summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2015-11-26 21:27:12 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2015-11-27 08:12:49 +0100
commit8dc11dc592dbd5027943462d1bb52a60e40db034 (patch)
tree9e7b51ba368591353a8dd27e471b7bba00eaa4c2 /django
parentb4a1d545db19bb427af4043ce2c689dad856514f (diff)
[1.9.x] Fixed #25302 (again) -- Ignored scheme when checking for bad referers.
The check introduced in 4ce433e was too strict in real life. The poorly implemented bots this patch attempted to ignore are sloppy when it comes to http vs. https. Backport of 11f10b7 from master
Diffstat (limited to 'django')
-rw-r--r--django/middleware/common.py17
1 files changed, 11 insertions, 6 deletions
diff --git a/django/middleware/common.py b/django/middleware/common.py
index fa38c63a24..5aeb746f81 100644
--- a/django/middleware/common.py
+++ b/django/middleware/common.py
@@ -8,6 +8,7 @@ from django.core.exceptions import PermissionDenied
from django.core.mail import mail_managers
from django.utils.cache import get_conditional_response, set_response_etag
from django.utils.encoding import force_text
+from django.utils.six.moves.urllib.parse import urlparse
logger = logging.getLogger('django.request')
@@ -163,13 +164,17 @@ class BrokenLinkEmailsMiddleware(object):
according to project settings or in three specific situations:
- If the referer is empty.
- If a '?' in referer is identified as a search engine source.
- - If the referer is equal to the current URL (assumed to be a
- malicious bot).
+ - If the referer is equal to the current URL, ignoring the scheme
+ (assumed to be a poorly implemented bot).
"""
- full_url = "%s://%s/%s" % (request.scheme, domain, uri.lstrip('/'))
- if (not referer or
- (not self.is_internal_request(domain, referer) and '?' in referer) or
- (referer == uri or referer == full_url)):
+ if not referer:
+ return True
+
+ if not self.is_internal_request(domain, referer) and '?' in referer:
+ return True
+
+ parsed_referer = urlparse(referer)
+ if parsed_referer.netloc in ['', domain] and parsed_referer.path == uri:
return True
return any(pattern.search(uri) for pattern in settings.IGNORABLE_404_URLS)