This would already not work at a lower layer, but would typically
generate an internal server error exception instead of just an error
message.
Instead, put an explicit check in the middleware that's already
validating the query parameters and reject them with a 400 error.
from django.conf import settings
from django.http import QueryDict
+from django.core.exceptions import SuspiciousOperation
from pgweb.util.templateloader import initialize_template_collection, get_all_templates
for k in request.GET.keys():
if k not in allowed:
del result[k]
+ if "\0" in request.GET[k]:
+ raise SuspiciousOperation("NUL escapes not allowed in query parameters")
result.mutable = False
request.GET = result
else:
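Review bot: The new check on `request.GET[k]` only inspects the last value of a repeated parameter, so a NUL byte in an earlier value of a multi-valued key is not rejected and that value still reaches `result` when the key is allowed; checking every value with `if any("\0" in v for v in request.GET.getlist(k)):` closes that gap. The parameter name `k` is not checked either, and a NUL in a key presumably reaches the same lower layers the description mentions, so `if "\0" in k or any("\0" in v for v in request.GET.getlist(k)):` would cover both. The check also runs for keys that the preceding `if k not in allowed:` has just dropped from `result`, which is harmless but reads more clearly if the rejection comes first. The enclosing function starts outside the hunk.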