Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Jacob Rief
Shouldn't we consider putting the CSRF token onto the deprecation list anyway? All browsers released later than 2017 support the 'SameSite' cookie attribute, making the CSRF token obsolete. I don't know what kind of policy the Django Project follows in depre

Re: Humanize duration fields

2021-01-12 Thread Adam Johnson
This seems like a sensible addition, and could possibly reuse the translated strings from within naturaltime. Have you got an example implementation? On Mon, 11 Jan 2021 at 22:52, Yasiel Cabrera wrote: > Hey guys, > > I'm starting this thread to consult if it makes sense to add a new filter > (naturald

Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Tim Graham
OWASP Cheat Sheet says, "It is important to note that [the SameSite Cookie] attribute should be implemented as an additional layer *defense in depth* concept. This attribute protects the user through the browsers supporting it, and it contains as well 2 ways to bypass it as mentioned in the fol

Re: Humanize duration fields

2021-01-12 Thread Yasiel Cabrera
I haven't any implementation yet. I'm going to do an implementation trying to reuse the naturaltime translations and I'm going back here with it. On Tuesday, January 12, 2021 at 06:05:57 UTC-5, Adam Johnson wrote: > This seems like a sensible addition, and could possibly reuse the > t

Re: Status of 3.2 release blockers.

2021-01-12 Thread Carlton Gibson
Hi all. Paul Ganssle has followed up his earlier PoC PR, and the previous discussion, with a smaller PR in order to *allow* using zoneinfo timezones without an error: Add support for non-pytz zones https://github.com/django/django/p

Re: Status of 3.2 release blockers.

2021-01-12 Thread Paul Ganssle
Yeah, sorry I didn't get around to this until so close to the deadline. December was a lot crazier for me than I had hoped. ☹ One thing I'll note is that this PR to allow using zoneinfo timezones is /mostly/ just adding tests. The substantive changes to the codebase are very light, and there shoul

Wanting to Contribute

2021-01-12 Thread Skyler Cain
Hello all! I've read this: https://docs.djangoproject.com/en/3.1/intro/contributing/ But after running my tests I get the following failure (when running all or individual). Any thoughts / suggestions would be much appreciated. (django) skylercain:~/code/django/tests [master]$ ./runtests.py sc

Re: Wanting to Contribute

2021-01-12 Thread Carlton Gibson
Hi Skyler. Welcome. That’ll be your SQLite version. MacOS tends to bundle an old one — and updating can be a little tricky because of the “System integrity protection”, not letting you specify a DYLD_LIBRARY_PATH. See the instructions here for getting a newer SQLite version: https://code.djang

Re: Status of 3.2 release blockers.

2021-01-12 Thread Adam Johnson
I think it's worth merging into 3.2. The change is quite small, the potential benefits are quite large, and some users live LTS to LTS so could be left without an option for a long time. I've left some review comments on the PR. On Tue, 12 Jan 2021 at 15:29, Paul Ganssle wrote: > Yeah, sorry I

Re: Wanting to Contribute

2021-01-12 Thread Skyler Cain
I ran the code to ensure that JSON1 extension is working within sqlite3. Can I check which version I need -- is that somewhere? Also if the JSON1 extension is working what other functionality do I need to check for? I was not using a customly installed version of python -- which I've now switched

Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Adam Johnson
Hi Tim, Thanks for working on this. I've put together some replies to your points here. On #1 - I think it's legitimate to have `CSRF_TRUSTED_ORIGINS` require the schemes. I think the setting should have included them all along, since a scheme is part of the definition of an origin. It's backward

Re: Wanting to Contribute

2021-01-12 Thread Carlton Gibson
> I ran your code to set and test the DYLD_LIBRARY_PATH and the first example worked for me. Did it give None or ‘testing’ — only if the latter is the environment variable reaching the Python process. (So only then can you override the default version) ~ $ python -c "import sqlite3; print(sqlite3

Re: Status of 3.2 release blockers.

2021-01-12 Thread Paolo Melchiorre
I agree with Adam. I've also left a small comment on the PR. Paolo On Tue, Jan 12, 2021 at 5:59 PM Adam Johnson wrote: > > I think it's worth merging into 3.2. The change is quite small, the potential > benefits are quite large, and some users live LTS to LTS so could be left > without an opt

Re: Wanting to Contribute

2021-01-12 Thread Skyler Cain
I got 'testing' returned. With that command I'm getting: (django-2) skylercain:~/code/django [master]$ python -c "import sqlite3; print(sqlite3.sqlite_version)" 3.32.3 Should I try an earlier version? On Tue, Jan 12, 2021 at 10:43 AM Carlton Gibson wrote: > > I ran your code to set and test th

Re: Wanting to Contribute

2021-01-12 Thread Carlton Gibson
OK, this was reported as https://code.djangoproject.com/ticket/31765, something* to do with macOS's bundled SQLite. * technical term. There's a workaround in master — https://github.com/django/django/commit/80a8be03d9321669a239dbced8ac48a4e7e1 I assume you're running against that, so can