django-unfriendly
GET parameters ignored
When I send GET parameters with the obfuscated URL like
http://yoursite.com/u/E5v4uxuNSA8I2is33c6V8lqFTcdv_IxPLDGG/?param=Hello&param2=Bye
and I debug the request, the URL is passed without any parameters; it seems like they were ignored in the deobfuscation process.
Any idea how to send GET parameters?
@mordor182 This is by design. We want to prevent end users from fucking with any aspect of the request. Therefore, the entire request is intended to be hidden from the end user. This includes GET parameters which should be embedded inside the obfuscated URL.
For example:
{{ "/my/path/?param=Hello&param2=Bye"|obfuscate }}
Different GET parameters would result in different obfuscated URLs.
That being said, I'm not opposed to adding support for unobfuscated query strings if I can find an elegant way to handle it. Do you still feel this is a necessary feature addition?
I see some limitations when an Ajax function (for example) is in the web page: the URL is obfuscated by Django with the filter, but the params are edited by the DOM and added to the URL outside the Python environment, so there is no possibility to obfuscate the params and they are not included in the obfuscated URL. So I added a simple line in views.py to transparently pass the GET params:
...
# init a new request
patched_request = request.__class__(environ)
patched_request.GET = request.GET  # copy GET params from the incoming request to patched_request
# copy over any missing request attributes - this feels hackish
missing_items = set(dir(request)) - set(dir(patched_request))
...
Maybe this can be modulated with a settings variable like UNFRIENDLY_DEOBFUSCATED_GET_PARAMS = True or something similar.
Thanks for the quick response to this issue.
Not bad, but since there may have been a query string hidden inside the obfuscated request, we can't simply overwrite patched_request.GET. We'd need to elegantly merge the private GET with the public GET (and decide which wins in case of conflict).
I agree that this should be enabled by a setting as you suggest.
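To make the merge concrete, here is an added example (not django-unfriendly's own code, and not part of this thread) that separates the query string hidden inside the deobfuscated path from the query string the browser appended publicly, then merges the two under an explicit conflict rule. It uses only the standard library (no Django QueryDict) so it runs stand-alone; the setting UNFRIENDLY_PRIVATE_GET_WINS and the function names are assumptions for illustration, only UNFRIENDLY_DEOBFUSCATED_GET_PARAMS comes from the thread.

```python
# Added example, not django-unfriendly's own code: merge the GET parameters
# embedded in an obfuscated URL ("private") with GET parameters appended in
# the clear by the client ("public"), with an explicit winner on conflict.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Proposed in the thread: allow public ?a=b parameters at all.
UNFRIENDLY_DEOBFUSCATED_GET_PARAMS = True
# Hypothetical additional setting: on conflict, keep the value from the
# obfuscated URL so a client cannot override what the template pinned.
UNFRIENDLY_PRIVATE_GET_WINS = True


def split_private_query(deobfuscated_path):
    """Split the deobfuscated path into (path, parsed private query)."""
    parts = urlsplit(deobfuscated_path)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def merge_get_params(private, public, private_wins=True, allow_public=True):
    """Merge two parsed query dicts (name -> list of values).

    A key is taken wholesale from one side, so a public parameter can never
    append an extra value to a key the obfuscated URL already fixed.
    """
    if not allow_public:
        return {k: list(v) for k, v in private.items()}
    winner, loser = (private, public) if private_wins else (public, private)
    merged = {k: list(v) for k, v in loser.items()}
    for k, v in winner.items():
        merged[k] = list(v)  # winner overrides on conflict
    return merged


def build_internal_url(deobfuscated_path, public_query,
                       private_wins=UNFRIENDLY_PRIVATE_GET_WINS,
                       allow_public=UNFRIENDLY_DEOBFUSCATED_GET_PARAMS):
    """Return the internal URL the view should dispatch to."""
    path, private = split_private_query(deobfuscated_path)
    public = parse_qs(public_query, keep_blank_values=True)
    merged = merge_get_params(private, public, private_wins, allow_public)
    return urlunsplit(("", "", path, urlencode(merged, doseq=True), ""))


if __name__ == "__main__":
    # Constructed inputs: the hidden path carries param=Hello and param2=Bye;
    # the client appended param=Evil (conflict) and page=2 (new key).
    hidden = "/my/path/?param=Hello&param2=Bye"
    print(build_internal_url(hidden, "param=Evil&page=2"))
    # -> /my/path/?param=Hello&page=2&param2=Bye
```

With the defaults, the private value of `param` survives and only the genuinely new `page` key is accepted from the client; flipping `private_wins` lets the Ajax case override, and setting `allow_public` to False reproduces the current behaviour of ignoring the public query string entirely.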