Hopiu/django-axes
1
0
Fork 0
mirror of https://github.com/jazzband/django-axes.git synced 2026-03-16 22:30:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Limit amount of POST data logged (#73)

Browse source 
Limiting the length of value is not enough, as there could be arbitrary
number of them, or very long key names.
This commit is contained in:
Peter Kuma 2014-05-16 16:28:55 +02:00
parent 4daba3daa3
commit b6c3eeeaed
1 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
axes/decorators.py
View file

@ -80,20 +80,20 @@ def get_lockout_url():
return getattr(settings, 'AXES_LOCKOUT_URL', None)
def query2str(items):
def query2str(items, max_length=1024):
"""Turns a dictionary into an easy-to-read list of key-value pairs.
If there's a field called "password" it will be excluded from the output.
The length of the output is limited to max_length to avoid a DoS attack.
"""
# Limit the length of the value to avoid a DoS attack
value_maxlimit = 256
kvs = []
for k, v in items:
if k != 'password':
kvs.append(six.u('%s=%s') % (k, v[:256]))
kvs.append(six.u('%s=%s') % (k, v))
return '\n'.join(kvs)
return '\n'.join(kvs)[:max_length]
def ip_in_whitelist(ip):