Fixed #32698 -- Moved HttpRequest.get_raw_uri() to ExceptionReporter._get_raw_insecure_uri().

This commit is contained in:
Hasan Ramezani 2021-04-29 14:35:11 +02:00 committed by Mariusz Felisiak
parent ca34db4650
commit 8bcb00858e
7 changed files with 33 additions and 26 deletions

View File

@ -180,17 +180,6 @@ class HttpRequest:
raise raise
return value return value
def get_raw_uri(self):
"""
Return an absolute URI from variables available in this request. Skip
allowed hosts protection, so may return insecure URI.
"""
return '{scheme}://{host}{path}'.format(
scheme=self.scheme,
host=self._get_raw_host(),
path=self.get_full_path(),
)
def build_absolute_uri(self, location=None): def build_absolute_uri(self, location=None):
""" """
Build an absolute URI from the location and the variables available in Build an absolute URI from the location and the variables available in

View File

@ -274,6 +274,17 @@ class ExceptionReporter:
self.template_does_not_exist = False self.template_does_not_exist = False
self.postmortem = None self.postmortem = None
def _get_raw_insecure_uri(self):
"""
Return an absolute URI from variables available in this request. Skip
allowed hosts protection, so may return insecure URI.
"""
return '{scheme}://{host}{path}'.format(
scheme=self.request.scheme,
host=self.request._get_raw_host(),
path=self.request.get_full_path(),
)
def get_traceback_data(self): def get_traceback_data(self):
"""Return a dictionary containing traceback information.""" """Return a dictionary containing traceback information."""
if self.exc_type and issubclass(self.exc_type, TemplateDoesNotExist): if self.exc_type and issubclass(self.exc_type, TemplateDoesNotExist):
@ -337,6 +348,8 @@ class ExceptionReporter:
c['request_GET_items'] = self.request.GET.items() c['request_GET_items'] = self.request.GET.items()
c['request_FILES_items'] = self.request.FILES.items() c['request_FILES_items'] = self.request.FILES.items()
c['request_COOKIES_items'] = self.request.COOKIES.items() c['request_COOKIES_items'] = self.request.COOKIES.items()
c['request_insecure_uri'] = self._get_raw_insecure_uri()
# Check whether exception info is available # Check whether exception info is available
if self.exc_type: if self.exc_type:
c['exception_type'] = self.exc_type.__name__ c['exception_type'] = self.exc_type.__name__

View File

@ -108,7 +108,7 @@
</tr> </tr>
<tr> <tr>
<th>Request URL:</th> <th>Request URL:</th>
<td>{{ request.get_raw_uri }}</td> <td>{{ request_insecure_uri }}</td>
</tr> </tr>
{% endif %} {% endif %}
<tr> <tr>
@ -289,7 +289,7 @@ Environment:
{% if request %} {% if request %}
Request Method: {{ request.META.REQUEST_METHOD }} Request Method: {{ request.META.REQUEST_METHOD }}
Request URL: {{ request.get_raw_uri }} Request URL: {{ request_insecure_uri }}
{% endif %} {% endif %}
Django Version: {{ django_version_info }} Django Version: {{ django_version_info }}
Python Version: {{ sys_version_info }} Python Version: {{ sys_version_info }}

View File

@ -2,7 +2,7 @@
{% firstof exception_value 'No exception message supplied' %} {% firstof exception_value 'No exception message supplied' %}
{% if request %} {% if request %}
Request Method: {{ request.META.REQUEST_METHOD }} Request Method: {{ request.META.REQUEST_METHOD }}
Request URL: {{ request.get_raw_uri }}{% endif %} Request URL: {{ request_insecure_uri }}{% endif %}
Django Version: {{ django_version_info }} Django Version: {{ django_version_info }}
Python Executable: {{ sys_executable }} Python Executable: {{ sys_executable }}
Python Version: {{ sys_version_info }} Python Version: {{ sys_version_info }}

View File

@ -399,6 +399,9 @@ Miscellaneous
* The undocumented ``django.contrib.admin.utils.lookup_needs_distinct()`` * The undocumented ``django.contrib.admin.utils.lookup_needs_distinct()``
function is renamed to ``lookup_spawns_duplicates()``. function is renamed to ``lookup_spawns_duplicates()``.
* The undocumented ``HttpRequest.get_raw_uri()`` method is removed. The
:meth:`.HttpRequest.build_absolute_uri` method may be a suitable alternative.
.. _deprecated-features-4.0: .. _deprecated-features-4.0:
Features deprecated in 4.0 Features deprecated in 4.0

View File

@ -558,18 +558,6 @@ class RequestsTests(SimpleTestCase):
with self.assertRaises(UnreadablePostError): with self.assertRaises(UnreadablePostError):
request.FILES request.FILES
@override_settings(ALLOWED_HOSTS=['example.com'])
def test_get_raw_uri(self):
factory = RequestFactory(HTTP_HOST='evil.com')
request = factory.get('////absolute-uri')
self.assertEqual(request.get_raw_uri(), 'http://evil.com//absolute-uri')
request = factory.get('/?foo=bar')
self.assertEqual(request.get_raw_uri(), 'http://evil.com/?foo=bar')
request = factory.get('/path/with:colons')
self.assertEqual(request.get_raw_uri(), 'http://evil.com/path/with:colons')
class HostValidationTests(SimpleTestCase): class HostValidationTests(SimpleTestCase):
poisoned_hosts = [ poisoned_hosts = [

View File

@ -942,6 +942,20 @@ class ExceptionReporterTests(SimpleTestCase):
reporter.get_traceback_text() reporter.get_traceback_text()
m.assert_called_once_with(encoding='utf-8') m.assert_called_once_with(encoding='utf-8')
@override_settings(ALLOWED_HOSTS=['example.com'])
def test_get_raw_insecure_uri(self):
factory = RequestFactory(HTTP_HOST='evil.com')
tests = [
('////absolute-uri', 'http://evil.com//absolute-uri'),
('/?foo=bar', 'http://evil.com/?foo=bar'),
('/path/with:colons', 'http://evil.com/path/with:colons'),
]
for url, expected in tests:
with self.subTest(url=url):
request = factory.get(url)
reporter = ExceptionReporter(request, None, None, None)
self.assertEqual(reporter._get_raw_insecure_uri(), expected)
class PlainTextReportTests(SimpleTestCase): class PlainTextReportTests(SimpleTestCase):
rf = RequestFactory() rf = RequestFactory()