authorRob Hudson2008-09-24 16:23:01 -0700
committerRob Hudson2008-09-24 16:23:01 -0700
commit85d879803c88aa036934d36977a10b5d28b70aaa (patch)
tree3314e883ea5d9226a560ecaf5b9d251223d08334
parentc70de6b2d3e2fd3d3bfa5cc15c7dfd4903aa1991 (diff)
Adding a SHA-1 hash to the parameters passed to get the EXPLAIN query, to prevent
tampering with the SQL or the parameters.
-rw-r--r--debug_toolbar/panels/sql.py7
-rw-r--r--debug_toolbar/templates/debug_toolbar/panels/sql.html2
-rw-r--r--debug_toolbar/views.py13
3 files changed, 16 insertions, 6 deletions
diff --git a/debug_toolbar/panels/sql.py b/debug_toolbar/panels/sql.py
index 9223cb7..22d65a7 100644
--- a/debug_toolbar/panels/sql.py
+++ b/debug_toolbar/panels/sql.py
@@ -1,9 +1,11 @@
import time
from debug_toolbar.panels import DebugPanel
+from django.conf import settings
from django.db import connection
from django.db.backends import util
from django.template.loader import render_to_string
from django.utils import simplejson
+from django.utils.hashcompat import sha_constructor
class DatabaseStatTracker(util.CursorDebugWrapper):
"""
@@ -26,7 +28,8 @@ class DatabaseStatTracker(util.CursorDebugWrapper):
'sql': self.db.ops.last_executed_query(self.cursor, sql, params),
'time': stop - start,
'raw_sql': sql,
- 'params': _params
+ 'params': _params,
+ 'hash': sha_constructor(settings.SECRET_KEY + sql + _params).hexdigest(),
})
util.CursorDebugWrapper = DatabaseStatTracker
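Review bot: The tamper tag on the new `'hash'` line is a bare secret-prefix SHA-1 over an undelimited concatenation, so the boundary between sql and _params is not authenticated: any split of the same byte string (characters moved from the end of sql to the front of params) yields the same digest, and a plain `SECRET_KEY + data` prefix is exactly the shape that SHA-1 length extension applies to. Prefer a keyed MAC over an unambiguous encoding, e.g. `'hash': hmac.new(settings.SECRET_KEY, simplejson.dumps([sql, _params]), sha_constructor).hexdigest(),` (with `import hmac` added at the top of the file), or at minimum a fixed separator that cannot appear in either field; the verifier in views.py sql_explain (the last hunk on this page) must be changed in step, since both sides compute the same value. Whether _params is already a JSON string is decided outside this hunk, so the exact encoding should be checked against its definition. The execute method this dict is built in starts outside the hunk.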
@@ -37,7 +40,7 @@ class SQLDebugPanel(DebugPanel):
"""
name = 'SQL'
has_content = True
-
+
def __init__(self):
self._offset = len(connection.queries)
self._sql_time = 0
diff --git a/debug_toolbar/templates/debug_toolbar/panels/sql.html b/debug_toolbar/templates/debug_toolbar/panels/sql.html
index 052b36a..e218f22 100644
--- a/debug_toolbar/templates/debug_toolbar/panels/sql.html
+++ b/debug_toolbar/templates/debug_toolbar/panels/sql.html
@@ -13,7 +13,7 @@
<td>{{ query.time|floatformat:"4" }}</td>
<td>
{% if query.params %}
- <a class="remoteCall" href="/__debug__/sql_explain/?sql={{ query.raw_sql|urlencode }}&params={{ query.params|urlencode }}&time={{ query.time|floatformat:"4"|urlencode }}">EXPLAIN</a>
+ <a class="remoteCall" href="/__debug__/sql_explain/?sql={{ query.raw_sql|urlencode }}&params={{ query.params|urlencode }}&time={{ query.time|floatformat:"4"|urlencode }}&hash={{ query.hash }}">EXPLAIN</a>
{% endif %}
</td>
<td class="syntax">{{ query.sql|safe }}</td>
diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py
index 97739e6..b67a70b 100644
--- a/debug_toolbar/views.py
+++ b/debug_toolbar/views.py
@@ -8,8 +8,10 @@ import os
import django.views.static
from django.conf import settings
from django.db import connection
+from django.http import HttpResponse
from django.shortcuts import render_to_response
from django.utils import simplejson
+from django.utils.hashcompat import sha_constructor
def debug_media(request, path):
root = getattr(settings, 'DEBUG_TOOLBAR_MEDIA_ROOT', None)
@@ -21,16 +23,21 @@ def debug_media(request, path):
def sql_explain(request):
"""
Returns the output of the SQL EXPLAIN on the given query.
-
+
Expected GET variables:
- sql: urlencoded sql with position arguments
+ sql: urlencoded sql with positional arguments
params: JSON encoded parameter values
time: time for SQL to execute passed in from toolbar just for redisplay
+ hash: the hash of (secret + sql + params) for tamper checking
"""
from debug_toolbar.panels.sql import reformat_sql
sql = request.GET.get('sql', '')
+ params = request.GET.get('params', '')
+ hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
+ if hash != request.GET.get('hash', ''):
+ return HttpResponse('<h3>Tamper alert</h3>') # SQL Tampering alert
if sql.lower().startswith('select'):
- params = simplejson.loads(request.GET.get('params', ''))
+ params = simplejson.loads(params)
cursor = connection.cursor()
cursor.execute("EXPLAIN %s" % (sql,), params)
headers = [d[0] for d in cursor.description]
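Review bot: The tamper rejection at `return HttpResponse('<h3>Tamper alert</h3>')` answers with a 200 and an HTML fragment, so callers and logs cannot tell a refused request from a successful EXPLAIN; `return HttpResponseForbidden('<h3>Tamper alert</h3>')` (also in django.http) makes the refusal explicit and lets the trailing `# SQL Tampering alert` comment go. The local named `hash` shadows the builtin; `expected = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()` followed by `if expected != request.GET.get('hash', ''):` reads as what it is. That comparison is an ordinary string `!=`, which stops at the first differing byte; a constant-time comparison (hmac.compare_digest where the Python in use has it) would close that timing side channel, though the check is only as strong as the digest construction it mirrors in panels/sql.py. The function's body continues past the hunk, so the non-select path and the response building are not visible here.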