diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 253f335a3..0401a1477 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -3,7 +3,8 @@ from urllib.parse import urlsplit
 import pytz
 from django.conf import settings
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest, HttpResponse, Http404
+from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix
 from django.utils import timezone, translation
 from django.utils.cache import patch_vary_headers
@@ -252,3 +253,15 @@ class SecurityMiddleware(MiddlewareMixin):
 del resp['Content-Security-Policy']
 return resp
+
+
+class CustomCommonMiddleware(CommonMiddleware):
+
+ def get_full_path_with_slash(self, request):
+ """
+ Raise an error regardless of DEBUG mode when in POST, PUT, or PATCH.
+ """
+ new_path = super().get_full_path_with_slash(request)
+ if request.method in ('POST', 'PUT', 'PATCH'):
+ raise Http404('Please append a / at the end of the URL')
+ return new_path
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index dea8de0a5..69a3d5c2e 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -351,7 +351,7 @@ CORE_MODULES = {
 MIDDLEWARE = [
 'pretix.api.middleware.IdempotencyMiddleware',
 'pretix.multidomain.middlewares.MultiDomainMiddleware',
- 'django.middleware.common.CommonMiddleware',
+ 'pretix.base.middleware.CustomCommonMiddleware',
 'pretix.multidomain.middlewares.SessionMiddleware',
 'pretix.multidomain.middlewares.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -375,7 +375,7 @@ except ImportError:
 if METRICS_ENABLED:
- MIDDLEWARE.insert(MIDDLEWARE.index('django.middleware.common.CommonMiddleware') + 1,
+ MIDDLEWARE.insert(MIDDLEWARE.index('pretix.base.middleware.CustomCommonMiddleware') + 1,
 'pretix.helpers.metrics.middleware.MetricsMiddleware')
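Review bot: In `CustomCommonMiddleware.get_full_path_with_slash` (src/pretix/base/middleware.py, second hunk) the method check runs only after `super().get_full_path_with_slash(request)`, and Django's `CommonMiddleware` already raises `RuntimeError` at that point for POST, PUT and PATCH when `settings.DEBUG` is true, so with DEBUG on the request still ends in a 500 rather than the 404 the docstring promises "regardless of DEBUG mode". Putting the check ahead of the parent call makes both modes behave the same: `if request.method in ('POST', 'PUT', 'PATCH'): raise Http404('Please append a / at the end of the URL')` followed by `return super().get_full_path_with_slash(request)`. The tuple mirrors Django's own list, so a DELETE to a slash-less URL is presumably still redirected; it is worth confirming that this is intended for the API, since redirect handling for non-GET methods differs between clients. A test that POSTs to a URL without the trailing slash and asserts a 404 with no `Location` header would pin the behaviour.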