Age | Commit message | Author |
|
Raising an exception triggers an email-to-admin-action, and the whole
reason we have this NUL check is to *avoid* triggering those emails...
Hopefully explicitly returning a 400 HttpResponse will make them go
away.
|
|
This would already not work at a lower layer, but would typically
generate an internal server error exception instead of just an error
message.
Instead, put an explicit check in the middleware that's already
validating the query parameters and reject them with a 400 error.
|
|
This was broken when the querystring limiter was put in place
in 0724c08e402d0bffb0eb53192c4363dac1311fe3.
|
|
Require each view to declare which query parameters it wants, and filter
out any other parameters.
We have very few views that actually take query parameters, and random
additional query patterns will have no effect on the view. However, they
will break frontend caching (in making them look like different pages).
This will be extended into an implementation in the caching frontends as
well, but it's needed in the backend to ensure that local testing will
have the same effect as the caches.
|
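The per-view parameter allowlist and the explicit NUL-byte rejection described in the commits above, written out as an added example that is not pgweb's own middleware. The `queryparams` decorator and view attribute, the `check_query`/`dispatch` helpers and the stand-in views are assumed names for this illustration:

```python
from urllib.parse import parse_qsl, urlencode

# Added example, not pgweb's middleware: the per-view query-parameter
# allowlist plus the explicit NUL-byte rejection the commits describe.
# 'queryparams' (decorator and view attribute) is an assumed name.


def queryparams(*names):
    """Decorator: declare the query parameters a view accepts."""
    def decorate(view):
        view.queryparams = frozenset(names)
        return view
    return decorate


def check_query(view, query_string):
    """Validate and filter the raw query string for 'view'.

    Returns (status, cleaned_query_string):
      * 400 if any parameter name or value carries a NUL byte. A lower
        layer would choke on it anyway, but via an exception that pages
        the admins; rejecting it here keeps it a plain client error.
      * 200 with only the parameters the view declared, in their original
        order. Undeclared parameters cannot change the view's output, so
        dropping them stops '?utm_source=...' variants from splitting the
        frontend cache into many copies of the same page.
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    for name, value in params:
        if "\x00" in name or "\x00" in value:
            return 400, ""
    allowed = getattr(view, "queryparams", frozenset())
    kept = [(name, value) for name, value in params if name in allowed]
    return 200, urlencode(kept)


@queryparams("q", "page")
def search_view(cleaned_query):
    """Stand-in view: echoes the query string it actually received."""
    return "search: " + cleaned_query


def plain_view(cleaned_query):
    """Stand-in view that declared no parameters at all."""
    return "plain: " + cleaned_query


def dispatch(view, query_string):
    """Middleware-style wrapper: reject with 400 or call the view."""
    status, cleaned = check_query(view, query_string)
    if status == 400:
        return 400, "Bad Request: invalid query parameter"
    return 200, view(cleaned)
```

`parse_qsl` already percent-decodes, so `q=a%00b` arrives with a real NUL in the value and is caught before any view or database layer sees it; an undeclared `utm_source` is silently dropped rather than rejected, which is what keeps the cache key stable.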
|
If an xkey tag is already set on a response when it reaches the
middleware, add it to the set of automated xkeys generated from the
templates instead of overwriting it.
|
|
We don't have non-ascii characters in any of our correct URLs, but
people can still specify them on the URL. In this case the xkey isn't
going to match anything anyway, so it is not critical how we handle it,
especially since the generated page is going to be a 404 anyway. So just
use the simple built-in replace function.
|
In a quest to reach pep8, use spaces to indent rather than tabs.
|
This is used for the recaptcha. Also enable this for oauth signups,
previously missed.
|
|
Turns out data: is not included in "*" for images, so just add it. For
fonts, data: is used by google fonts.
|
|
Based on CSP reports collected
|
|
It needs at least both www.google-analytics and ssl.google-analytics.
|
|
The following security policy headers are set:
X-XSS-Protection: 1; mode=block -- always set
X-Frame-Options: DENY is set for all pages except for the documentation
pages, primarily because pgadmin4 loads them in an iframe which would
break.
Content-Security-Policy: <x>-src
Is set to allow the default of self only, then allowing scripts for
google analytics and fonts for google fonts. Images are allowed from everywhere.
frame-ancestors 'none' is set by the same rules as X-Frame-Options
This also adds a decorator for @script_sources to have a single view
allow extra sources, and this is used for recaptcha. A generic decorator
is also made for other types of exclusions, though we don't have any at
this point.
If the setting SECURITY_POLICY_REPORT_ONLY is set to True then the policy
will be report-only and not enforced (for testing), otherwise enforcing
mode is enabled.
The setting SECURITY_POLICY_REPORT_URI sets where to send security
policy reports, if any.
|
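The header policy the commit above describes, rebuilt as plain Python so it runs without Django; this is an added example, not pgweb's middleware. It also folds in the follow-up commits higher on this page (`data:` for images and fonts, both Google Analytics hosts, reCAPTCHA via `@script_sources`). The full host names (the commits name the Google Analytics hosts without a TLD), the Google Fonts and reCAPTCHA hosts, and the decorator and attribute names are assumptions made for this illustration:

```python
# Added example, not pgweb's middleware. Assumed, not from the page: the
# full host names, the Google Fonts and reCAPTCHA hosts, and the
# decorator/attribute names (allow_sources, script_sources, allow_framing,
# csp_extra).

GA_HOSTS = ["https://www.google-analytics.com",
            "https://ssl.google-analytics.com"]
GOOGLE_FONTS_CSS = "https://fonts.googleapis.com"
GOOGLE_FONTS_FILES = "https://fonts.gstatic.com"
RECAPTCHA_SCRIPT = "https://www.google.com/recaptcha/"

BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"] + GA_HOSTS,
    "style-src": ["'self'", GOOGLE_FONTS_CSS],
    "font-src": ["'self'", GOOGLE_FONTS_FILES, "data:"],  # Google Fonts uses data:
    "img-src": ["*", "data:"],  # '*' does not cover data: URIs
}


def allow_sources(directive, *sources):
    """Generic decorator: let one view add sources to one CSP directive."""
    def decorate(view):
        extra = dict(getattr(view, "csp_extra", {}))
        extra[directive] = list(extra.get(directive, [])) + list(sources)
        view.csp_extra = extra
        return view
    return decorate


def script_sources(*sources):
    """Convenience form for the one case in use: extra script hosts."""
    return allow_sources("script-src", *sources)


def allow_framing(view):
    """Mark a view (the documentation pages) as embeddable in an iframe."""
    view.allow_framing = True
    return view


def security_headers(view, report_only=False, report_uri=None):
    """Headers for a response produced by 'view'.

    report_only and report_uri stand in for the SECURITY_POLICY_REPORT_ONLY
    and SECURITY_POLICY_REPORT_URI settings.
    """
    headers = {"X-XSS-Protection": "1; mode=block"}
    policy = {d: list(s) for d, s in BASE_POLICY.items()}
    for directive, sources in getattr(view, "csp_extra", {}).items():
        # A directive absent from the policy falls back to default-src, so
        # seed it with 'self' before appending, or the view loses its own
        # origin for that resource type.
        policy.setdefault(directive, ["'self'"]).extend(sources)
    if not getattr(view, "allow_framing", False):
        headers["X-Frame-Options"] = "DENY"
        policy["frame-ancestors"] = ["'none'"]
    parts = ["%s %s" % (d, " ".join(s)) for d, s in policy.items()]
    if report_uri:
        parts.append("report-uri %s" % report_uri)
    header_name = ("Content-Security-Policy-Report-Only" if report_only
                   else "Content-Security-Policy")
    headers[header_name] = "; ".join(parts)
    return headers


def plain_view(request):
    return "page"


@allow_framing
def docs_view(request):
    return "docs"


@script_sources(RECAPTCHA_SCRIPT)
def signup_view(request):
    return "signup"
```

Flipping `report_only` changes only the header name, so the same policy string can be watched through `report-uri` before it is enforced; the docs view drops both `X-Frame-Options` and `frame-ancestors` together, since either one alone would still break the pgadmin4 iframe.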
|
This adds an xkey header to all outgoing requests with the hash of the
name of all templates loaded. In the future we will be able to use this
to purge "all pages that included a specific template", regardless of
where in the hierarchy it was loaded.
Do this by faking a template loader that never finds anything -- but it
will record the path of the template that it tried to load, and then
leave it to another template loader to actually load it. Store this in
thread local storage (it's a bit ugly, but it's the only thing Django
supports for storing things at the request level from a template
loader), and fetch it from the middleware.
|
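The recording-loader trick above, together with the two xkey follow-ups higher on this page (merging a tag already set on the response rather than overwriting it, and encoding a non-ASCII request path with the built-in `replace` error handler), as an added example that is not pgweb's code. Django's loader chain is replaced by a toy one (`RecordingLoader`, `DictLoader`, `render`) so the mechanism runs stand-alone; the key prefixes, the hash, the helper names and the sample templates are constructed for this illustration:

```python
import hashlib
import re
import threading

# Added example, not pgweb's code. Django's loader chain is replaced by a
# toy one so the mechanism runs stand-alone; prefixes, hash and sample
# templates are constructed for this example.

_state = threading.local()
INCLUDE_RE = re.compile(r'\{%\s*include\s+"([^"]+)"\s*%\}')


class TemplateDoesNotExist(Exception):
    pass


class RecordingLoader:
    """Never finds anything: notes the requested name in thread-local
    storage, then raises so the next loader in the chain does the loading."""

    def load_template(self, name):
        if getattr(_state, "templates", None) is None:
            _state.templates = []
        _state.templates.append(name)
        raise TemplateDoesNotExist(name)


class DictLoader:
    """The loader that really loads, from an in-memory dict of templates."""

    def __init__(self, templates):
        self.templates = templates

    def load_template(self, name):
        if name not in self.templates:
            raise TemplateDoesNotExist(name)
        return self.templates[name]


def render(name, loaders):
    """Walk the loader chain, then expand {% include "x" %} recursively so
    templates pulled in further down the hierarchy are recorded as well."""
    for loader in loaders:
        try:
            body = loader.load_template(name)
            break
        except TemplateDoesNotExist:
            continue
    else:
        raise TemplateDoesNotExist(name)
    return INCLUDE_RE.sub(lambda m: render(m.group(1), loaders), body)


def _tag(prefix, text):
    # Cache tag only, not a security boundary. errors="replace" means a
    # non-ASCII request path just hashes to a key that matches nothing,
    # instead of raising UnicodeEncodeError in the middleware.
    return prefix + hashlib.sha256(text.encode("ascii", "replace")).hexdigest()[:16]


def template_xkey(name):
    return _tag("pgwt_", name)


def path_xkey(path):
    return _tag("pgwp_", path)


def begin_request():
    """Middleware, request side: start a fresh per-thread template list."""
    _state.templates = []


def finish_request(path, existing_xkey=None):
    """Middleware, response side: build the xkey header value.

    A key already set on the response is merged in, not overwritten."""
    keys = set(existing_xkey.split()) if existing_xkey else set()
    keys.add(path_xkey(path))
    for name in getattr(_state, "templates", None) or []:
        keys.add(template_xkey(name))
    _state.templates = []
    return " ".join(sorted(keys))


SAMPLE_TEMPLATES = {  # constructed for this example
    "base.html": '<html>{% include "nav.html" %}<main>{% include "about.html" %}</main></html>',
    "nav.html": "<nav>menu</nav>",
    "about.html": "<p>about us</p>",
}
LOADERS = [RecordingLoader(), DictLoader(SAMPLE_TEMPLATES)]


def handle_request(path, existing_xkey=None):
    """One request end to end: returns (rendered_body, xkey_header_value)."""
    begin_request()
    body = render("base.html", LOADERS)
    return body, finish_request(path, existing_xkey)
```

Because the recording loader sits first in the chain and is consulted for every template lookup, including the nested includes, the resulting header carries one key per template anywhere in the hierarchy; a cache in front of the site can then purge by `template_xkey("nav.html")` and hit every page that rendered the navigation, which is exactly the purge the commit is preparing for.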
|
Clean up the whitespace in the primary Python / HTML files in
order to make it easier to apply changes going forward.
|
|
The site is now served regardless of SSL, and assumes that the webserver
or web cache ensures that things are always SSL.
|
|
This bug is fixed before django 1.8, so remove our workaround which
should now be unnecessary.
|
|
Persistent admin filters are fixed in django 1.8
|
|
Hopefully this will stop the system spamming us.
|
|
This can break things (d'uh).
Do this by introducing a new decorator, @ssl_optional. When this is
present, no SSL redirection will happen, regardless of whether the
access comes in over http or https.
This decorator overrides @ssl_required, but for readability's sake,
never use both at the same time.
|
|
Remove unused imports and some other completely unused code.
|
|
http://code.djangoproject.com/ticket/3777
|
|
The decorator now retains all attributes of the original view and adds a
new 'view.ssl_required = True' attribute.
|
|
seems impossible to get it working properly in the webserver...
|
|
Add a way to skip https redirection, so we can still run it locally,
and mark a couple of forms as requiring https.
|
|
Contains basic functionality, and an import of most of the static content
from the old site.
There is still plenty more to do...
|