From 90245b1cff1f542a3698273e745d858857de8722 Mon Sep 17 00:00:00 2001 From: Kevin Lowe Date: Thu, 24 Mar 2022 23:32:45 +0000 Subject: [PATCH] Fix issue with query string parsing This issue was leading to incorrect message digests which led to a 403 forbidden error. The query parameter 'fields' needed to be decoded before use. Otherwise, it would be encoded twice somewhere inside the request.META.get (i think -unconfirmed) i.e ,(comma) -> %2C -> %252C This extra encoding caused the message digests to mismatch leading to the 403 error. --- wagtail_transfer/auth.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/wagtail_transfer/auth.py b/wagtail_transfer/auth.py index 85b519b..95ecb10 100644 --- a/wagtail_transfer/auth.py +++ b/wagtail_transfer/auth.py @@ -1,19 +1,26 @@ +import logging import hashlib import hmac import re +from urllib.parse import unquote + from django.conf import settings from django.core.exceptions import PermissionDenied +logger = logging.getLogger(__name__) + GROUP_QUERY_WITH_DIGEST = re.compile('(?P.*?)&?digest=(?P[^&]*)(?P.*)') + def check_get_digest_wrapper(view_func): """ Check the digest of a request matches its GET parameters This is useful when wrapping vendored API views """ def decorated_view(request, *args, **kwargs): - query_string = request.META.get('QUERY_STRING', '') + query_string = unquote(request.META.get('QUERY_STRING', '')) + logger.info(f"Parsed Querystring: {query_string}") match = GROUP_QUERY_WITH_DIGEST.match(query_string) if not match: raise PermissionDenied @@ -52,7 +59,7 @@ def check_digest(message, digest): expected_digest = hmac.new(key, message, hashlib.sha1).hexdigest() if not hmac.compare_digest(digest, expected_digest): - raise PermissionDenied + raise PermissionDenied def digest_for_source(source, message):
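Review bot: Decoding the raw `QUERY_STRING` with `unquote` before the digest check breaks the binding between the signed message and the parameters the wrapped view actually reads: `unquote` also turns `%26` and `%3D` into `&` and `=`, so a captured valid request `?a=x&b=y&digest=D` and a replayed `?a=x%26b%3Dy&digest=D` decode to the same string and pass the same digest check, while Django's `request.GET` parses them as different parameter sets (this assumes the matched groups are what gets digested; `decorated_view`'s body continues outside the hunk). Verification should run over the same byte string the view will parse, so keep `query_string = request.META.get('QUERY_STRING', '')` raw here and fix the signer to digest the percent-encoded form it actually sends — the "encoded twice" in the commit message is presumably the client encoding `fields` after computing the digest rather than anything inside `request.META.get`, which returns the query string as received. If decoding is genuinely needed, `unquote` only the individual parameter values after the digest has been verified, never the delimiters. Separately, `logger.info(f"Parsed Querystring: {query_string}")` writes every request's parameters together with its `digest` value to the log at INFO; at minimum use the lazy, lower-level form `logger.debug("Parsed Querystring: %s", query_string)`, and preferably log the query with the digest group stripped so the HMAC tag is not routinely persisted where a log reader could replay it.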