author | Magnus Hagander | 2021-02-22 09:43:59 +0000 |
committer | Magnus Hagander | 2021-02-22 09:43:59 +0000 |
commit | 0724c08e402d0bffb0eb53192c4363dac1311fe3 (patch) | |
tree | 75272afa5747967c5568f79bcb089f36ca572d62 /pgweb/util/middleware.py | |
parent | b23309c95d5bb931c7d6ce4b782e919bd7449a22 (diff) |
Require explicit tagging on views taking query parameters
Require each view to declare which query parameters it wants, and filter
out any other parameters.
We have very few views that actually take query parameters, and random
additional query patterns will have no effect on the view. However, they
will break frontend caching (in making them look like different pages).
This will be extended into an implementation in the caching frontends as
well, but it's needed in the backend to ensure that local testing will
have the same effect as the caches.
Diffstat (limited to 'pgweb/util/middleware.py')
-rw-r--r-- | pgweb/util/middleware.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 1609e001..6a6e3dbf 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.http import QueryDict
 from pgweb.util.templateloader import initialize_template_collection, get_all_templates
@@ -76,3 +77,29 @@ class PgMiddleware(object):
         response['X-XSS-Protection'] = "1; mode=block"
         return response
+
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        # Filter out any query parameters that are not explicitly allowed. We do the same thing in Varnish,
+        # and it's better to also do it in django if they show up here, so issues because of it are caught
+        # in local testing where there is no Varnish.
+        if not request.GET:
+            # If there are no parameters, just skip this whole process
+            return None
+
+        if request.path.startswith('/admin/'):
+            # django-admin uses it a lot and it's not for us to change
+            return None
+
+        allowed = getattr(view_func, 'queryparams', None)
+
+        if allowed:
+            # Filter the QueryDict for only the allowed parameters
+            result = request.GET.copy()
+            for k in request.GET.keys():
+                if k not in allowed:
+                    del result[k]
+            result.mutable = False
+            request.GET = result
+        else:
+            request.GET = QueryDict()
+        return None |
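Review bot: Replacing `request.GET` in process_view only rewrites the parsed dict, not the raw query string, so `request.META['QUERY_STRING']` and anything built from it (`request.get_full_path()`, `build_absolute_uri()`, redirect and pagination links) still carry the dropped parameters, which is exactly what the cache frontends are meant never to see. Either add `request.META['QUERY_STRING'] = request.GET.urlencode()` after both assignment branches so the two views of the request agree, or record the limitation in the block comment, e.g. `# NOTE: only request.GET is filtered; get_full_path() still reflects the original query string`. Worth a comment as well that a view wrapped by a decorator that does not use `functools.wraps` loses its `queryparams` attribute and will have every parameter stripped, which is the safe fail-closed outcome but surprising when it happens. Minor style point: `for k in request.GET.keys():` can be `for k in request.GET:`, and `allowed` should be a set or tuple rather than whatever the view declared, so membership is cheap and a bare string `queryparams = 'page'` does not silently allow single characters.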