author | Jelle van der Waa <jelle@vdwaa.nl> | 2019-07-28 12:29:32 +0200 |
---|---|---|
committer | Jelle van der Waa <jelle@vdwaa.nl> | 2019-07-28 12:29:32 +0200 |
commit | c47aacb30fbf14b3b9ea1f0d05c0a3b08311f9e8 (patch) | |
tree | 2cf4b0dbb25b6c0546c1913a73b7142c2738d12a | |
parent | 4678d90c86078e0f43648193242d07635e107c1f (diff) | |
download | archweb-c47aacb30fbf14b3b9ea1f0d05c0a3b08311f9e8.tar.gz archweb-c47aacb30fbf14b3b9ea1f0d05c0a3b08311f9e8.zip |
Handle null byte searches
Some vulnerability scanners try to find security issues in all webforms
and submit an invalid null byte into the search form. This is cleaned out
by Django and leads to 'q' not being set, which gives a 500 error. Check
if the 'q' key exists in the cleaned_data; if not, return an empty list.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
-rw-r--r-- | packages/views/search.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/packages/views/search.py b/packages/views/search.py index 4bcd5fa1..c0289856 100644 --- a/packages/views/search.py +++ b/packages/views/search.py @@ -59,6 +59,8 @@ class PackageSearchForm(forms.Form): # only do exact match search if 'q' is sole parameter if self.changed_data != ['q']: return [] + if 'q' not in self.cleaned_data: + return [] return Package.objects.normal().filter(pkgname=self.cleaned_data['q']) |
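Review bot: The added `if 'q' not in self.cleaned_data` guard stops the KeyError, but it papers over the fact that this method is being called on a form that failed validation; as the commit message says, Django's CharField validation rejects the null character, so 'q' is dropped from cleaned_data and the form has errors. The cleaner fix is for the caller to check `is_valid()` before calling this method, or, if this method must tolerate an invalid form, to fold the two checks into one: `q = self.cleaned_data.get('q')` followed by `if not q: return []`, which also covers an empty value. Note that a rejected value still counts as changed, so the preceding `if self.changed_data != ['q']` check does not catch this case and the new guard has to stay after it rather than before. A short docstring or comment on why cleaned_data can lack 'q' (null byte rejected by validation) would save the next reader from re-deriving it.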