Diffstat (limited to 'django/views')
-rw-r--r-- | django/views/csrf.py | 17 | ||||
-rw-r--r-- | django/views/debug.py | 21 | ||||
-rw-r--r-- | django/views/generic/simple.py | 10 |
3 files changed, 37 insertions, 11 deletions
diff --git a/django/views/csrf.py b/django/views/csrf.py
index fa996fff24..c627812dcb 100644
--- a/django/views/csrf.py
+++ b/django/views/csrf.py
@@ -23,7 +23,7 @@ CSRF_FAILRE_TEMPLATE = """
 h1 span { font-size:60%; color:#666; font-weight:normal; }
 #info { background:#f6f6f6; }
 #info ul { margin: 0.5em 4em; }
- #info p { padding-top:10px; }
+ #info p, #summary p { padding-top:10px; }
 #summary { background: #ffc; }
 #explanation { background:#eee; border-bottom: 0px none; }
 </style>
@@ -32,6 +32,16 @@ CSRF_FAILRE_TEMPLATE = """
 <div id="summary">
 <h1>Forbidden <span>(403)</span></h1>
 <p>CSRF verification failed. Request aborted.</p>
+{% if no_referer %}
+ <p>You are seeing this message because this HTTPS site requires a 'Referer
+ header' to be sent by your web browser, but none was sent. This header is
+ required for security reasons, to ensure that your browser is not being
+ hijacked by third parties.</p>
+
+ <p>If you have configured your browser to disable 'Referer' headers, please
+ re-enable them, at least for this site, or for HTTPS connections, or for
+ 'same-origin' requests.</p>
+{% endif %}
 </div>
 {% if DEBUG %}
 <div id="info">
@@ -83,7 +93,10 @@ def csrf_failure(request, reason=""):
 """
 Default view used when request fails CSRF protection
 """
+ from django.middleware.csrf import REASON_NO_REFERER
 t = Template(CSRF_FAILRE_TEMPLATE)
 c = Context({'DEBUG': settings.DEBUG,
- 'reason': reason})
+ 'reason': reason,
+ 'no_referer': reason == REASON_NO_REFERER
+ })
 return HttpResponseForbidden(t.render(c), mimetype='text/html')
diff --git a/django/views/debug.py b/django/views/debug.py
index 6604bd3dae..7050ea38fb 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
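Review bot: `'no_referer': reason == REASON_NO_REFERER` on the added line ties the user-facing hint to the exact text of a message constant, so a later rewording of the middleware's reason string would silently drop the no-Referer explanation while the 403 itself keeps working; a comment at the comparison would keep that coupling visible, e.g. `# Matched by message text: keep in step with django.middleware.csrf.REASON_NO_REFERER`. The import of REASON_NO_REFERER inside the function body, presumably placed there to avoid an import cycle with the middleware module, also deserves a one-line comment stating that reason so nobody "tidies" it to module level. The def line of csrf_failure appears only in the hunk header, not in the hunk itself.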
@@ -12,7 +12,7 @@ from django.utils.importlib import import_module
 from django.utils.encoding import smart_unicode, smart_str
-HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST')
+HIDDEN_SETTINGS = re.compile('SECRET|PASSWORD|PROFANITIES_LIST|SIGNATURE')
 def linebreak_iter(template_source):
 yield 0
@@ -412,7 +412,7 @@ TECHNICAL_500_TEMPLATE = """
 <body>
 <div id="summary">
 <h1>{{ exception_type }} at {{ request.path_info|escape }}</h1>
- <pre class="exception_value">{{ exception_value|escape }}</pre>
+ <pre class="exception_value">{{ exception_value|force_escape }}</pre>
 <table class="meta">
 <tr>
 <th>Request Method:</th>
@@ -432,7 +432,7 @@ TECHNICAL_500_TEMPLATE = """
 </tr>
 <tr>
 <th>Exception Value:</th>
- <td><pre>{{ exception_value|escape }}</pre></td>
+ <td><pre>{{ exception_value|force_escape }}</pre></td>
 </tr>
 <tr>
 <th>Exception Location:</th>
@@ -459,7 +459,7 @@ TECHNICAL_500_TEMPLATE = """
 {% if unicode_hint %}
 <div id="unicode-hint">
 <h2>Unicode error hint</h2>
- <p>The string that could not be encoded/decoded was: <strong>{{ unicode_hint|escape }}</strong></p>
+ <p>The string that could not be encoded/decoded was: <strong>{{ unicode_hint|force_escape }}</strong></p>
 </div>
 {% endif %}
 {% if template_does_not_exist %}
@@ -532,8 +532,8 @@ TECHNICAL_500_TEMPLATE = """
 <tbody>
 {% for var in frame.vars|dictsort:"0" %}
 <tr>
- <td>{{ var.0|escape }}</td>
- <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+ <td>{{ var.0|force_escape }}</td>
+ <td class="code"><div>{{ var.1|pprint|force_escape }}</div></td>
 </tr>
 {% endfor %}
 </tbody>
@@ -582,7 +582,7 @@ Traceback:
 {% if frame.context_line %} {{ frame.lineno }}. {{ frame.context_line|escape }}{% endif %}
 {% endfor %}
 Exception Type: {{ exception_type|escape }} at {{ request.path_info|escape }}
-Exception Value: {{ exception_value|escape }}
+Exception Value: {{ exception_value|force_escape }}
 </textarea>
 <br><br>
 <input type="submit" value="Share this traceback on a public Web site">
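Review bot: The pattern is still a plain, case-sensitive substring match on setting names, and with SIGNATURE added it keeps settings such as `API_KEY`, `AUTH_TOKEN`, `AWS_ACCESS_KEY_ID` or anything ending in `_CREDENTIALS` fully visible on the technical 500 page whenever DEBUG is on. Widening the list to the usual key-material tokens is cheap and backward-compatible: `HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE')` (`PASS` also covers the existing `PASSWORD`). The code that applies the pattern is outside the hunk; if it is matched against names only, a comment on the constant saying that values are never inspected would tell the next maintainer that this list is the only guard.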
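Review bot: Only `exception_value` moves to `force_escape` in this textarea, while `frame.context_line|escape`, `exception_type|escape` and `request.path_info|escape` on the surrounding lines keep `escape`; if the motivation is that `escape` is a no-op for strings already marked safe under autoescaping, nothing in the template records which values can carry such a marker, and the mix reads as accidental. A template comment near the top of TECHNICAL_500_TEMPLATE (its definition starts outside the hunk) along the lines of `{# exception_value, unicode_hint and frame variables may be SafeData: force_escape ignores the marker, escape does not #}` would make the rule explicit. The same question applies to the `|escape` uses left untouched in the earlier hunks of this file.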
@@ -778,7 +778,12 @@ TECHNICAL_404_TEMPLATE = """
 </p>
 <ol>
 {% for pattern in urlpatterns %}
- <li>{{ pattern }}</li>
+ <li>
+ {% for pat in pattern %}
+ {{ pat.regex.pattern }}
+ {% if forloop.last and pat.name %}[name='{{ pat.name }}']{% endif %}
+ {% endfor %}
+ </li>
 {% endfor %}
 </ol>
 <p>The current URL, <code>{{ request_path|escape }}</code>, didn't match any of these.</p>
diff --git a/django/views/generic/simple.py b/django/views/generic/simple.py
index 3b5309df96..435cd7623d 100644
--- a/django/views/generic/simple.py
+++ b/django/views/generic/simple.py
@@ -17,7 +17,7 @@ def direct_to_template(request, template, extra_context=None, mimetype=None, **k
 t = loader.get_template(template)
 return HttpResponse(t.render(c), mimetype=mimetype)
-def redirect_to(request, url, permanent=True, **kwargs):
+def redirect_to(request, url, permanent=True, query_string=False, **kwargs):
 """
 Redirect to a given URL.
@@ -33,7 +33,15 @@ def redirect_to(request, url, permanent=True, **kwargs):
 If the ``permanent`` argument is False, then the response will have a 302 HTTP status code. Otherwise, the status code will be 301.
+
+ If the ``query_string`` argument is True, then the GET query string
+ from the request is appended to the URL.
+
 """
+ args = request.META["QUERY_STRING"]
+ if args and query_string and url is not None:
+ url = "%s?%s" % (url, args)
+
 if url is not None:
 klass = permanent and HttpResponsePermanentRedirect or HttpResponseRedirect
 return klass(url % kwargs) |
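Review bot: `{{ pat.regex.pattern }}` and `{{ pat.name }}` on the added lines are emitted without `|escape`, whereas the neighbouring context line writes `{{ request_path|escape }}` explicitly; a URL regex is developer-controlled and this page is only reached in debug mode, so the exposure is small, but the explicit form keeps the template consistent and does not depend on autoescaping being active for this Template: `{{ pat.regex.pattern|escape }}` and `[name='{{ pat.name|escape }}']`. The `{% if forloop.last and pat.name %}` test means only the final element of each chain shows its name, which is presumably intentional (resolvers have no useful name) and worth a short `{# ... #}` comment so it is not "fixed" later.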
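Review bot: The query string is appended to `url` before the existing `return klass(url % kwargs)` at the end of the hunk runs its %-interpolation, so any client-supplied `%` in QUERY_STRING (a percent-encoded `%20`, a stray `%(`) now reaches `str.__mod__` and turns the redirect into a ValueError/KeyError 500, and a `%(name)s` sequence in the query string could pull captured URL kwargs into the redirect target. Interpolate first and append the raw query string afterwards, and read it with `request.META.get("QUERY_STRING", "")`, since PEP 333 allows a server to omit an empty QUERY_STRING. The `else:` branch of redirect_to continues outside the hunk and needs no change.
```python
    args = request.META.get("QUERY_STRING", "")
    if url is not None:
        # Interpolate captured kwargs first: the query string is client input
        # and must never be subject to %-formatting.
        url = url % kwargs
        if query_string and args:
            url = "%s?%s" % (url, args)
        klass = permanent and HttpResponsePermanentRedirect or HttpResponseRedirect
        return klass(url)
```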