From 37a5e6640319eddce61798dcaf3326c98b6fdccf Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Thu, 4 Nov 2021 17:07:50 +0100
Subject: [PATCH] Return a HttpResponse instead of an exception on NUL in query string parameters

Raising an exception triggers an email-to-admin-action, and the whole reason we have this NUL check is to *avoid* triggering those emails... Hopefully explicitly returning a 400 HttpResponse will maek them go away.
---
 pgweb/util/middleware.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 2120876f..28868459 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -1,6 +1,5 @@
 from django.conf import settings
-from django.http import QueryDict
-from django.core.exceptions import SuspiciousOperation
+from django.http import QueryDict, HttpResponse
 from pgweb.util.templateloader import initialize_template_collection, get_all_templates
@@ -104,7 +103,11 @@ class PgMiddleware(object):
 if k not in allowed:
 del result[k]
 if "\0" in request.GET[k]:
- raise SuspiciousOperation("NUL escapes not allowed in query parameters")
+ return HttpResponse(
+ "NUL escapes not allowed in query parameters",
+ content_type='text/plain',
+ status=400
+ )
 result.mutable = False
 request.GET = result
 else:
-- 
2.39.5
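Review bot: The NUL test on the context line `if "\0" in request.GET[k]:` only inspects the last value of a repeated parameter, because indexing a QueryDict returns the final item of the value list. A request that repeats an allowed key can therefore carry a NUL in an earlier value past the new 400 response, and `result` keeps every value for that key. Checking the whole list closes the gap: `if any("\0" in v for v in request.GET.getlist(k)):`. The enclosing method starts and ends outside this hunk, so whether later code ever reads the earlier values cannot be confirmed from here.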