From 66c3143bfd9b7676b3490c9fa73660fa4fff9fc3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marek=20St=C4=99pniowski?=
Date: Tue, 16 Sep 2008 10:22:09 +0200
Subject: [PATCH] Prevented one form of DoS attack by limiting number of tags in query to 6. Don't show search form if there are already 6 tags chosen.

---
 apps/catalogue/templatetags/catalogue_tags.py | 2 +-
 apps/catalogue/views.py | 4 ++++
 wolnelektury/media/css/master.css | 4 +++-
 wolnelektury/templates/catalogue/breadcrumbs.html | 5 ++++-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/apps/catalogue/templatetags/catalogue_tags.py b/apps/catalogue/templatetags/catalogue_tags.py
index 537e3ec56..90cbec3b6 100644
--- a/apps/catalogue/templatetags/catalogue_tags.py
+++ b/apps/catalogue/templatetags/catalogue_tags.py
@@ -132,7 +132,7 @@ def authentication_form():
 def breadcrumbs(tags, search_form=True):
 from catalogue.forms import SearchForm
 context = {'tag_list': tags}
- if search_form:
+ if search_form and len(tags) < 6:
 context['search_form'] = SearchForm(tags=tags)
 return context

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 052537491..d8a61e35e 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -97,6 +97,10 @@ def book_list(request):


 def tagged_object_list(request, tags=''):
+ # Prevent DoS attacks on our database
+ if len(tags.split('/')) > 6:
+ raise Http404
+
 try:
 tags = models.Tag.get_tag_list(tags)
 except models.Tag.DoesNotExist:
diff --git a/wolnelektury/media/css/master.css b/wolnelektury/media/css/master.css
index 860a2dd50..82d55a811 100644
--- a/wolnelektury/media/css/master.css
+++ b/wolnelektury/media/css/master.css
@@ -132,7 +132,8 @@ em {
 margin: 0;
 padding: 0;
 list-style: none;
- display: inline;
+ display: block;
+ float: left;
 }

 #search-form li.category, #search-form li.book-title {
@@ -144,6 +145,7 @@ em {
 -moz-border-radius: 3px;
 -webkit-border-radius: 3px;
 border-radius: 3px;
+ margin-right: 0.25em;
 }

 #search-form li.book-title {
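Review bot: The limit of 6 is a bare literal in the new `if search_form and len(tags) < 6:` line and appears again, as `> 6`, in the `tagged_object_list` hunk of views.py, so the two checks can drift apart without anyone noticing. Both files should read the value from one named constant (a constructed example would be `MAX_TAGS = 6` in a module both can import) rather than repeating the number. Since the form silently vanishes at the limit, the line also deserves a why-comment, e.g. `# Hide the search form once the per-query tag limit is reached; tagged_object_list rejects longer lists.`.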
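Review bot: The guard `if len(tags.split('/')) > 6:` counts raw path segments, so empty segments from a trailing or doubled slash count toward the limit even though they are not tags; whether that can legitimately occur depends on the URL pattern feeding this view, which is outside the hunk, so it is worth a look before relying on the exact count. The added comment `# Prevent DoS attacks on our database` states the intent but not the mechanism or the coupling; `# Reject over-long tag lists before touching the database (DoS guard); keep in sync with the limit in catalogue_tags.breadcrumbs.` would tell the next maintainer what to keep consistent. Raising `Http404` is a defensible choice for an out-of-range URL, but a short log line at this point would make it visible in operations when the limit is actually being hit. The body of `tagged_object_list` continues beyond the end of the hunk.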
diff --git a/wolnelektury/templates/catalogue/breadcrumbs.html b/wolnelektury/templates/catalogue/breadcrumbs.html
index 896d9997c..ecf8dbafa 100644
--- a/wolnelektury/templates/catalogue/breadcrumbs.html
+++ b/wolnelektury/templates/catalogue/breadcrumbs.html
@@ -4,6 +4,9 @@ {% for tag in tag_list %}
  • {{ tag }} | x
  • {% endfor %} -
  • {{ search_form.q }} {{ search_form.tags }}
  • + {% if search_form %} +
  • {{ search_form.q }} {{ search_form.tags }}
  • + {% endif %} +
    \ No newline at end of file
-- 
2.20.1