From 85d879803c88aa036934d36977a10b5d28b70aaa Mon Sep 17 00:00:00 2001 From: Rob Hudson Date: Wed, 24 Sep 2008 16:23:01 -0700 Subject: Adding a SHA-1 hash to the parameters passed to get the EXPLAIN query to avoid any sort of tampering of the SQL or parameters. --- debug_toolbar/views.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'debug_toolbar/views.py') diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py index 97739e6..b67a70b 100644 --- a/debug_toolbar/views.py +++ b/debug_toolbar/views.py @@ -8,8 +8,10 @@ import os import django.views.static from django.conf import settings from django.db import connection +from django.http import HttpResponse from django.shortcuts import render_to_response from django.utils import simplejson +from django.utils.hashcompat import sha_constructor def debug_media(request, path): root = getattr(settings, 'DEBUG_TOOLBAR_MEDIA_ROOT', None) @@ -21,16 +23,21 @@ def debug_media(request, path): def sql_explain(request): """ Returns the output of the SQL EXPLAIN on the given query. - + Expected GET variables: - sql: urlencoded sql with position arguments + sql: urlencoded sql with positional arguments params: JSON encoded parameter values time: time for SQL to execute passed in from toolbar just for redisplay + hash: the hash of (secret + sql + params) for tamper checking """ from debug_toolbar.panels.sql import reformat_sql sql = request.GET.get('sql', '') + params = request.GET.get('params', '') + hash = sha_constructor(settings.SECRET_KEY + sql + params).hexdigest() + if hash != request.GET.get('hash', ''): + return HttpResponse('

Tamper alert

') # SQL Tampering alert if sql.lower().startswith('select'): - params = simplejson.loads(request.GET.get('params', '')) + params = simplejson.loads(params) cursor = connection.cursor() cursor.execute("EXPLAIN %s" % (sql,), params) headers = [d[0] for d in cursor.description] -- cgit v1.2.3