authorMagnus Hagander2021-09-12 12:40:13 +0000
committerMagnus Hagander2021-09-12 12:40:13 +0000
commit379796952f830751f280d988199dc1a39e038ac0 (patch)
treebe18c8ef1710fb4a5911db688db3e703f718e14b /pgweb/util/middleware.py
parent1adaab8955ccf022b1c22b23d62a383854eb0e9e (diff)
Explicitly disallow NUL characters in URL parameters
This would already not work at a lower layer, but would typically generate an internal server error exception instead of just an error message. Instead, put an explicit check in the middleware that's already validating the query parameters and reject them with a 400 error.
Diffstat (limited to 'pgweb/util/middleware.py')
-rw-r--r--pgweb/util/middleware.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 1cf652a7..2120876f 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -1,5 +1,6 @@
from django.conf import settings
from django.http import QueryDict
+from django.core.exceptions import SuspiciousOperation
from pgweb.util.templateloader import initialize_template_collection, get_all_templates
@@ -102,6 +103,8 @@ class PgMiddleware(object):
for k in request.GET.keys():
if k not in allowed:
del result[k]
+ if "\0" in request.GET[k]:
+ raise SuspiciousOperation("NUL escapes not allowed in query parameters")
result.mutable = False
request.GET = result
else:
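Review bot: The new check at `if "\0" in request.GET[k]:` only inspects the last value of each key, because `QueryDict.__getitem__` returns the final entry of a multi-valued parameter; a request such as `?q=%00&q=x` passes the check while still carrying a NUL in `request.GET.getlist("q")`. If any downstream code reads the full list, the stated goal of rejecting NUL in query parameters is not met for that case, so check every value: `if any("\0" in v for v in request.GET.getlist(k)):`. Note also that the check runs after `del result[k]`, so a NUL in a parameter that is not in `allowed` still produces a 400 rather than being silently dropped; if that is intended it deserves a one-line comment, e.g. `# Reject NUL in any parameter, even ones we discard, so the request fails loudly.` The enclosing method of PgMiddleware starts and ends outside this hunk, so I cannot see how the `else:` branch treats parameters when no allow-list applies.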