From bcdac413bee35e39715d1acde09e6e5f894d97ae Mon Sep 17 00:00:00 2001
From: Yohan Boniface
Date: Mon, 28 Aug 2023 17:57:44 +0200
Subject: [PATCH] ajax proxy: quote URL before passing it to Nginx

---
 umap/tests/test_views.py | 9 ++++++---
 umap/views.py            | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/umap/tests/test_views.py b/umap/tests/test_views.py
index 94ae80f4..780cf5ad 100644
--- a/umap/tests/test_views.py
+++ b/umap/tests/test_views.py
@@ -127,9 +127,9 @@ def test_invalid_proxy_url_should_return_400(client):
 
 
 def test_valid_proxy_request_with_x_accel_redirect(client, settings):
-    settings.UMAP_XSENDFILE_HEADER = 'X-Accel-Redirect'
+    settings.UMAP_XSENDFILE_HEADER = "X-Accel-Redirect"
     url = reverse("ajax-proxy")
-    params = {"url": "http://example.org", "ttl": 300}
+    params = {"url": "http://example.org?foo=bar&bar=foo", "ttl": 300}
     headers = {
         "HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
         "HTTP_REFERER": settings.SITE_URL,
@@ -137,7 +137,10 @@ def test_valid_proxy_request_with_x_accel_redirect(client, settings):
     response = client.get(url, params, **headers)
     assert response.status_code == 200
     assert "X-Accel-Redirect" in response.headers
-    assert response["X-Accel-Redirect"] == "/proxy/http://example.org"
+    assert (
+        response["X-Accel-Redirect"]
+        == "/proxy/http%3A//example.org%3Ffoo%3Dbar%26bar%3Dfoo"
+    )
     assert "X-Accel-Expires" in response.headers
     assert response["X-Accel-Expires"] == "300"
 
diff --git a/umap/views.py b/umap/views.py
index b44cd2f4..d8935957 100644
--- a/umap/views.py
+++ b/umap/views.py
@@ -7,6 +7,7 @@ from datetime import date, timedelta
 from http.client import InvalidURL
 from pathlib import Path
 from urllib.error import URLError
+from urllib.parse import quote
 
 from django.conf import settings
 from django.contrib import messages
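Review bot: The new expected value in test_valid_proxy_request_with_x_accel_redirect pins how quote() treats `:`, `?`, `=` and `&`, but not how it treats a target URL that is already percent-encoded, where quote() turns `%` into `%25` (e.g. `http://example.org/a%20b` becomes `/proxy/http%3A//example.org/a%2520b`). Whether that double encoding is what the proxying side expects cannot be seen from this patch, so one extra case with a pre-encoded URL, `params = {"url": "http://example.org/a%20b", "ttl": 300}` asserting the `%2520` form, would document the contract the redirect header now relies on. The non-X-Accel-Redirect path, which keeps passing the raw url to Request(), is not exercised by this test either.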
@@ -346,7 +347,6 @@ def validate_url(request):
 
 class AjaxProxy(View):
     def get(self, *args, **kwargs):
-        # You should not use this in production (use Nginx or so)
         try:
             url = validate_url(self.request)
         except AssertionError:
@@ -357,11 +357,12 @@ class AjaxProxy(View):
             ttl = None
         if getattr(settings, "UMAP_XSENDFILE_HEADER", None):
             response = HttpResponse()
-            response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{url}"
+            response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{quote(url)}"
             if ttl:
                 response["X-Accel-Expires"] = ttl
             return response
 
+        # You should not use this in production (use Nginx or so)
         headers = {"User-Agent": "uMapProxy +http://wiki.openstreetmap.org/wiki/UMap"}
         request = Request(url, headers=headers)
         opener = build_opener()
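Review bot: The `f"/proxy/{quote(url)}"` line in the second hunk of AjaxProxy.get carries a non-obvious encoding decision with no comment: quote() is called with its default safe set, so `/` is kept while `:`, `?`, `=`, `&` and `%` are percent-encoded, and a target URL that already contains percent escapes is encoded a second time. I would add above it `# quote() keeps "/" but encodes ":?&=%" so the whole target URL, query included, is carried as a single redirect path; presumably the proxy location decodes it exactly once — confirm against the Nginx config`. The header value also inherits whatever validate_url allows, and that function's body is outside this hunk, so the scheme/host restrictions the redirect depends on cannot be checked here. AjaxProxy.get continues past the end of the hunk.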