[Django] #21389: Frisian is not accepted as HTTP Accept-Language
Django
--------------------------------------+--------------------
Reporter: bouke | Owner: nobody
Type: Uncategorized | Status: new
Component: Internationalization | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+--------------------
In `get_language_from_request` there are
[https://github.com/django/django/blob/master/django/utils/translation/trans_real.py#L499-L501
these lines]:
{{{
normalized = locale.locale_alias.get(to_locale(accept_lang, True))
if not normalized:
continue
}}}
However, `fy_nl` is not in
[http://svn.python.org/projects/python/trunk/Lib/locale.py `locale_alias`]
(use search). Hence, the `fy`/`fy_nl` language code is rejected.
--
Ticket URL: <https://code.djangoproject.com/ticket/21389>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: bouke | Owner: nobody
Type: Uncategorized | Status: new
Internationalization | Resolution:
Severity: Normal | Triage Stage:
Keywords: | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by bouke):
* cc: bouke@… (added)
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:1>
Django
Reporter: bouke | Owner: nobody
Type: Bug | Status: new
Component: Internationalization | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by claudep):
* type: Uncategorized => Bug
* stage: Unreviewed => Accepted
Comment:
The fact that `get_language_from_request` relies on `locale.locale_alias`
is too limiting. The problem is that `locale.locale_alias` is using the
(on my system) Xlib `/usr/share/X11/locale/locale.alias` list, which is
not as exhaustive as the libc `/usr/share/i18n/SUPPORTED`. So we have to
fix this, but we have to be careful because this was introduced in a
security fix [842a771e0527c].
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:2>
Django
Reporter: bouke | Owner: nobody
Type: Bug | Status: new
Component: Internationalization | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by bouke):
The [[https://www.djangoproject.com/weblog/2007/oct/26/security-
fix/|security fix referred to]] is a DoS-related attack:
> A per-process cache used by Django's internationalization ("i18n")
system to store the results of translation lookups for particular values
of the HTTP Accept-Language header used the full value of that header as a
key. An attacker could take advantage of this by sending repeated requests
with extremely large strings in the Accept-Language header, potentially
causing a denial of service by filling available memory.
> Due to limitations imposed by Web server software on the size of HTTP
header fields, combined with reasonable limits on the number of requests
which may be handled by a single server process over its lifetime, this
vulnerability may be difficult to exploit. Additionally, it is only
present when the "USE_I18N" setting in Django is "True" and the i18n
middleware component is enabled*. Nonetheless, all users of affected
versions of Django are encouraged to update.
So there should be some limitation on which languages can be provided by
the user to prevent such an attack, while allowing all possible languages
and sublanguages.
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:3>
Django
--------------------------------------+------------------------------------
Reporter: bouke | Owner: nobody
Type: Bug | Status: new
Component: Internationalization | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:4>
Django
--------------------------------------+------------------------------------
Reporter: bouke | Owner: nobody
Type: Bug | Status: new
Component: Internationalization | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:5>
Django
--------------------------------------+------------------------------------
Type: Bug | Status: assigned
Component: Internationalization | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by bouke):
* owner: nobody => bouke
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:6>
Django
--------------------------------------+------------------------------------
Reporter: bouke | Owner: bouke
Type: Bug | Status: assigned
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by bouke):
* has_patch: 0 => 1
Comment:
PR: https://github.com/django/django/pull/1912
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:7>
Django
--------------------------------------+------------------------------------
Reporter: bouke | Owner: bouke
Component: Internationalization | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Claude Paroz <claude@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"2bab9d6d9ea095c4bcaeede2df576708afd46291"]:
{{{
#!CommitTicketReference repository=""
revision="2bab9d6d9ea095c4bcaeede2df576708afd46291"
Fixed #21389 -- Accept most valid language codes
By removing the 'supported' keyword from the detection methods and only
relying
on a cached settings.LANGUAGES, the speed of said methods has been
improved;
around 4x raw performance. This allows us to stop checking Python's
incomplete
list of locales, and rely on a less restrictive regular expression for
accepting certain locales.
HTTP Accept-Language is defined as being case-insensitive, based on this
fact
extra performance improvements have been made; it wouldn't make sense to
check for case differences.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/21389#comment:8>