From b841878dcb332b0566b8a6ed3878b031bc1e1174 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Fri, 30 Oct 2020 14:40:55 +0100
Subject: [PATCH] Ensure to return a 404 if an appending slash is missing
---
 src/pretix/base/middleware.py | 15 ++++++++++++++-
 src/pretix/settings.py | 4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 253f335a33..0401a1477e 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -3,7 +3,8 @@ from urllib.parse import urlsplit
 import pytz
 from django.conf import settings
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest, HttpResponse, Http404
+from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix
 from django.utils import timezone, translation
 from django.utils.cache import patch_vary_headers
@@ -252,3 +253,15 @@ class SecurityMiddleware(MiddlewareMixin):
 del resp['Content-Security-Policy']
 return resp
+
+
+class CustomCommonMiddleware(CommonMiddleware):
+
+ def get_full_path_with_slash(self, request):
+ """
+ Raise an error regardless of DEBUG mode when in POST, PUT, or PATCH.
+ """
+ new_path = super().get_full_path_with_slash(request)
+ if request.method in ('POST', 'PUT', 'PATCH'):
+ raise Http404('Please append a / at the end of the URL')
+ return new_path
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index dea8de0a53..69a3d5c2ee 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -351,7 +351,7 @@ CORE_MODULES = {
 MIDDLEWARE = [
 'pretix.api.middleware.IdempotencyMiddleware',
 'pretix.multidomain.middlewares.MultiDomainMiddleware',
- 'django.middleware.common.CommonMiddleware',
+ 'pretix.base.middleware.CustomCommonMiddleware',
 'pretix.multidomain.middlewares.SessionMiddleware',
 'pretix.multidomain.middlewares.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
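Review bot: In `CustomCommonMiddleware.get_full_path_with_slash` (src/pretix/base/middleware.py) the method check runs only after `super().get_full_path_with_slash(request)` has returned, and Django's base method, as far as I recall, itself raises `RuntimeError` for POST, PUT and PATCH when `DEBUG` is on. A development instance would then still answer with a server error while production answers 404, so the two modes are not aligned the way the docstring suggests. Putting the `if request.method in ('POST', 'PUT', 'PATCH'):` guard before the `super()` call gives the same response in both. The docstring would be more exact as `Raise Http404 instead of redirecting when the method is POST, PUT, or PATCH, independent of DEBUG.` The import hunk above would also read in sorted order as `from django.http import Http404, HttpRequest, HttpResponse`.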
@@ -375,7 +375,7 @@ except ImportError:
 if METRICS_ENABLED:
- MIDDLEWARE.insert(MIDDLEWARE.index('django.middleware.common.CommonMiddleware') + 1,
+ MIDDLEWARE.insert(MIDDLEWARE.index('pretix.base.middleware.CustomCommonMiddleware') + 1,
 'pretix.helpers.metrics.middleware.MetricsMiddleware')
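Review bot: The dotted path `'pretix.base.middleware.CustomCommonMiddleware'` is now spelled out both in the `MIDDLEWARE` list and in this `MIDDLEWARE.index(...)` lookup, and with `METRICS_ENABLED` set `list.index` raises `ValueError` while settings load if the two ever differ. Binding the path to one name and using it in both places removes that coupling, e.g. `COMMON_MIDDLEWARE = 'pretix.base.middleware.CustomCommonMiddleware'` above the list. A short comment such as `# MetricsMiddleware is inserted directly after the common middleware` would also record the intended position, if that ordering matters.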