ajax proxy: quote URL before passing it to Nginx

This commit is contained in:
Yohan Boniface 2023-08-28 17:57:44 +02:00
parent 8c9ee91b42
commit bcdac413be
2 changed files with 9 additions and 5 deletions


@ -127,9 +127,9 @@ def test_invalid_proxy_url_should_return_400(client):
def test_valid_proxy_request_with_x_accel_redirect(client, settings): def test_valid_proxy_request_with_x_accel_redirect(client, settings):
settings.UMAP_XSENDFILE_HEADER = 'X-Accel-Redirect' settings.UMAP_XSENDFILE_HEADER = "X-Accel-Redirect"
url = reverse("ajax-proxy") url = reverse("ajax-proxy")
params = {"url": "http://example.org", "ttl": 300} params = {"url": "http://example.org?foo=bar&bar=foo", "ttl": 300}
headers = { headers = {
"HTTP_X_REQUESTED_WITH": "XMLHttpRequest", "HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
"HTTP_REFERER": settings.SITE_URL, "HTTP_REFERER": settings.SITE_URL,
@ -137,7 +137,10 @@ def test_valid_proxy_request_with_x_accel_redirect(client, settings):
response = client.get(url, params, **headers) response = client.get(url, params, **headers)
assert response.status_code == 200 assert response.status_code == 200
assert "X-Accel-Redirect" in response.headers assert "X-Accel-Redirect" in response.headers
assert response["X-Accel-Redirect"] == "/proxy/http://example.org" assert (
response["X-Accel-Redirect"]
== "/proxy/http%3A//example.org%3Ffoo%3Dbar%26bar%3Dfoo"
)
assert "X-Accel-Expires" in response.headers assert "X-Accel-Expires" in response.headers
assert response["X-Accel-Expires"] == "300" assert response["X-Accel-Expires"] == "300"
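Review bot: The new multi-line assertion on the encoded redirect pins only the query-string case, so it does not show what the proxy does to an upstream URL that is already percent-encoded: `quote()` with its default `safe="/"` re-encodes `%` as `%25` and leaves `/` untouched, so a path such as `/a%20b` arrives in the header as `/a%2520b`. Whether Nginx decodes that back exactly once before issuing the upstream request depends on the `location /proxy/` configuration, which this test cannot see, so a second case would at least document the contract the Nginx side must honour. Assuming `validate_url` accepts such a URL, parametrizing `params["url"]` over `"http://example.org?foo=bar&bar=foo"` and `"http://example.org/a%20b"` with expected headers `"/proxy/http%3A//example.org%3Ffoo%3Dbar%26bar%3Dfoo"` and `"/proxy/http%3A//example.org/a%2520b"` would cover it. The enclosing test function starts in the previous hunk, outside this one.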


@ -7,6 +7,7 @@ from datetime import date, timedelta
from http.client import InvalidURL from http.client import InvalidURL
from pathlib import Path from pathlib import Path
from urllib.error import URLError from urllib.error import URLError
from urllib.parse import quote
from django.conf import settings from django.conf import settings
from django.contrib import messages from django.contrib import messages
@ -346,7 +347,6 @@ def validate_url(request):
class AjaxProxy(View): class AjaxProxy(View):
def get(self, *args, **kwargs): def get(self, *args, **kwargs):
# You should not use this in production (use Nginx or so)
try: try:
url = validate_url(self.request) url = validate_url(self.request)
except AssertionError: except AssertionError:
@ -357,11 +357,12 @@ class AjaxProxy(View):
ttl = None ttl = None
if getattr(settings, "UMAP_XSENDFILE_HEADER", None): if getattr(settings, "UMAP_XSENDFILE_HEADER", None):
response = HttpResponse() response = HttpResponse()
response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{url}" response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{quote(url)}"
if ttl: if ttl:
response["X-Accel-Expires"] = ttl response["X-Accel-Expires"] = ttl
return response return response
# You should not use this in production (use Nginx or so)
headers = {"User-Agent": "uMapProxy +http://wiki.openstreetmap.org/wiki/UMap"} headers = {"User-Agent": "uMapProxy +http://wiki.openstreetmap.org/wiki/UMap"}
request = Request(url, headers=headers) request = Request(url, headers=headers)
opener = build_opener() opener = build_opener()