From 66c3143bfd9b7676b3490c9fa73660fa4fff9fc3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marek=20St=C4=99pniowski?= <marek@stepniowski.com>
Date: Tue, 16 Sep 2008 10:22:09 +0200
Subject: [PATCH] Prevented one form of DoS attack by limiting number of tags
 in query to 6. Don't show search form if there are already 6 tags chosen.

---
 apps/catalogue/templatetags/catalogue_tags.py     | 2 +-
 apps/catalogue/views.py                           | 4 ++++
 wolnelektury/media/css/master.css                 | 4 +++-
 wolnelektury/templates/catalogue/breadcrumbs.html | 5 ++++-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/apps/catalogue/templatetags/catalogue_tags.py b/apps/catalogue/templatetags/catalogue_tags.py
index 537e3ec56..90cbec3b6 100644
--- a/apps/catalogue/templatetags/catalogue_tags.py
+++ b/apps/catalogue/templatetags/catalogue_tags.py
@@ -132,7 +132,7 @@ def authentication_form():
 def breadcrumbs(tags, search_form=True):
     from catalogue.forms import SearchForm
     context = {'tag_list': tags}
-    if search_form:
+    if search_form and len(tags) < 6:
         context['search_form'] = SearchForm(tags=tags)
     return context
 
diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 052537491..d8a61e35e 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -97,6 +97,10 @@ def book_list(request):
 
 
 def tagged_object_list(request, tags=''):
+    # Prevent DoS attacks on our database
+    if len(tags.split('/')) > 6:
+        raise Http404
+        
     try:
         tags = models.Tag.get_tag_list(tags)
     except models.Tag.DoesNotExist:
diff --git a/wolnelektury/media/css/master.css b/wolnelektury/media/css/master.css
index 860a2dd50..82d55a811 100644
--- a/wolnelektury/media/css/master.css
+++ b/wolnelektury/media/css/master.css
@@ -132,7 +132,8 @@ em {
     margin: 0;
     padding: 0;
     list-style: none;
-    display: inline;
+    display: block;
+    float: left;
 }
 
 #search-form li.category, #search-form li.book-title {
@@ -144,6 +145,7 @@ em {
     -moz-border-radius: 3px;
     -webkit-border-radius: 3px;
     border-radius: 3px;
+    margin-right: 0.25em;
 }
 
 #search-form li.book-title {
diff --git a/wolnelektury/templates/catalogue/breadcrumbs.html b/wolnelektury/templates/catalogue/breadcrumbs.html
index 896d9997c..ecf8dbafa 100644
--- a/wolnelektury/templates/catalogue/breadcrumbs.html
+++ b/wolnelektury/templates/catalogue/breadcrumbs.html
@@ -4,6 +4,9 @@
         {% for tag in tag_list %}
         <li class="category"><a href="{% catalogue_url tag %}">{{ tag }}</a> | <a href="{% catalogue_url tag_list -tag %}">x</a></li>
         {% endfor %}
-        <li>{{ search_form.q }} {{ search_form.tags }} <input type="submit" value="Szukaj"/></li>
+        {% if search_form %}
+            <li>{{ search_form.q }} {{ search_form.tags }} <input type="submit" value="Szukaj"/></li>
+        {% endif %}
     </ol>
+    <div class="clearboth"></div>
 </form>
\ No newline at end of file
-- 
2.20.1