Python Django url参数不能包含NUL(0x00)字符


我目前正在测试我们网站的安全漏洞,但我自己的安全背景非常有限。

运行以下请求时:

http://127.0.0.1:8000/stuff/?template=%2Fe%00
我看到错误(下面是完整的堆栈跟踪):

这看起来是 URL 参数校验的问题:不允许出现 0x00(NUL)字符。我相当肯定曾在某处看到过有些字符应该被转义,但单独转义 NUL 似乎很奇怪。

当然,我可以在 /code/stuff/views.py 的第 92 行处用 try/except 捕获这个异常,但同样的问题无疑还会在其他地方出现。

因此,我的问题是:

  • 在django中,通过URL避免XSS攻击的最佳实践是什么
  • 这是不是已经在某个地方处理过了(我在解析器中看不到)
  • 这是否应该完全由其他地方处理
堆栈跟踪:

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  34.             response = get_response(request)

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  115.                 response = self.process_exception_by_middleware(e, request)

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  113.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in view
  71.             return self.dispatch(request, *args, **kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in dispatch
  97.         return handler(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get
  157.         context = self.get_context_data()

File "/code/stuff/views.py" in get_context_data
  92.         context = super(StuffListView, self).get_context_data(**kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get_context_data
  119.             paginator, page, queryset, is_paginated = self.paginate_queryset(queryset, page_size)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in paginate_queryset
  69.             page = paginator.page(page_number)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in page
  70.         number = self.validate_number(number)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in validate_number
  48.         if number > self.num_pages:

File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
  80.         res = instance.__dict__[self.name] = self.func(instance)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in num_pages
  97.         if self.count == 0 and not self.allow_empty_first_page:

File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
  80.         res = instance.__dict__[self.name] = self.func(instance)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in count
  91.             return c()

File "/usr/local/lib/python3.6/site-packages/django/db/models/query.py" in count
  392.         return self.query.get_count(using=self.db)

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_count
  504.         number = obj.get_aggregation(using, ['__count'])['__count']

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_aggregation
  489.         result = compiler.execute_sql(SINGLE)

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/compiler.py" in execute_sql
  1100.             cursor.execute(sql, params)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
  99.             return super().execute(sql, params)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
  67.         return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute_with_wrappers
  76.         return executor(sql, params, many, context)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute
  84.                 return self.cursor.execute(sql, params)

Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.

根据回溯,问题并不在于 URL 参数不能包含 %00,而是当该值经由分页器一路传到你所使用的数据库时,数据库驱动程序拒绝了它(回溯最底层是 cursor.execute 抛出的 ValueError,而不是 URL 解析阶段的错误)。

从错误信息判断,您可能正在使用 Postgres。(见相关问题)

如果愿意,可以设置一个中间件,拒绝所有包含 %00 的请求。注意应检查 URL 解码之后的 NUL 字节(\x00),而不仅仅是字面上的 %00 文本,并且同时检查路径和查询字符串;被拒绝的请求应返回 400,而不是像现在这样以 500 暴露堆栈跟踪。

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  34.             response = get_response(request)

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  115.                 response = self.process_exception_by_middleware(e, request)

File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  113.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in view
  71.             return self.dispatch(request, *args, **kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in dispatch
  97.         return handler(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get
  157.         context = self.get_context_data()

File "/code/stuff/views.py" in get_context_data
  92.         context = super(StuffListView, self).get_context_data(**kwargs)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get_context_data
  119.             paginator, page, queryset, is_paginated = self.paginate_queryset(queryset, page_size)

File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in paginate_queryset
  69.             page = paginator.page(page_number)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in page
  70.         number = self.validate_number(number)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in validate_number
  48.         if number > self.num_pages:

File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
  80.         res = instance.__dict__[self.name] = self.func(instance)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in num_pages
  97.         if self.count == 0 and not self.allow_empty_first_page:

File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
  80.         res = instance.__dict__[self.name] = self.func(instance)

File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in count
  91.             return c()

File "/usr/local/lib/python3.6/site-packages/django/db/models/query.py" in count
  392.         return self.query.get_count(using=self.db)

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_count
  504.         number = obj.get_aggregation(using, ['__count'])['__count']

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_aggregation
  489.         result = compiler.execute_sql(SINGLE)

File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/compiler.py" in execute_sql
  1100.             cursor.execute(sql, params)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
  99.             return super().execute(sql, params)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
  67.         return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute_with_wrappers
  76.         return executor(sql, params, many, context)

File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute
  84.                 return self.cursor.execute(sql, params)

Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.