[Fixes #3951] [Cross-site scripting test - Security related - Issue] …
…Improvements to Tastypie paginator
afabiani
committed
Oct 9, 2018
1 parent
41c59f2
commit 4337f0e
Showing
4 changed files
with
99 additions
and
5 deletions.
@@ -0,0 +1,82 @@ | ||
# -*- coding: utf-8 -*- | ||
######################################################################### | ||
# | ||
# Copyright (C) 2018 OSGeo | ||
# | ||
# This program is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU General Public License as published by | ||
# the Free Software Foundation, either version 3 of the License, or | ||
# (at your option) any later version. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
######################################################################### | ||
|
||
from django.conf import settings | ||
from tastypie.exceptions import BadRequest | ||
from tastypie.paginator import Paginator | ||
|
||
|
||
class CrossSiteXHRPaginator(Paginator): | ||
|
||
def get_limit(self): | ||
""" | ||
Determines the proper maximum number of results to return. | ||
In order of importance, it will use: | ||
* The user-requested ``limit`` from the GET parameters, if specified. | ||
* The object-level ``limit`` if specified. | ||
* ``settings.API_LIMIT_PER_PAGE`` if specified. | ||
Default is 20 per page. | ||
""" | ||
|
||
limit = self.request_data.get('limit', self.limit) | ||
if limit is None: | ||
limit = getattr(settings, 'API_LIMIT_PER_PAGE', 20) | ||
|
||
try: | ||
limit = int(limit) | ||
except ValueError: | ||
raise BadRequest("Invalid limit provided. Please provide a positive integer.") | ||
|
||
if limit < 0: | ||
raise BadRequest("Invalid limit provided. Please provide a positive integer >= 0.") | ||
|
||
if self.max_limit and (not limit or limit > self.max_limit): | ||
# If it's more than the max, we're only going to return the max. | ||
# This is to prevent excessive DB (or other) load. | ||
return self.max_limit | ||
|
||
return limit | ||
|
||
def get_offset(self): | ||
""" | ||
Determines the proper starting offset of results to return. | ||
It attempts to use the user-provided ``offset`` from the GET parameters, | ||
if specified. Otherwise, it falls back to the object-level ``offset``. | ||
Default is 0. | ||
""" | ||
offset = self.offset | ||
|
||
if 'offset' in self.request_data: | ||
offset = self.request_data['offset'] | ||
|
||
try: | ||
offset = int(offset) | ||
except ValueError: | ||
raise BadRequest("Invalid offset provided. Please provide an integer.") | ||
|
||
if offset < 0: | ||
raise BadRequest("Invalid offset provided. Please provide a positive integer >= 0.") | ||
|
||
return offset |
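Review bot: Both new `int()` conversions catch only `ValueError`, so a `limit` or `offset` that arrives as a non-string type (a list, say, if `request_data` is a plain dict rather than a Django QueryDict) raises `TypeError` and escapes as a server error instead of the intended 400; widening the handler at the `try` in `get_limit` and the one in `get_offset` to `except (ValueError, TypeError):` closes that gap. The error strings deliberately do not echo the submitted value — every `BadRequest` message here is a constant — which is presumably the cross-site-scripting fix the commit title refers to, so `CrossSiteXHRPaginator` deserves a class docstring stating that the raw `limit`/`offset` input must never be interpolated into these messages, before a later edit reintroduces `'%s' % limit`. Note also that `offset` has no upper bound: any non-negative integer passes validation and reaches the query layer, where a value past the database's integer range would likely surface as a database error rather than a `BadRequest`, so capping it (or documenting that it is intentionally unbounded) is worth considering.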