Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response

This commit is contained in:
sujayskumar 2015-06-24 15:41:43 +05:30 committed by Tim Graham
parent a50b66da30
commit 2e70bf3785
3 changed files with 11 additions and 10 deletions


@ -5,6 +5,7 @@ import re
from django import http from django import http
from django.conf import settings from django.conf import settings
from django.core import urlresolvers from django.core import urlresolvers
from django.core.exceptions import PermissionDenied
from django.core.mail import mail_managers from django.core.mail import mail_managers
from django.utils.encoding import force_text from django.utils.encoding import force_text
@ -47,13 +48,7 @@ class CommonMiddleware(object):
if 'HTTP_USER_AGENT' in request.META: if 'HTTP_USER_AGENT' in request.META:
for user_agent_regex in settings.DISALLOWED_USER_AGENTS: for user_agent_regex in settings.DISALLOWED_USER_AGENTS:
if user_agent_regex.search(request.META['HTTP_USER_AGENT']): if user_agent_regex.search(request.META['HTTP_USER_AGENT']):
logger.warning('Forbidden (User agent): %s', request.path, raise PermissionDenied('Forbidden user agent')
extra={
'status_code': 403,
'request': request
}
)
return http.HttpResponseForbidden('<h1>Forbidden</h1>')
# Check for a redirect based on settings.APPEND_SLASH # Check for a redirect based on settings.APPEND_SLASH
# and settings.PREPEND_WWW # and settings.PREPEND_WWW
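Review bot: The new `raise PermissionDenied('Forbidden user agent')` drops the `logger.warning('Forbidden (User agent): %s', ...)` call the removed lines emitted, so the django.request log no longer records that a 403 was caused by a blocked user agent (whatever logging the generic PermissionDenied handling does presumably cannot name the reason, and the test change in this commit stops asserting the message). Operators who key alerts on this log line lose the signal. Consider keeping the warning before the raise, e.g. `logger.warning('Forbidden (User agent): %s', request.path, extra={'status_code': 403, 'request': request})`, or at least stating in a comment on the raise that logging is now delegated to the exception handler. The enclosing process_request method starts outside the hunk, so whether `http` is still used elsewhere in the file cannot be checked here.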


@ -452,6 +452,12 @@ Requests and Responses
<django.http.HttpRequest.urlconf>` to ``None`` to revert any changes made <django.http.HttpRequest.urlconf>` to ``None`` to revert any changes made
by previous middleware and return to using the :setting:`ROOT_URLCONF`. by previous middleware and return to using the :setting:`ROOT_URLCONF`.
* The :setting:`DISALLOWED_USER_AGENTS` check in
:class:`~django.middleware.common.CommonMiddleware` now raises a
:class:`~django.core.exceptions.PermissionDenied` exception as opposed to
returning an :class:`~django.http.HttpResponseForbidden` so that
:data:`~django.conf.urls.handler403` is invoked.
Tests Tests
^^^^^ ^^^^^


@ -9,6 +9,7 @@ from unittest import skipIf
from django.conf import settings from django.conf import settings
from django.core import mail from django.core import mail
from django.core.exceptions import PermissionDenied
from django.http import ( from django.http import (
FileResponse, HttpRequest, HttpResponse, HttpResponsePermanentRedirect, FileResponse, HttpRequest, HttpResponse, HttpResponsePermanentRedirect,
HttpResponseRedirect, StreamingHttpResponse, HttpResponseRedirect, StreamingHttpResponse,
@ -256,9 +257,8 @@ class CommonMiddlewareTest(SimpleTestCase):
with patch_logger('django.request', 'warning') as log_messages: with patch_logger('django.request', 'warning') as log_messages:
request = self.rf.get('/slash') request = self.rf.get('/slash')
request.META['HTTP_USER_AGENT'] = 'foo' request.META['HTTP_USER_AGENT'] = 'foo'
r = CommonMiddleware().process_request(request) with self.assertRaisesMessage(PermissionDenied, 'Forbidden user agent'):
self.assertEqual(r.status_code, 403) CommonMiddleware().process_request(request)
self.assertEqual(log_messages, ['Forbidden (User agent): /slash'])
def test_non_ascii_query_string_does_not_crash(self): def test_non_ascii_query_string_does_not_crash(self):
"""Regression test for #15152""" """Regression test for #15152"""
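Review bot: In the second hunk the `with patch_logger('django.request', 'warning') as log_messages:` wrapper on the hunk's first line is left in place, but the only assertion on `log_messages` was removed, so the captured messages are never checked. Either drop the wrapper so the test does not suggest logging is still verified, or keep it and assert the expected contents of `log_messages` explicitly after the `assertRaisesMessage` block. The enclosing test method starts outside the hunk.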