| -rw-r--r-- | debug_toolbar/middleware.py | 4 | ||||
| -rw-r--r-- | debug_toolbar/urls.py | 12 | ||||
| -rw-r--r-- | debug_toolbar/views.py | 17 | 
3 files changed, 23 insertions, 10 deletions
diff --git a/debug_toolbar/middleware.py b/debug_toolbar/middleware.py
index 8dcf454..c3cf5f9 100644
--- a/debug_toolbar/middleware.py
+++ b/debug_toolbar/middleware.py
@@ -8,6 +8,8 @@ from django.utils.encoding import smart_unicode
 from django.conf.urls.defaults import include, patterns
 import debug_toolbar.urls
 from debug_toolbar.toolbar.loader import DebugToolbar
+from debug_toolbar.urls import DEBUG_TB_URL_PREFIX
+import os
 
 _HTML_TYPES = ('text/html', 'application/xhtml+xml')
 
@@ -37,7 +39,7 @@ class DebugToolbarMiddleware(object):
     def show_toolbar(self, request):
         if not settings.DEBUG:
             return False
-        if request.is_ajax():
+        if request.is_ajax() and not request.path.startswith(os.path.join('/', DEBUG_TB_URL_PREFIX)): #Allow ajax requests from the debug toolbar
             return False
         if not request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS:
             return False
diff --git a/debug_toolbar/urls.py b/debug_toolbar/urls.py
index 77d1a80..05233e2 100644
--- a/debug_toolbar/urls.py
+++ b/debug_toolbar/urls.py
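Review bot: The new condition in show_toolbar builds the URL prefix with `os.path.join('/', DEBUG_TB_URL_PREFIX)` and tests it with a bare `startswith`, so the ajax exemption matches any path that merely begins with `/__debug__`, not only the toolbar's own routes, and it leans on a filesystem helper to join URL segments. A plain string with a terminating slash is narrower and portable: `if request.is_ajax() and not request.path.startswith('/%s/' % DEBUG_TB_URL_PREFIX):`, which also makes the `import os` added in the first hunk unnecessary (it is placed after the project imports rather than with the standard library). The exemption presumably assumes debug_toolbar.urls is included at the site root; if it is mounted under another prefix the test never matches and the toolbar's ajax requests stay blocked, which is worth a comment. The trailing `#Allow ajax requests from the debug toolbar` comment would read better on its own line above the `if`. show_toolbar continues past the end of the hunk.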
@@ -7,10 +7,12 @@ this into the urlconf for the request.
 from django.conf.urls.defaults import *
 from django.conf import settings
+DEBUG_TB_URL_PREFIX = '__debug__'
+
 
 urlpatterns = patterns('',
-    url(r'^__debug__/m/(.*)$', 'debug_toolbar.views.debug_media'),
-    url(r'^__debug__/sql_select/$', 'debug_toolbar.views.sql_select', name='sql_select'),
-    url(r'^__debug__/sql_explain/$', 'debug_toolbar.views.sql_explain', name='sql_explain'),
-    url(r'^__debug__/sql_profile/$', 'debug_toolbar.views.sql_profile', name='sql_profile'),
-    url(r'^__debug__/template_source/$', 'debug_toolbar.views.template_source', name='template_source'),
+    url(r'^%s/m/(.*)$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.debug_media'),
+    url(r'^%s/sql_select/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_select', name='sql_select'),
+    url(r'^%s/sql_explain/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_explain', name='sql_explain'),
+    url(r'^%s/sql_profile/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.sql_profile', name='sql_profile'),
+    url(r'^%s/template_source/$' % DEBUG_TB_URL_PREFIX, 'debug_toolbar.views.template_source', name='template_source'),
 )
diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py
index e3bb5b1..0fb4168 100644
--- a/debug_toolbar/views.py
+++ b/debug_toolbar/views.py
@@ -8,11 +8,17 @@ import os
 import django.views.static
 from django.conf import settings
 from django.db import connection
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponseBadRequest
 from django.shortcuts import render_to_response
 from django.utils import simplejson
 from django.utils.hashcompat import sha_constructor
 
+class InvalidSQLError(Exception):
+    def __init__(self, value):
+        self.value = value
+    def __str__(self):
+        return repr(self.value)
+    
 def debug_media(request, path):
     root = getattr(settings, 'DEBUG_TOOLBAR_MEDIA_ROOT', None)
     if root is None:
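Review bot: The new `DEBUG_TB_URL_PREFIX` is interpolated into every pattern with `%s` but never escaped, so the routes only stay correct while the prefix contains no regex metacharacters; if the constant is meant to be changeable, format it with `re.escape(DEBUG_TB_URL_PREFIX)` (importing `re`), otherwise state the restriction next to it, e.g. `# Path segment under which the toolbar serves its own views; must contain no regex metacharacters`. The constant also carries no comment that middleware.py imports it to recognise the toolbar's own requests, which is the reason it was hoisted out of the patterns.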
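Review bot: `InvalidSQLError` re-implements what `Exception` already provides: the base `__init__` keeps the message in `args` and `str()` returns it, so the `__init__`/`__str__` overrides change nothing except wrapping the message in `repr()` quotes, and the class has no docstring. `class InvalidSQLError(Exception):` followed by `"""Raised by the SQL panel views when the submitted statement is not a SELECT."""` is sufficient. The added blank line after `return repr(self.value)` also appears to carry trailing indentation.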
@@ -36,7 +42,7 @@ def sql_select(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute(sql, params)
@@ -50,6 +56,7 @@ def sql_select(request):
             'headers': headers,
         }
         return render_to_response('debug_toolbar/panels/sql_select.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def sql_explain(request):
     """
@@ -67,7 +74,7 @@ def sql_explain(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute("EXPLAIN %s" % (sql,), params)
@@ -81,6 +88,7 @@ def sql_explain(request):
             'headers': headers,
         }
         return render_to_response('debug_toolbar/panels/sql_explain.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def sql_profile(request):
     """
@@ -98,7 +106,7 @@ def sql_profile(request):
     hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest()
     if hash != request.GET.get('hash', ''):
         return HttpResponseBadRequest('Tamper alert') # SQL Tampering alert
-    if sql.lower().startswith('select'):
+    if sql.lower().strip().startswith('select'):
         params = simplejson.loads(params)
         cursor = connection.cursor()
         cursor.execute("SET PROFILING=1") # Enable profiling
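Review bot: The `raise InvalidSQLError(...)` added at the end of sql_select (and likewise in the -81,6 hunk of sql_explain and the -116,6 hunk of sql_profile) turns a rejected non-SELECT statement into an unhandled exception, i.e. a 500 and, with DEBUG on, a traceback page, whereas the tamper branch a few lines above answers the same class of client error with `HttpResponseBadRequest`. `return HttpResponseBadRequest("Only 'select' queries are allowed.")` keeps the three views consistent with that branch and still leaves the new exception class available for callers that want one. The `.strip()` added before `startswith('select')` only normalises surrounding whitespace; the prefix test remains a coarse guard, and the hash over `SECRET_KEY + sql + params` appears to be the check that actually ties the statement to one the toolbar produced, which deserves a comment on the `if`, e.g. `# Secondary guard; the hash check above is what authenticates the statement`. The same three-line hash/tamper/select sequence is now repeated in three views and would sit better in one private helper.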
@@ -116,6 +124,7 @@ def sql_profile(request):
             'headers': headers,
         }
         return render_to_response('debug_toolbar/panels/sql_explain.html', context)
+    raise InvalidSQLError("Only 'select' queries are allowed.")
 
 def template_source(request):
     """
