diff options
| -rw-r--r-- | debug_toolbar/panels/sql.py | 7 | ||||
| -rw-r--r-- | debug_toolbar/templates/debug_toolbar/panels/sql.html | 2 | ||||
| -rw-r--r-- | debug_toolbar/views.py | 13 |
3 files changed, 16 insertions, 6 deletions
diff --git a/debug_toolbar/panels/sql.py b/debug_toolbar/panels/sql.py index 9223cb7..22d65a7 100644 --- a/debug_toolbar/panels/sql.py +++ b/debug_toolbar/panels/sql.py @@ -1,9 +1,11 @@ import time from debug_toolbar.panels import DebugPanel +from django.conf import settings from django.db import connection from django.db.backends import util from django.template.loader import render_to_string from django.utils import simplejson +from django.utils.hashcompat import sha_constructor class DatabaseStatTracker(util.CursorDebugWrapper): """ @@ -26,7 +28,8 @@ class DatabaseStatTracker(util.CursorDebugWrapper): 'sql': self.db.ops.last_executed_query(self.cursor, sql, params), 'time': stop - start, 'raw_sql': sql, - 'params': _params + 'params': _params, + 'hash': sha_constructor(settings.SECRET_KEY + sql + _params).hexdigest(), }) util.CursorDebugWrapper = DatabaseStatTracker @@ -37,7 +40,7 @@ class SQLDebugPanel(DebugPanel): """ name = 'SQL' has_content = True - + def __init__(self): self._offset = len(connection.queries) self._sql_time = 0 diff --git a/debug_toolbar/templates/debug_toolbar/panels/sql.html b/debug_toolbar/templates/debug_toolbar/panels/sql.html index 052b36a..e218f22 100644 --- a/debug_toolbar/templates/debug_toolbar/panels/sql.html +++ b/debug_toolbar/templates/debug_toolbar/panels/sql.html @@ -13,7 +13,7 @@ <td>{{ query.time|floatformat:"4" }}</td> <td> {% if query.params %} - <a class="remoteCall" href="/__debug__/sql_explain/?sql={{ query.raw_sql|urlencode }}¶ms={{ query.params|urlencode }}&time={{ query.time|floatformat:"4"|urlencode }}">EXPLAIN</a> + <a class="remoteCall" href="/__debug__/sql_explain/?sql={{ query.raw_sql|urlencode }}¶ms={{ query.params|urlencode }}&time={{ query.time|floatformat:"4"|urlencode }}&hash={{ query.hash }}">EXPLAIN</a> {% endif %} </td> <td class="syntax">{{ query.sql|safe }}</td> diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py index 97739e6..b67a70b 100644 --- a/debug_toolbar/views.py +++ b/debug_toolbar/views.py @@ -8,8 +8,10 @@ import os import django.views.static from django.conf import settings from django.db import connection +from django.http import HttpResponse from django.shortcuts import render_to_response from django.utils import simplejson +from django.utils.hashcompat import sha_constructor def debug_media(request, path): root = getattr(settings, 'DEBUG_TOOLBAR_MEDIA_ROOT', None) @@ -21,16 +23,21 @@ def debug_media(request, path): def sql_explain(request): """ Returns the output of the SQL EXPLAIN on the given query. - + Expected GET variables: - sql: urlencoded sql with position arguments + sql: urlencoded sql with positional arguments params: JSON encoded parameter values time: time for SQL to execute passed in from toolbar just for redisplay + hash: the hash of (secret + sql + params) for tamper checking """ from debug_toolbar.panels.sql import reformat_sql sql = request.GET.get('sql', '') + params = request.GET.get('params', '') + hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest() + if hash != request.GET.get('hash', ''): + return HttpResponse('<h3>Tamper alert</h3>') # SQL Tampering alert if sql.lower().startswith('select'): - params = simplejson.loads(request.GET.get('params', '')) + params = simplejson.loads(params) cursor = connection.cursor() cursor.execute("EXPLAIN %s" % (sql,), params) headers = [d[0] for d in cursor.description] |