Fixed #25017 -- Allowed customizing the DISALLOWED_USER_AGENTS response

sujayskumar 2015-06-24 15:41:43 +05:30 committed by Tim Graham
parent a50b66da30
commit 2e70bf3785
3 changed files with 11 additions and 10 deletions


@ -5,6 +5,7 @@ import re
from django import http
from django.conf import settings
from django.core import urlresolvers
from django.core.exceptions import PermissionDenied
from django.core.mail import mail_managers
from django.utils.encoding import force_text
@ -47,13 +48,7 @@ class CommonMiddleware(object):
if 'HTTP_USER_AGENT' in request.META:
for user_agent_regex in settings.DISALLOWED_USER_AGENTS:
if user_agent_regex.search(request.META['HTTP_USER_AGENT']):
logger.warning('Forbidden (User agent): %s', request.path,
extra={
'status_code': 403,
'request': request
}
)
return http.HttpResponseForbidden('<h1>Forbidden</h1>')
raise PermissionDenied('Forbidden user agent')
# Check for a redirect based on settings.APPEND_SLASH
# and settings.PREPEND_WWW
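Review bot: The new `raise PermissionDenied('Forbidden user agent')` replaces the only log record that identified a user-agent block, the removed `logger.warning('Forbidden (User agent): %s', request.path, ...)` call with its `status_code` and `request` extras. Any logging now depends on whatever catches PermissionDenied further up the stack, which is not visible in this hunk and presumably emits a generic permission-denied message. Log filters or alerts keyed on the old 'Forbidden (User agent)' text would then stop matching, and a blocked crawler becomes indistinguishable from any other 403. If that distinction matters to operators, keep a `logger.warning('Forbidden (User agent): %s', request.path, extra={'status_code': 403, 'request': request})` before the raise, or state the changed log message in the release note. The body of process_request starts and continues outside this hunk.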


@ -452,6 +452,12 @@ Requests and Responses
<django.http.HttpRequest.urlconf>` to ``None`` to revert any changes made
by previous middleware and return to using the :setting:`ROOT_URLCONF`.
* The :setting:`DISALLOWED_USER_AGENTS` check in
:class:`~django.middleware.common.CommonMiddleware` now raises a
:class:`~django.core.exceptions.PermissionDenied` exception as opposed to
returning an :class:`~django.http.HttpResponseForbidden` so that
:data:`~django.conf.urls.handler403` is invoked.
Tests
^^^^^


@ -9,6 +9,7 @@ from unittest import skipIf
from django.conf import settings
from django.core import mail
from django.core.exceptions import PermissionDenied
from django.http import (
FileResponse, HttpRequest, HttpResponse, HttpResponsePermanentRedirect,
HttpResponseRedirect, StreamingHttpResponse,
@ -256,9 +257,8 @@ class CommonMiddlewareTest(SimpleTestCase):
with patch_logger('django.request', 'warning') as log_messages:
request = self.rf.get('/slash')
request.META['HTTP_USER_AGENT'] = 'foo'
r = CommonMiddleware().process_request(request)
self.assertEqual(r.status_code, 403)
self.assertEqual(log_messages, ['Forbidden (User agent): /slash'])
with self.assertRaisesMessage(PermissionDenied, 'Forbidden user agent'):
CommonMiddleware().process_request(request)
def test_non_ascii_query_string_does_not_crash(self):
"""Regression test for #15152"""
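Review bot: The context line `with patch_logger('django.request', 'warning') as log_messages:` is kept, but nothing asserts on `log_messages` once the `assertEqual(log_messages, ...)` line is removed, so the wrapper is now dead code. The test also no longer pins whether a blocked user agent produces any log record. Either drop the `patch_logger` wrapper, or, if a warning is still expected for this case, assert on it after the `assertRaisesMessage` block. Indentation is lost on this page, so the nesting of the new `with self.assertRaisesMessage(...)` inside the logger patch is inferred from the hunk's line counts, and the test method's header is outside the hunk.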