python - Django URL arg cannot contain NUL (0x00) characters
Problem description
I am currently testing our website for security vulnerabilities, and my own security background is very limited.
When running the following request:
http://127.0.0.1:8000/stuff/?template=%2Fe%00
I see this error (full stack trace below):
Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.
This looks like a problem with validating URL args, and the 0x00 (null) character should not be allowed. I'm fairly sure that in Google's Gruyere I saw that some characters should be escaped, but escaping null seems strange.
I could of course try/except line 92 of /code/stuff/views.py, but this will no doubt pop up elsewhere.
My questions are:
- In Django, what is the best practice for avoiding XSS attacks via the URL?
- Is this already handled somewhere (I can't see it in the parser)?
- Should this be handled entirely somewhere else?
Stack trace:
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
34. response = get_response(request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
115. response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
113. response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in view
71. return self.dispatch(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in dispatch
97. return handler(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get
157. context = self.get_context_data()
File "/code/stuff/views.py" in get_context_data
92. context = super(StuffListView, self).get_context_data(**kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get_context_data
119. paginator, page, queryset, is_paginated = self.paginate_queryset(queryset, page_size)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in paginate_queryset
69. page = paginator.page(page_number)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in page
70. number = self.validate_number(number)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in validate_number
48. if number > self.num_pages:
File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
80. res = instance.__dict__[self.name] = self.func(instance)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in num_pages
97. if self.count == 0 and not self.allow_empty_first_page:
File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
80. res = instance.__dict__[self.name] = self.func(instance)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in count
91. return c()
File "/usr/local/lib/python3.6/site-packages/django/db/models/query.py" in count
392. return self.query.get_count(using=self.db)
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_count
504. number = obj.get_aggregation(using, ['__count'])['__count']
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_aggregation
489. result = compiler.execute_sql(SINGLE)
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/compiler.py" in execute_sql
1100. cursor.execute(sql, params)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
99. return super().execute(sql, params)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
67. return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute_with_wrappers
76. return executor(sql, params, many, context)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute
84. return self.cursor.execute(sql, params)
Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.
Solution
According to the traceback, the problem is not that the URL argument cannot contain %00, but that when it is passed through the Paginator to the database you are using, the database driver is complaining about it.
From the error, you are probably using Postgres. (See this related question: Django + Postgres: A string literal cannot contain NUL (0x00) characters)
If you want, you can set up a middleware to reject any and all requests containing %00.
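One way to implement the middleware suggested in the answer, as an added example that is not part of the original post. It assumes a Django project where RejectNulMiddleware is listed in MIDDLEWARE; the helper functions are plain Python and work without Django installed. The check runs on the percent-decoded data, because %00 decodes to a NUL byte while the double-encoded %2500 decodes to the harmless literal text "%00".

```python
"""Reject requests whose decoded path or query string carries a NUL byte.

Added example (not from the original post). Assumes a Django project with
RejectNulMiddleware in MIDDLEWARE. Stops the NUL before it reaches the ORM,
where psycopg2/Postgres would otherwise raise the ValueError shown above.
"""
from urllib.parse import parse_qsl

NUL = "\x00"


def nul_params(query_string: str) -> list:
    """Return names of query parameters whose decoded name or value
    contains NUL. Input is the raw (still percent-encoded) query string,
    as found in request.META['QUERY_STRING']."""
    return [
        name
        for name, value in parse_qsl(query_string, keep_blank_values=True)
        if NUL in name or NUL in value
    ]


def request_has_nul(path: str, query_string: str) -> bool:
    """True when the path or any query parameter carries NUL.
    `path` is expected already decoded (as request.path is under WSGI);
    `query_string` is the raw encoded form."""
    return NUL in path or bool(nul_params(query_string))


class RejectNulMiddleware:
    """New-style (callable) Django middleware: answers 400 before the view
    runs, so the NUL never reaches the database driver."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if request_has_nul(request.path, request.META.get("QUERY_STRING", "")):
            # Imported here so the helper functions stay usable without Django.
            from django.http import HttpResponseBadRequest
            return HttpResponseBadRequest("NUL (0x00) is not allowed in the URL")
        return self.get_response(request)
```

A 400 for the request in the question is also a useful signal to log, since a NUL in a query parameter is almost always a scanner or a deliberate probe rather than a real user.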