Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

[1.5.x] Dropped fix_IE_for_vary/attach.

This is a security fix. Disclosure following shortly.
  • Loading branch information...
commit 4001ec8698f577b973c5a540801d8a0bbea1205b 1 parent 41ab97b
@aaugustin aaugustin authored timgraham committed
View
2  django/core/handlers/base.py
@@ -22,8 +22,6 @@ class BaseHandler(object):
response_fixes = [
http.fix_location_header,
http.conditional_content_removal,
- http.fix_IE_for_attach,
- http.fix_IE_for_vary,
]
def __init__(self):
View
3  django/http/__init__.py
@@ -6,5 +6,4 @@
HttpResponseRedirect, HttpResponseNotModified, HttpResponseBadRequest,
HttpResponseForbidden, HttpResponseNotFound, HttpResponseNotAllowed,
HttpResponseGone, HttpResponseServerError, Http404, BadHeaderError)
-from django.http.utils import (fix_location_header, conditional_content_removal,
- fix_IE_for_attach, fix_IE_for_vary)
+from django.http.utils import fix_location_header, conditional_content_removal
View
55 django/http/utils.py
@@ -39,58 +39,3 @@ def conditional_content_removal(request, response):
else:
response.content = ''
return response
-
-
-def fix_IE_for_attach(request, response):
- """
- This function will prevent Django from serving a Content-Disposition header
- while expecting the browser to cache it (only when the browser is IE). This
- leads to IE not allowing the client to download.
- """
- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
- return response
-
- offending_headers = ('no-cache', 'no-store')
- if response.has_header('Content-Disposition'):
- try:
- del response['Pragma']
- except KeyError:
- pass
- if response.has_header('Cache-Control'):
- cache_control_values = [value.strip() for value in
- response['Cache-Control'].split(',')
- if value.strip().lower() not in offending_headers]
-
- if not len(cache_control_values):
- del response['Cache-Control']
- else:
- response['Cache-Control'] = ', '.join(cache_control_values)
-
- return response
-
-
-def fix_IE_for_vary(request, response):
- """
- This function will fix the bug reported at
- http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global
- by clearing the Vary header whenever the mime-type is not safe
- enough for Internet Explorer to handle. Poor thing.
- """
- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
- return response
-
- # These mime-types that are decreed "Vary-safe" for IE:
- safe_mime_types = ('text/html', 'text/plain', 'text/sgml')
-
- # The first part of the Content-Type field will be the MIME type,
- # everything after ';', such as character-set, can be ignored.
- mime_type = response.get('Content-Type', '').partition(';')[0]
- if mime_type not in safe_mime_types:
- try:
- del response['Vary']
- except KeyError:
- pass
-
- return response
View
44 tests/regressiontests/utils/http.py
@@ -67,50 +67,6 @@ def test_urlencode(self):
]
self.assertTrue(result in acceptable_results)
- def test_fix_IE_for_vary(self):
- """
- Regression for #16632.
-
- `fix_IE_for_vary` shouldn't crash when there's no Content-Type header.
- """
-
- # functions to generate responses
- def response_with_unsafe_content_type():
- r = HttpResponse(content_type="text/unsafe")
- r['Vary'] = 'Cookie'
- return r
-
- def no_content_response_with_unsafe_content_type():
- # 'Content-Type' always defaulted, so delete it
- r = response_with_unsafe_content_type()
- del r['Content-Type']
- return r
-
- # request with & without IE user agent
- rf = RequestFactory()
- request = rf.get('/')
- ie_request = rf.get('/', HTTP_USER_AGENT='MSIE')
-
- # not IE, unsafe_content_type
- response = response_with_unsafe_content_type()
- utils.fix_IE_for_vary(request, response)
- self.assertTrue('Vary' in response)
-
- # IE, unsafe_content_type
- response = response_with_unsafe_content_type()
- utils.fix_IE_for_vary(ie_request, response)
- self.assertFalse('Vary' in response)
-
- # not IE, no_content
- response = no_content_response_with_unsafe_content_type()
- utils.fix_IE_for_vary(request, response)
- self.assertTrue('Vary' in response)
-
- # IE, no_content
- response = no_content_response_with_unsafe_content_type()
- utils.fix_IE_for_vary(ie_request, response)
- self.assertFalse('Vary' in response)
-
def test_base36(self):
# reciprocity works
for n in [0, 1, 1000, 1000000]:
Please sign in to comment.
Something went wrong with that request. Please try again.