fix problem with spaces in request.path

peterbe · peterbe · commit b8ce98b60b9f · 2019-01-04T09:46:33.000-05:00
diff --git a/peterbecom/base/fscache.py b/peterbecom/base/fscache.py
@@ -131,6 +131,15 @@ def cache_request(request, response):
         # XXX TODO: Support JSON and xml
         "text/html" in response["Content-Type"]
     ):
+        # When you have url patterns like `/foo/(?P<oid>.*)` you can get requests
+        # that match but if the URL is something like
+        # "/foo/myslug%0Anextline" which translates to `/foo/myslug\nnextline`.
+        # The Django view will match just fine but the request.path will have a
+        # `\s` character in it.
+        # If that's the case we don't want to cache this request.
+        if "\n" in request.path or "\t" in request.path:
+            return False
+
         # let's iterate through some exceptions
         not_starts = (
             "/plog/edit/",
diff --git a/peterbecom/base/test_fscache.py b/peterbecom/base/test_fscache.py
@@ -50,3 +50,8 @@ def test_cache_request():
     request._fscache_disable = True
     response = http.HttpResponse()
     assert not fscache.cache_request(request, response)
+
+    request = RequestFactory().get("/\nsomething")
+    request.user = AnonymousUser()
+    response = http.HttpResponse()
+    assert not fscache.cache_request(request, response)
diff --git a/peterbecom/plog/tests.py b/peterbecom/plog/tests.py
@@ -188,3 +188,9 @@ def test_blog_post_ping(self):
 
         hit, = BlogItemHit.objects.all()
         assert hit.blogitem == blog
+
+    def test_blog_post_with_newline_request_path(self):
+        url = reverse("blog_post", args=["myoid"])
+        url += "\nOtherstuff"
+        response = self.client.get(url)
+        assert response.status_code == 302
diff --git a/peterbecom/plog/views.py b/peterbecom/plog/views.py
@@ -134,6 +134,8 @@ def _blog_post_key_prefixer(request):
 @cache_control(public=True, max_age=settings.DEBUG and ONE_HOUR or ONE_WEEK)
 @cache_page(settings.DEBUG and ONE_HOUR or ONE_WEEK, _blog_post_key_prefixer)
 def blog_post(request, oid):
+    if '\n' in request.path:
+        return redirect(reverse('blog_post', args=[oid]))
     if request.path.endswith("/ping"):
         # Sometimes this can happen when the URL parsing by Django
         # isn't working out.
