author | Magnus Hagander | 2021-11-04 16:07:50 +0000 |
---|---|---|
committer | Magnus Hagander | 2021-11-04 16:10:59 +0000 |
commit | 37a5e6640319eddce61798dcaf3326c98b6fdccf (patch) | |
tree | 98e9406f48da55374dcfaddf6e86c66bd3d7290a /pgweb/util/middleware.py | |
parent | c4b2b65e8a9fc1bb60e5b7c1d80fbb7d3f807a44 (diff) |
Return a HttpResponse instead of an exception on NUL in query string parameters
Raising an exception triggers an email-to-admin-action, and the whole
reason we have this NUL check is to *avoid* triggering those emails...
Hopefully explicitly returning a 400 HttpResponse will make them go
away.
Diffstat (limited to 'pgweb/util/middleware.py')
-rw-r--r-- | pgweb/util/middleware.py | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 2120876f..28868459 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -1,6 +1,5 @@
 from django.conf import settings
-from django.http import QueryDict
-from django.core.exceptions import SuspiciousOperation
+from django.http import QueryDict, HttpResponse
 from pgweb.util.templateloader import initialize_template_collection, get_all_templates
@@ -104,7 +103,11 @@ class PgMiddleware(object):
 if k not in allowed:
 del result[k]
 if "\0" in request.GET[k]:
- raise SuspiciousOperation("NUL escapes not allowed in query parameters")
+ return HttpResponse(
+ "NUL escapes not allowed in query parameters",
+ content_type='text/plain',
+ status=400
+ )
 result.mutable = False
 request.GET = result
 else: |
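Review bot: The guard in front of the new `return HttpResponse(...)`, `if "\0" in request.GET[k]:`, inspects only the last value of a repeated parameter, because `QueryDict.__getitem__` returns the final item of the value list. A NUL in an earlier value of the same key would therefore not be rejected. Testing every value closes that gap: `if any("\0" in v for v in request.GET.getlist(k)):`. With the exception gone, these rejections no longer leave any trace, so a low-severity log line or counter just before the `return` would keep them visible for detection without mailing the admins. The enclosing loop and method start outside the hunk, so the early return presumably short-circuits the request before the view runs; that is worth confirming.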