django modifying the request object

Question

I already have a django project and it logical like those:

url: URL?username=name&pwd=passwd

view:

def func(request):
   dic = request.GET

   username = dic.get("username")
   pwd = dic.get("pwd")

but now we need encrypt the data. Then, the request become this:

url: URL?crypt=XXXXXXXXXX (XXXXXXXX is encrypted str for "username=name&pwd=passwd")

so I need modify every view function. But now I want decrypt in django middleware to prevent from modifying every view function.

but when I modify request.GET, I recive error msg "This QueryDict instance is immutable". How can I modify it?

Sending username and password in the url is a very bad idea. — Srinivas Reddy Thatiparthy, Sep 21 '13 at 07:56
Why would you need to send username and password in the url itself? — Sudip Kafle, Sep 21 '13 at 08:02
Possible duplicate of [django - why is the request.POST object immutable?](http://stackoverflow.com/questions/12611345/django-why-is-the-request-post-object-immutable) — Ciro Santilli OurBigBook.com, Jun 07 '16 at 17:26

score 130 · Answer 1 · edited Nov 28 '16 at 12:45

django.http.QueryDict objects that are assigned to request.GET and request.POST are immutable.

You can convert it to a mutable QueryDict instance by copying it:

request.GET = request.GET.copy()

Afterwards you'll be able to modify the QueryDict:

>>> from django.test.client import RequestFactory
>>> request = RequestFactory().get('/')
>>> request.GET
<QueryDict: {}>
>>> request.GET['foo'] = 'bar'
AttributeError: This QueryDict instance is immutable
>>> request.GET = request.GET.copy()
<QueryDict: {}>
>>> request.GET['foo'] = 'bar'
>>> request.GET
<QueryDict: {'foo': 'bar'}>

This has been purposefully designed so that none of the application components are allowed to edit the source request data, so even creating a immutable QueryDict again would break this design. I would still suggest that you follow the guidelines and assign additional request data directly on the request object in your middleware, despite the fact that it might cause you to edit your sources.

In Django 2.0, when I try to do this, I get an AttributeError "can't set attribute" — cvipul, Jun 17 '18 at 04:16

score 68 · Answer 2 · edited Mar 15 '22 at 15:34

68

Remove immutability:

if not request.GET._mutable:
   request.GET._mutable = True

# now you can spoil it
request.GET['pwd'] = 'iloveyou'

Update

The Django sanctioned way is: request.GET.copy().

According to the docs:

The QueryDicts at request.POST and request.GET will be immutable when accessed in a normal request/response cycle. To get a mutable version you need to use QueryDict.copy().

Nothing guarantees future Django versions will use _mutable. This has more chances to change than the copy() method.

edited Mar 15 '22 at 15:34

djvg

11,722
5
72
103

answered Jul 14 '16 at 10:49

laffuste

16,287
8
84
91

6

This is better to avoid the cost associated with copy() on a POST request – Kevin Parker Aug 30 '16 at 16:34
17

...but worse because it modifies an internal attribute. – David Neale Nov 21 '16 at 12:16
8

After setting your value(s) you can just do: `request.GET._mutable = False` to make it unmutable again. – Caumons Mar 15 '17 at 17:00
10

Please don't recommend doing this. – Josh Smeaton Jun 06 '17 at 02:07
1

can anybody tell me "is this approach secure?" – Rai Ammad Khan Aug 17 '18 at 19:38
1

at least add a condition `hasattr(request.GET, '_mutable')`. otherwise use `copy()` – Sławomir Lenart Oct 31 '19 at 18:52

score 9 · Answer 3 · edited Mar 17 '17 at 13:14

9

You shouldn't use GET to send the username and password, it's bad practice (since it shows the information on the URL bar, and might pose a security risk). Instead, use POST. Also, I'm guessing you're trying to authenticate your users, and it seems like you're doing too much work (creating a new middleware) to deal with something that is completely built in, to take the example from the docs:

from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
    else:
        # Return an 'invalid login' error message.

I myself really like using the login_required decorator, very simple to use. Hope that helps

edited Mar 17 '17 at 13:14

Community

1
1

answered Sep 21 '13 at 08:04

yuvi

18,155
8
56
93

thanks for your answer. that's just a example. We not only use GET but also use POST. Even though use post, we must encrypt the data.Because I'm afraid some tools like 'tcpdump' crawl packet.So, encrypt/decrypt is necessary.The question Confusing me is how can I modify view function as less as possible. So I want use middleware – user2801567 Sep 21 '13 at 08:25
Look into the documentation about creating your own middleware. You want to use process_request or process_view, but keep in mind that accessing the request.POST inside those would cause the view not to run (csrf is an exception to that rule, so look into how it works to figure how to write your own) https://docs.djangoproject.com/en/dev/topics/http/middleware/ – yuvi Sep 21 '13 at 08:37
Also, not sure how much that is relevant but take a look at this: https://pypi.python.org/pypi/django-secure – yuvi Sep 21 '13 at 08:40
1

There is no security problem with GET request per se. It's kind of bad practice because they're in the address bar ... but I just want to make sure that everybody is clear that over HTTPS, GET and POST payloads are equally protected in transit. Via HTTP, they are equally unprotected. – Adam Nelson Sep 27 '16 at 19:08
@AdamNelson You're not entirely correct, but I revised my answer to be more accurate nonetheless – yuvi Sep 27 '16 at 19:44
1

@AdamNelson if you pass anything into a GET request then it becomes available in log files, internet history, and the redirect HTTP header. It's not secure at all, even over HTTPS. They are not equally protected in transit. – Jordan Oct 26 '16 at 18:05
1

@Jordan the log file and Internet history parts are legitimate side channel attacks and you're right that they make GET worse than POST for security, but the protection inside the HTTPS envelope is exactly the same whether it's POST or GET – Adam Nelson Oct 28 '16 at 14:48

score 4 · Answer 4 · answered Dec 13 '19 at 11:33

4

request.GET._mutable = True

you need this.

def func(request):
   dic = request.GET
   request.GET._mutable = True #to make it editable 
   username = dic.get("username")
   request.GET.pop("pwd")
   request.GET._mutable = False #make it False once edit done

answered Dec 13 '19 at 11:33

Mohideen bin Mohammed

18,813
10
112
118

score 0 · Answer 5 · edited Dec 15 '21 at 06:52

0

You just have to change the request.data:

def func(request):
   request.data._mutable = True
   dic = request.data
   username = dic['username']
   pwd = dic['pwd']

edited Dec 15 '21 at 06:52

betelgeuse

1,136
3
13
25

answered Dec 15 '21 at 05:38

Heenry Garcia

1
1

django modifying the request object

5 Answers5

Linked

Related