Hopiu/django-defender
1
0
Fork 0
mirror of https://github.com/jazzband/django-defender.git synced 2026-03-16 22:10:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed circumventing blocking by appending whitespace to username (#248)

Browse source
This commit is contained in:
Attila 2025-07-01 17:23:24 +02:00 committed by GitHub
parent e420d76463
commit 37e5dd3123
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
defender/tests.py
View file

@ -1149,6 +1149,16 @@ class TestUtils(DefenderTestCase):
"defender:blocked:username:johndoe", "blocked:username:"), "defender:blocked:username:johndoe", "blocked:username:"),
"defender:blocked:username:johndoe") "defender:blocked:username:johndoe")
def test_whitespace_block_circumvention(self):
username = "johndoe"
req = HttpRequest()
req.POST["username"] = f"{username} " # username with appended whitespace
req.META["HTTP_X_REAL_IP"] = "1.2.3.4"
utils.block_username(username)
self.assertTrue(utils.is_already_locked(req))
class TestRedisConnection(TestCase): class TestRedisConnection(TestCase):
""" Test the redis connection parsing """ """ Test the redis connection parsing """

2
defender/utils.py
View file

@ -195,7 +195,7 @@ def increment_key(key):
def username_from_request(request): def username_from_request(request):
""" unloads username from default POST request """ """ unloads username from default POST request """
if config.USERNAME_FORM_FIELD in request.POST: if config.USERNAME_FORM_FIELD in request.POST:
return request.POST[config.USERNAME_FORM_FIELD][:255] return request.POST[config.USERNAME_FORM_FIELD][:255].strip()
return None return None