import structlog
from django.http import HttpResponse
# Module-level structlog logger, named after this module.
log = structlog.get_logger(__name__)
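class NullCharactersMiddleware:
    """
    Block all requests that contain NULL characters (0x00) in their GET values.

    Requests containing NULL characters make our code break. In particular,
    trying to save content containing a NULL character into the database
    produces a 500 and creates an event in Sentry.

    NULL characters are also used as an exploitation technique, known as
    "Null Byte Injection".

    Only the values in ``request.GET`` are inspected. Parameter names, the
    request body, the path and the headers are not checked by this middleware.
    """

    def __init__(self, get_response):
        """Store the next callable in the middleware chain."""
        self.get_response = get_response

    def __call__(self, request):
        """
        Reject the request with a 400 if any GET value contains 0x00.

        Returns the 400 ``HttpResponse`` on the first offending value,
        otherwise whatever ``self.get_response(request)`` returns.
        """
        # ``QueryDict.items()`` yields only the last value of a repeated
        # parameter, so a NULL in an earlier occurrence would go unchecked
        # while still being reachable through ``getlist()``. ``lists()``
        # exposes every value of every parameter.
        for key, values in request.GET.lists():
            for value in values:
                if "\x00" in value:
                    # NOTE(review): the raw value and the full URL are
                    # request-controlled and are logged verbatim; confirm the
                    # log sink tolerates control characters and that query
                    # strings are acceptable to retain.
                    log.info(
                        "NULL (0x00) characters in GET attributes.",
                        attribute=key,
                        value=value,
                        url=request.build_absolute_uri(),
                    )
                    return HttpResponse(
                        "There are NULL (0x00) characters in at least one of the parameters passed to the request.",
                        status=400,
                    )
        return self.get_response(request)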