path: root/pgweb/util/middleware.py
Age         Commit message                                                                  Author

2021-11-04  Return a HttpResponse instead of an exception on NUL in query string parameters  (Magnus Hagander)

    Raising an exception triggers an email-to-admin-action, and the whole reason we have this NUL check is to *avoid* triggering those emails... Hopefully explicitly returning a 400 HttpResponse will make them go away.

2021-09-12  Explicitly disallow NUL characters in URL parameters  (Magnus Hagander)

    This would already not work at a lower layer, but would typically generate an internal server error exception instead of just an error message. Instead, put an explicit check in the middleware that's already validating the query parameters and reject them with a 400 error.

2021-03-24  Fix debug toolbar integration  (Magnus Hagander)

    This was broken when the querystring limiter was put in place in 0724c08e402d0bffb0eb53192c4363dac1311fe3.

2021-02-22  Require explicit tagging on views taking query parameters  (Magnus Hagander)

    Require each view to declare which query parameters it wants, and filter out any other parameters. We have very few views that actually take query parameters, and random additional query patterns will have no effect on the view. However, they will break frontend caching (in making them look like different pages). This will be extended into an implementation in the caching frontends as well, but it's needed in the backend to ensure that local testing will have the same effect as the caches.
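The three commits above (per-view declaration of accepted query parameters, rejection of NUL bytes, and answering that rejection with a 400 response rather than an exception) describe one piece of middleware logic. The following is an added example written for this page, not pgweb's own middleware: it is shaped like a Django `process_view` middleware but runs on tiny stand-in Request/Response objects so it needs no Django install, and the decorator name `queryparams`, the attribute `_allowed_query_params` and the `dispatch` helper are assumptions, not pgweb identifiers.

```python
"""Per-view query-parameter allow-listing plus NUL rejection, shaped like a
Django process_view middleware. Added example for this log page, not pgweb's
own code: Request/Response are tiny stand-ins so it runs without Django, and
the decorator name (queryparams) and attribute (_allowed_query_params) are
assumptions, not pgweb's identifiers."""
import functools
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Request:
    """Stand-in for django.http.HttpRequest; GET maps name -> list of values."""
    path: str
    GET: dict = field(default_factory=dict)


@dataclass
class Response:
    """Stand-in for django.http.HttpResponse."""
    content: str
    status_code: int = 200


def request_from_url(url: str) -> Request:
    path, _, qs = url.partition("?")
    # parse_qs decodes %00 to a real NUL, which is what the middleware checks for
    return Request(path=path, GET=parse_qs(qs, keep_blank_values=True))


def queryparams(*names):
    """Declare the query parameters a view accepts; anything else is filtered out."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            return view(request, *args, **kwargs)
        wrapper._allowed_query_params = frozenset(names)
        return wrapper
    return decorator


class QueryStringMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        return self.get_response(request)

    def process_view(self, request, view_func, view_args, view_kwargs):
        # A NUL in a parameter fails deeper down anyway (PostgreSQL rejects NUL in
        # text values) and would surface as a 500 plus an admin mail; answer 400
        # here instead of raising, so nothing is logged as an application error.
        for name, values in request.GET.items():
            if "\x00" in name or any("\x00" in v for v in values):
                return Response("NUL characters are not allowed in query parameters", 400)
        # Views that declare nothing get an empty GET. Stray parameters such as
        # utm_source=... change nothing in the view but would otherwise make the
        # caching frontend treat one page as many distinct ones.
        allowed = getattr(view_func, "_allowed_query_params", frozenset())
        request.GET = {k: v for k, v in request.GET.items() if k in allowed}
        return None


@queryparams("q")
def search_view(request):
    return Response("q=" + ",".join(request.GET.get("q", [])))


def plain_view(request):
    """Undecorated view: must never see any query parameters."""
    return Response("params=" + ",".join(sorted(request.GET)))


def dispatch(url, view=search_view):
    """Run one request through the middleware the way Django's handler would:
    process_view first, then the view if no early response was returned."""
    middleware = QueryStringMiddleware(view)
    request = request_from_url(url)
    early = middleware.process_view(request, view, (), {})
    return early if early is not None else middleware(request)


if __name__ == "__main__":
    for url in ("/search?q=json&utm_source=mail", "/search?q=%00x", "/about?q=1&x=2"):
        view = plain_view if url.startswith("/about") else search_view
        r = dispatch(url, view)
        print(url, "->", r.status_code, r.content)
```

The NUL check runs before the allow-list filter on purpose: a NUL hidden in a parameter the view never declared would otherwise be silently dropped locally but still reach whatever layer in front of the backend looks at the raw query string, so local testing would not match production behaviour.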
2020-11-23  Allow additions to auto-generated xkey tags  (Magnus Hagander)

    If an xkey tag is already set on a response when it reaches the middleware, add it to the set of automated xkeys generated from the templates instead of overwriting it.

2020-11-18  Replace non-ascii chars in template names when building xkey  (Magnus Hagander)

    We don't have non-ascii characters in any of our correct URLs, but people can still specify them on the URL. In this case the xkey isn't going to match anything anyway, so it is not critical how we handle it, especially since the generated page is going to be a 404 anyway. So just use the simple built-in replace function.

2020-07-02  Add CSP for GTM.  (Dave Page)

2020-03-31  Middleware and urls update for django 2.2  (Magnus Hagander)

2019-01-26  More generic changes from 2to3  (Magnus Hagander)

2019-01-26  Fix unicode for hashlib operations  (Magnus Hagander)

2019-01-17  Fix whitespace and indentation, per pep8  (Magnus Hagander)

2019-01-17  Tabs, meet your new overlords: spaces  (Magnus Hagander)

    In a quest to reach pep8, use spaces to indent rather than tabs.

2019-01-17  Seems GA also needs data: urls sometimes  (Magnus Hagander)

2018-12-29  Allow framing google.com on account signup page  (Magnus Hagander)

    This is used for the recaptcha. Also enable this for oauth signups, previously missed.

2018-12-29  Allow data: url for image and fonts  (Magnus Hagander)

    Turns out data: is not included in "*" for images, so just add it. For fonts, data: is used by google fonts.

2018-12-29  Allow google analytics to do "connect" as well  (Magnus Hagander)

    Based on CSP reports collected

2018-12-22  Another try at fixing google analytics vs CSP  (Magnus Hagander)

2018-12-22  Allow all of google-analytics in CSP  (Magnus Hagander)

    It needs at least both www.google-analytics and ssl.google-analytics..

2018-12-21  Enable setting of security http headers  (Magnus Hagander)

    The following security policy headers are set:

    X-XSS-Protection: 1; mode=block -- always set

    X-Frame-Options: DENY is set for all pages except for the documentation pages, primarily because pgadmin4 loads them in an iframe which would break.

    Content-Security-Policy: <x>-src is set to allow the default of self only, then allowing scripts for google analytics and fonts for google fonts. Images are allowed from everywhere. frame-ancestors 'none' is set by the same rules as X-Frame-Options.

    This also adds a decorator for @script_sources to have a single view allow extra sources, and this is used for recaptcha. A generic decorator is also made for other types of exclusions, though we don't have any at this point.

    If the setting SECURITY_POLICY_REPORT_ONLY is set to True then the policy will be report-only and not enforced (for testing), otherwise enforcing mode is enabled. The setting SECURITY_POLICY_REPORT_URI sets where to send security policy reports, if any.
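The 2018-12-21 message above lays out a complete header policy: X-XSS-Protection always, X-Frame-Options DENY and frame-ancestors 'none' everywhere except the documentation pages, a 'self'-only CSP widened for Google Analytics scripts and Google Fonts, images from anywhere, a @script_sources decorator for one view (recaptcha), a generic decorator behind it, and a report-only switch plus report URI taken from settings. The block below is an added example written for this page, not pgweb's middleware: the hostnames, the `/docs/` path rule, the Settings/Request/Response stand-ins and all class and function names are assumptions chosen to show the mechanism, and the later CSP adjustments in the log (data: URLs, connect-src, GTM) are deliberately not included.

```python
"""Security-header middleware following the 2018-12-21 description. Added
example, not pgweb's code: the hostnames, the /docs/ path rule and all
class/function names are assumptions; Settings/Request/Response are
stand-ins so the block runs without Django."""
from dataclasses import dataclass, field


@dataclass
class Settings:
    """Stand-in for django.conf.settings (constructed for the example)."""
    SECURITY_POLICY_REPORT_ONLY: bool = False
    SECURITY_POLICY_REPORT_URI: str = ""


@dataclass
class Request:
    path: str
    csp_extra: dict = field(default_factory=dict)


@dataclass
class Response:
    content: str = ""
    headers: dict = field(default_factory=dict)


# Directive -> sources. Hostnames are illustrative assumptions.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://www.google-analytics.com", "https://ssl.google-analytics.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": ["*"],
}


def extra_sources(directive, *sources):
    """Generic per-view exclusion: widen one CSP directive for this view only."""
    def decorator(view):
        merged = {d: list(s) for d, s in getattr(view, "csp_extra", {}).items()}
        merged.setdefault(directive, []).extend(sources)
        view.csp_extra = merged  # a copy, so BASE_POLICY and other views stay untouched
        return view
    return decorator


def script_sources(*sources):
    return extra_sources("script-src", *sources)


def allows_framing(path):
    """Documentation pages are loaded in an iframe by pgAdmin 4, so they stay frameable."""
    return path.startswith("/docs/")


def build_policy(extra, framing_allowed):
    directives = {d: list(s) for d, s in BASE_POLICY.items()}
    for directive, sources in extra.items():
        directives.setdefault(directive, ["'self'"]).extend(sources)
    if not framing_allowed:
        directives["frame-ancestors"] = ["'none'"]  # same rule as X-Frame-Options
    return "; ".join(f"{d} {' '.join(s)}" for d, s in directives.items())


class SecurityHeaderMiddleware:
    def __init__(self, get_response, settings=None):
        self.get_response = get_response
        self.settings = settings or Settings()

    def __call__(self, request):
        return self.process_response(request, self.get_response(request))

    def process_view(self, request, view_func, view_args, view_kwargs):
        # Stash the view's own additions; process_response never sees the view.
        request.csp_extra = getattr(view_func, "csp_extra", {})
        return None

    def process_response(self, request, response):
        h = response.headers
        h["X-XSS-Protection"] = "1; mode=block"
        framing = allows_framing(request.path)
        if not framing:
            h["X-Frame-Options"] = "DENY"
        policy = build_policy(request.csp_extra, framing)
        if self.settings.SECURITY_POLICY_REPORT_URI:
            policy += "; report-uri " + self.settings.SECURITY_POLICY_REPORT_URI
        # Report-only mode sends the same policy under a header browsers only report on.
        name = ("Content-Security-Policy-Report-Only"
                if self.settings.SECURITY_POLICY_REPORT_ONLY else "Content-Security-Policy")
        h[name] = policy
        return response


@script_sources("https://www.google.com/recaptcha/")
def signup_view(request):
    return Response("signup form")


def docs_view(request):
    return Response("docs")


def dispatch(path, view, settings=None):
    """Drive one request through process_view and process_response like Django's handler."""
    mw = SecurityHeaderMiddleware(view, settings)
    request = Request(path)
    mw.process_view(request, view, (), {})
    return mw(request)
```

Because the per-view additions are merged into a copy of the base policy at response time, a decorated view never leaks its extra sources into responses of other views, and the report-only switch changes only the header name, so a policy can be tested against real traffic before it is enforced.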
2018-06-29  Add support for doing ESI on pages in Varnish  (Magnus Hagander)

2018-06-29  Add support for automatic template based xkey  (Magnus Hagander)

    This adds an xkey header to all outgoing requests with the hash of the name of all templates loaded. In the future we will be able to use this to purge "all pages that included a specific template", regardless of where in the hierarchy it was loaded.

    Do this by faking a template loader that never finds anything -- but it will record the path of the template that it tried to load, and then leave it to another template loader to actually load it. Store this in thread local storage (it's a bit ugly, but it's the only thing Django supports for storing things at the request level from a template loader), and fetch it from the middleware.
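The loader trick described in the message above, together with the later refinements in this log (2018-06-29 hash of template names, 2019-01-26 bytes for hashlib, 2020-11-18 replacing non-ASCII characters, 2020-11-23 merging a tag the view already set), is shown below as an added example written for this page. It is not pgweb's code: the Engine and loader classes are tiny stand-ins for Django's template machinery so the block runs offline, the sample templates are constructed, and the choice of one SHA-256-derived tag per template, the `pgt_` prefix and the class names are assumptions.

```python
"""Template-based xkey tagging: a template loader that never finds anything
but records every name it is asked for, thread-local storage for those
names, and a middleware that turns them into xkey tags and merges any tag
the view already set. Added example, not pgweb's code: Engine/loader classes
are stand-ins for Django's, and the hash, tag prefix and names are assumptions."""
import hashlib
import threading
from dataclasses import dataclass, field

_local = threading.local()


class TemplateDoesNotExist(Exception):
    """Stand-in for django.template.TemplateDoesNotExist."""


class TrackingLoader:
    """Records the requested name, then declines so the next loader does the real work."""
    def get_template(self, name):
        if not hasattr(_local, "templates"):
            _local.templates = []
        _local.templates.append(name)
        raise TemplateDoesNotExist(name)


class DictLoader:
    """Stand-in for a filesystem loader: (text, [child templates]) per name."""
    def __init__(self, templates):
        self.templates = templates

    def get_template(self, name):
        if name not in self.templates:
            raise TemplateDoesNotExist(name)
        return self.templates[name]


class Engine:
    """Minimal loader chain plus a render that follows extends/include-style children."""
    def __init__(self, loaders):
        self.loaders = loaders

    def get_template(self, name):
        for loader in self.loaders:
            try:
                return loader.get_template(name)
            except TemplateDoesNotExist:
                continue
        raise TemplateDoesNotExist(name)

    def render(self, name):
        text, children = self.get_template(name)
        return text + "".join(self.render(child) for child in children)


@dataclass
class Response:
    content: str
    headers: dict = field(default_factory=dict)


def template_xkey(name):
    """One tag per template name. hashlib wants bytes; non-ASCII names only
    ever come from bogus URLs that end in a 404, so replacing them is enough."""
    return "pgt_" + hashlib.sha256(name.encode("ascii", "replace")).hexdigest()[:16]


def pop_loaded_templates():
    names = getattr(_local, "templates", [])
    _local.templates = []
    return names


class XKeyMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        pop_loaded_templates()  # threads are reused: never inherit a previous request's names
        response = self.get_response(request)
        tags = {template_xkey(n) for n in pop_loaded_templates()}
        if response.headers.get("xkey"):
            tags.update(response.headers["xkey"].split())  # keep what the view set itself
        if tags:
            response.headers["xkey"] = " ".join(sorted(tags))
        return response


# Constructed sample templates: about.html extends base.html, which includes nav.html.
TEMPLATES = {
    "base.html": ("<html>", ["nav.html"]),
    "nav.html": ("<nav/>", []),
    "about.html": ("<p>about</p>", ["base.html"]),
}
engine = Engine([TrackingLoader(), DictLoader(TEMPLATES)])


def about_view(request):
    return Response(engine.render("about.html"), {"xkey": "about-page"})


def handle(view, request=None):
    return XKeyMiddleware(view)(request)
```

With one tag per template, a cache that understands xkey can purge every page that pulled in nav.html by purging `template_xkey("nav.html")`, no matter how deep in the extends/include chain it was loaded; the reset at the start of each request matters because a view that raises would otherwise leave its names behind for the next request served by the same thread.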
2018-06-29  Remove unused imports  (Magnus Hagander)

2017-11-29  Clean up whitespace in primary Python / HTML files  (Jonathan S. Katz)

    Clean up the whitespace in the primary Python / HTML files in order to make it easier to apply changes going forward.

2016-05-24  Remove SSL decorators and middleware  (Magnus Hagander)

    The site is now served regardless of SSL, and assumes that the webserver or web cache ensures that things are always SSL.

2016-05-24  Remove SSL optional tag  (Magnus Hagander)

2016-05-19  Remove workaround for django bug #15152.  (Magnus Hagander)

    This bug is fixed before django 1.8, so remove our workaround which should now be unnecessary.

2016-05-19  Remove workaround for persistent admin filters  (Magnus Hagander)

    Persistent admin filters are fixed in django 1.8

2014-06-03  Implement workaround for django bug #15152 for badly encoded URLs  (Magnus Hagander)

    Hopefully this will stop the system spamming us..

2014-01-02  Don't redirect dynamic CSS from https to http  (Magnus Hagander)

    This can break things (d'uh). Do this by introducing a new decorator, @ssl_optional. When this is present, no SSL redirection will happen, regardless of whether the access comes in over http or https. This decorator overrides @ssl_required, but for readability's sake, never use both at the same time.

2014-01-01  Clean up imports  (Magnus Hagander)

    Remove unused imports and some other completely unused code.

2013-01-30  Make filters in admin be sticky, according to:  (Magnus Hagander)

    http://code.djangoproject.com/ticket/3777

2012-11-11  Update @ssl_required decorator to play nice with other decorators  (Marti Raudsepp)

    The decorator now retains all attributes of the original view and adds a new 'view.ssl_required = True' attribute.

2010-06-09  Enforce redirection of /admin/ to https in the django code instead,  (Magnus Hagander)

    seems impossible to get it working properly in the webserver...

2009-09-16  Make https redirection work again.  (Magnus Hagander)

    Add a way to skip https redirection, so we can still run it locally, and mark a couple of forms as requiring https.

2009-09-14  A first very basic import.  (Magnus Hagander)

    Contains basic functionality, and an import of most of the static content from the old site. There is still plenty more to do...