VladPolskiy/postgres-web
1
0
Fork 0
mirror of https://github.com/postgres/pgweb.git synced 2025-08-12 23:05:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Explicitly disallow NUL characters in URL parameters

Browse Source 
This would already not work at a lower layer, but would typically
generate an internal server error exception instead of just an error
message.

Instead, put an explicit check in the middleware that's already
validating the query parameters and reject them with a 400 error.
This commit is contained in:
Magnus Hagander
2021-09-12 14:40:13 +02:00
parent 1adaab8955
commit 379796952f
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pgweb/util/middleware.py
View File

@ -1,5 +1,6 @@
from django.conf import settings
from django.http import QueryDict
from django.core.exceptions import SuspiciousOperation
from pgweb.util.templateloader import initialize_template_collection, get_all_templates
@ -102,6 +103,8 @@ class PgMiddleware(object):
for k in request.GET.keys():
if k not in allowed:
del result[k]
if "\0" in request.GET[k]:
raise SuspiciousOperation("NUL escapes not allowed in query parameters")
result.mutable = False
request.GET = result
else: