Commit Graph

17 Commits

Author SHA1 Message Date
Greg Price 55426894cd errors: Force a super-simpler handler for 400 errors.
This works around a bug in Django in handling the error case of a
client sending an inappropriate HTTP `Host:` header.  Various
internal Django machinery expects to be able to casually call
`request.get_host()`, which will attempt to parse that header, so an
exception will be raised.  The exception-handling machinery attempts
to catch that exception and just turn it into a 400 response... but
in a certain case, that machinery itself ends up trying to call
`request.get_host()`, and we end up with an uncaught exception that
causes a 500 response, a chain of tracebacks in the logs, and an email
to the server admins.  See example below.

That `request.get_host` call comes in the midst of some CSRF-related
middleware, which doesn't even serve any function unless you have a
form in your 400 response page that you want CSRF protection for.
We use the default 400 response page, which is a 26-byte static
HTML error message.  So, just send that with no further ado.

Example exception from server logs (lightly edited):

  2017-10-08 09:51:50.835 ERR  [django.security.DisallowedHost] Invalid HTTP_HOST header: 'example.com'. You may need to add 'example.com' to ALLOWED_HOSTS.
  2017-10-08 09:51:50.835 ERR  [django.request] Internal Server Error: /loginWithSetCookie
  Traceback (most recent call last):
    File ".../django/core/handlers/exception.py", line 41, in inner
      response = get_response(request)
    File ".../django/utils/deprecation.py", line 138, in __call__
      response = self.process_request(request)
    File ".../django/middleware/common.py", line 57, in process_request
      host = request.get_host()
    File ".../django/http/request.py", line 113, in get_host
      raise DisallowedHost(msg)
  django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'example.com'. You may need to add 'example.com' to ALLOWED_HOSTS.

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File ".../django/core/handlers/exception.py", line 109, in get_exception_response
      response = callback(request, **dict(param_dict, exception=exception))
    File ".../django/utils/decorators.py", line 145, in _wrapped_view
      result = middleware.process_view(request, view_func, args, kwargs)
    File ".../django/middleware/csrf.py", line 276, in process_view
      good_referer = request.get_host()
    File ".../django/http/request.py", line 113, in get_host
      raise DisallowedHost(msg)
  django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'example.com'. You may need to add 'example.com' to ALLOWED_HOSTS.
2017-10-11 20:43:36 -07:00
Tim Abbott 234f7960a1 tests: Add @slow decorator to various methods needing it.
Also, fix the test_message_editing test having way too many cases.

Fixes #1478.
2017-10-06 15:45:04 -07:00
Cynthia Lin cfeb125624 zerver: Block access to subdirectories when visiting user docs articles.
Fixes #6770
2017-10-03 11:16:09 -07:00
rht 26f5d9a32c zerver/tests: Remove print_function. 2017-09-27 18:05:45 -07:00
rht daef6a7dbc zerver/tests: Remove `import six`. 2017-09-27 17:07:40 -07:00
rht 1e87a4b68c zerver/tests: Remove absolute_import. 2017-09-27 10:00:39 -07:00
Tim Abbott 58edf75962 api: Allow incoming webhook bots to use the send_message API. 2017-08-22 10:06:34 -07:00
Umair Khan d051bfbcb4 test_urls: Upgrade to HttpResponse.json(). 2017-08-16 07:06:58 -07:00
Tim Abbott ed10ce70d4 invites: Migrate to non-legacy API format.
This has the side effect of making it possible for a bot user to
invite users with its API key, which seems useful.
2017-07-31 13:08:06 -07:00
Tim Abbott 1e5aee054b settings: Migrate main settings-change code to API.
This was one of the few major remaining endpoints that were still on
the old-style legacy API.
2017-07-31 13:08:06 -07:00
Aditya Bansal 57bc847874 pep8: Add compliance with rule E261 to test_urls.py. 2017-05-18 03:00:32 +05:30
kunall17 e087bc24f8 streams: Migrate stream property changes to new REST endpoint.
This is one of the last major endpoints that were still done in the
pre-REST style.

While we're at it, we change the endpoint to expect a stream ID, not a
stream name.
2017-05-09 13:39:23 -07:00
Umair Khan 32849b80ad Django 1.10: Url pattern doesn't use _callback_str.
Fixes #3941
2017-03-09 00:50:12 -08:00
Tim Abbott c0f43ce343 tests: Move PublicURLTest tests to test_urls.py. 2017-03-08 03:57:37 -08:00
acrefoot e4ed9195dc Remove rest_dispatch hack and optimize imports.
For a long time, rest_dispatch has had this hack where we have to
create a copy of it in each views file using it, in order to directly
access the globals list in that file.  This removes that hack, instead
making rest_dispatch just use Django's import_string to access the
target method to use.

[tweaked and reorganized from acrefoot's original branch in various
ways by tabbott]
2016-06-24 16:11:03 -07:00
Tim Abbott 6fba0879a4 Annotate much of the rest of zerver/tests. 2016-06-04 11:53:20 -07:00
Tim Abbott be96cf809d Move Zulip backend tests to zerver.tests. 2016-04-11 22:16:09 -07:00