Diffstat (limited to 'postgresqleu/static/views.py')
-rw-r--r-- | postgresqleu/static/views.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/postgresqleu/static/views.py b/postgresqleu/static/views.py
index 9c04dd05..d45cbfb2 100644
--- a/postgresqleu/static/views.py
+++ b/postgresqleu/static/views.py
@@ -1,6 +1,10 @@
 from django.http import HttpResponse, Http404
 from django.template import loader, TemplateDoesNotExist
+import re
+
+re_staticfilenames = re.compile("^[0-9A-Z/_-]+$", re.IGNORECASE)
+
 # Fallback handler for URLs not matching anything else. Fall them
 # back to a static template. If that one is not found, send a 404
@@ -10,6 +14,14 @@ def static_fallback(request, url):
     if url.find('..') > -1:
         raise Http404('Page not found')
+    if not re_staticfilenames.match(url):
+        raise Http404('Page not found.')
+
+    if len(url) > 250:
+        # Maximum length is really per-directory, but we shouldn't have any pages/fallback
+        # urls with anywhere *near* that, so let's just limit it on the whole
+        raise Http404('Page not found.')
+
     try:
         t = loader.get_template('pages/%s.html' % url)
         return HttpResponse(t.render())
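Review bot: The allow-list check `if not re_staticfilenames.match(url):` still accepts a url that ends in a single newline, because `$` in a Python regex also matches just before a trailing `\n`; the pattern should be anchored with `\Z` (`re.compile(r"^[0-9A-Z/_-]+\Z", re.IGNORECASE)` in the first hunk) or the call changed to `re_staticfilenames.fullmatch(url)` where Python 3.4+ is guaranteed. With that character class in place the earlier `url.find('..')` test is now redundant, since `.` is not permitted at all; a comment such as `# The character allow-list below already excludes '.', this check is kept for defence in depth` would stop a later reader from wondering whether one of the two can be dropped. The cheap `len(url) > 250` test would also be better placed before the regex match so the longest inputs are rejected without running it. The enclosing `static_fallback` starts before the hunk and its `except TemplateDoesNotExist` handling, if any, continues after it.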