Fixed circumventing blocking by appending whitespace to username

Attila Földes 2025-07-01 13:10:33 +02:00
parent cc35032a0c
commit 29addd23cc
2 changed files with 11 additions and 1 deletions


@ -1149,6 +1149,16 @@ class TestUtils(DefenderTestCase):
"defender:blocked:username:johndoe", "blocked:username:"),
"defender:blocked:username:johndoe")
def test_whitespace_block_circumvention(self):
username = "johndoe"
req = HttpRequest()
req.POST["username"] = f"{username} " # username with appended whitespace
req.META["HTTP_X_REAL_IP"] = "1.2.3.4"
utils.block_username(username)
self.assertTrue(utils.is_already_locked(req))
class TestRedisConnection(TestCase):
""" Test the redis connection parsing """
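Review bot: `test_whitespace_block_circumvention` only exercises a single trailing space, so leading whitespace and other whitespace characters (tab, newline) that the same `strip()` call is meant to cover are not pinned by a regression test. Looping over a few padded forms would cover them, e.g. `for padded in (f"{username} ", f" {username}", f"\t{username}\n"):` with `with self.subTest(padded=padded):` around the request setup and the assertion. A one-line docstring such as `""" a blocked username stays blocked when submitted with surrounding whitespace """` would also match the docstring style used elsewhere in this file.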


@ -195,7 +195,7 @@ def increment_key(key):
def username_from_request(request):
""" unloads username from default POST request """
if config.USERNAME_FORM_FIELD in request.POST:
return request.POST[config.USERNAME_FORM_FIELD][:255]
return request.POST[config.USERNAME_FORM_FIELD][:255].strip()
return None
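Review bot: On the new return line the value is cut to 255 characters before `strip()` runs, so a submission with a long run of leading whitespace can be truncated inside the name and still produce a lockout key that differs from the one stored for the clean username. Stripping first keeps the key stable: `return request.POST[config.USERNAME_FORM_FIELD].strip()[:255]`. `strip()` also handles whitespace only; if the login form or backend additionally folds case or applies Unicode normalisation (not visible in this hunk), the lockout key should be derived with the same normalisation. The docstring could state that the returned value is the stripped, length-limited form used as the blocking key.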