authorMagnus Hagander2023-07-12 14:58:54 +0000
committerMagnus Hagander2023-07-12 14:58:54 +0000
commit2b408572b68a4facd12bcc68e2c0b4c013a7738b (patch)
treeb4dc22859bdae8c37ae1ed88d1cec7431340c1a1 /postgresqleu/static/views.py
parent5fed85e3d9707a07caf8a39758ab959056c0f0b3 (diff)
Implement static file URL filtering from pgweb
This filters filenames to be regular ascii characters, and sets a max length for URLs. Changes the errors for some broken urls and attempted-scriptkiddie-exploits to just be a not found instead of an internal server error.
Diffstat (limited to 'postgresqleu/static/views.py')
-rw-r--r--postgresqleu/static/views.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/postgresqleu/static/views.py b/postgresqleu/static/views.py
index 9c04dd05..d45cbfb2 100644
--- a/postgresqleu/static/views.py
+++ b/postgresqleu/static/views.py
@@ -1,6 +1,10 @@
from django.http import HttpResponse, Http404
from django.template import loader, TemplateDoesNotExist
+import re
+
+re_staticfilenames = re.compile("^[0-9A-Z/_-]+$", re.IGNORECASE)
+
# Fallback handler for URLs not matching anything else. Fall them
# back to a static template. If that one is not found, send a 404
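Review bot: The `$` anchor in the new `re_staticfilenames` pattern also matches just before a trailing newline, so a url such as `"about\n"` passes `.match()` even though the intent stated in the commit is to restrict the path to plain ASCII letters, digits, `/`, `_` and `-`. Use `\Z` (or `re.fullmatch`) so the whole string must consist of the allowed characters: `re_staticfilenames = re.compile(r"^[0-9A-Za-z/_-]+\Z")`. Spelling both cases in the class also removes the need for `re.IGNORECASE`, and a raw string is the usual form for regex literals. Whether a trailing newline can actually reach this view depends on the URL pattern that captures `url`, which is not in this file, so the impact is likely limited to a different error path rather than a bypass.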
@@ -10,6 +14,14 @@ def static_fallback(request, url):
if url.find('..') > -1:
raise Http404('Page not found')
+ if not re_staticfilenames.match(url):
+ raise Http404('Page not found.')
+
+ if len(url) > 250:
+ # Maximum length is really per-directory, but we shouldn't have any pages/fallback
+ # urls with anywhere *near* that, so let's just limit it on the whole
+ raise Http404('Page not found.')
+
try:
t = loader.get_template('pages/%s.html' % url)
return HttpResponse(t.render())
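Review bot: The two new rejections raise `Http404('Page not found.')` while the pre-existing `..` check two lines above raises `Http404('Page not found')` without the period; pick one message so the three branches are consistent. The `..` check is now also subsumed by the character-class check that follows it (the pattern admits no `.` at all), so either drop it or mark it as deliberate defence in depth, e.g. `# Redundant with re_staticfilenames; kept as an explicit guard against path traversal`. Consider moving the `len(url) > 250` guard ahead of the regex so an over-long url is rejected by the cheap check first. `static_fallback`'s signature is only visible in the hunk header and its body (the `except TemplateDoesNotExist` handler for this `try`) continues past the end of the hunk.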