · 8e70cef9
      Luke Plant yazdı 
      Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.

This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
      8e70cef9
    • Jacob Kaplan-Moss's avatar
      Fixed #11371: Made `django.test.Client.put()` work for non-form-data PUT (i.e.… · d1da2614
      Jacob Kaplan-Moss yazdı 
      Fixed #11371: Made `django.test.Client.put()` work for non-form-data PUT (i.e. JSON, etc.). Thanks, phyfus.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11656 bcc190cf-cafb-0310-a4f2-bffc1f526a37
      d1da2614
  5. 25 Eki, 2009 2 kayıt (commit)
  7. 24 Eki, 2009 6 kayıt (commit)
  9. 23 Eki, 2009 5 kayıt (commit)
  11. 20 Eki, 2009 1 kayıt (commit)
  13. 19 Eki, 2009 4 kayıt (commit)
  15. 17 Eki, 2009 1 kayıt (commit)
  17. 15 Eki, 2009 2 kayıt (commit)
  19. 14 Eki, 2009 2 kayıt (commit)
  21. 12 Eki, 2009 2 kayıt (commit)
  23. 09 Eki, 2009 1 kayıt (commit)
    • Jacob Kaplan-Moss's avatar
      SECURITY ALERT: Corrected regular expressions for URL and email fields. · 9f8287a3
      Jacob Kaplan-Moss yazdı 
      Certain email addresses/URLs could trigger a catastrophic backtracking situation, causing 100% CPU and server overload. If deliberately triggered, this could be the basis of a denial-of-service attack.

This security vulnerability was disclosed in public, so we're skipping our
normal security release process to get the fix out as soon as possible.

This is a security related update. A full announcement, as well as backports for the 1.1.X and 1.0.X series will follow.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11603 bcc190cf-cafb-0310-a4f2-bffc1f526a37
      9f8287a3
  25. 08 Eki, 2009 1 kayıt (commit)
  27. 01 Eki, 2009 1 kayıt (commit)
  29. 30 Eyl, 2009 1 kayıt (commit)
  31. 28 Eyl, 2009 2 kayıt (commit)
  33. 26 Eyl, 2009 1 kayıt (commit)
  35. 23 Eyl, 2009 2 kayıt (commit)