#25017 closed Cleanup/optimization (fixed)
settings.DISALLOWED_USER_AGENTS should raise PermissionDenied
Reported by: | François Schiettecatte | Owned by: | Sujay S Kumar |
---|---|---|---|
Component: | Core (Other) | Version: | 1.8 |
Severity: | Normal | Keywords: | DISALLOWED_USER_AGENTS, PermissionDenied |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
The check against settings.DISALLOWED_USER_AGENTS should throw a PermissionDenied exception as opposed to returning an HttpResponseForbidden() so that handler403 is invoked.
Code touched would be:
https://github.com/django/django/blob/master/django/middleware/common.py#L10
```python
from django.core.exceptions import PermissionDenied
```
https://github.com/django/django/blob/master/django/middleware/common.py#L47-56
```python
if 'HTTP_USER_AGENT' in request.META:
    for user_agent_regex in settings.DISALLOWED_USER_AGENTS:
        if user_agent_regex.search(request.META['HTTP_USER_AGENT']):
            logger.warning('Forbidden (User agent): %s', request.path,
                extra={
                    'status_code': 403,
                    'request': request
                }
            )
            # Raise instead of returning HttpResponseForbidden() so that
            # handler403 is invoked.
            raise PermissionDenied
```
https://github.com/django/django/blob/master/tests/middleware/tests.py#L254-261
```python
@override_settings(DISALLOWED_USER_AGENTS=[re.compile(r'foo')])
def test_disallowed_user_agents(self):
    with patch_logger('django.request', 'warning') as log_messages:
        request = self.rf.get('/slash')
        request.META['HTTP_USER_AGENT'] = 'foo'
        # assertRaises takes the exception class as its first argument;
        # "self" is already bound and must not be passed again.
        with self.assertRaises(PermissionDenied):
            CommonMiddleware().process_request(request)
        self.assertEqual(log_messages, ['Forbidden (User agent): /slash'])
```
Change History (8)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 10 years ago
Has patch: | set |
---|---|
Needs tests: | set |
comment:5 by , 10 years ago
Needs tests: | unset |
---|---|
Summary: | settings.DISALLOWED_USER_AGENTS should throw PermissionDenied exception → settings.DISALLOWED_USER_AGENTS should raise PermissionDenied |
Triage Stage: | Unreviewed → Accepted |
comment:6 by , 9 years ago
Patch needs improvement: | set |
---|
Could you submit a pull request?