def test_compare(self):
        # ALLOWED_HOSTS with django.http.request.validate_host

        self.assertTrue(
            validate_host("192.168.1.2", self.fnmatch_ips)
        )

        self.assertFalse(
            validate_host("10.0.1.2", self.fnmatch_ips)
        )
Example #2
0
 def test_iterable(self):
     """
     this is what Django does internally in django.http.request
     allowed_cls is synonymous with settings.ALLOWED_HOSTS
     """
     allowed_cls = AllowedSites(defaults=['yay.com'])
     with self.assertNumQueries(1):
         self.assertTrue(validate_host('example.com', allowed_cls))
     with self.assertNumQueries(1):
         self.assertTrue(validate_host('example.org', allowed_cls))
     with self.assertNumQueries(1):
         self.assertFalse(validate_host('djangoproject.com', allowed_cls))
     # ideally this should be 0 queries, because it's a default ...
     with self.assertNumQueries(1):
         self.assertTrue(validate_host('yay.com', allowed_cls))
Example #3
0
def proxy(request):
    PROXY_ALLOWED_HOSTS = (ogc_server_settings.hostname,) + getattr(settings, 'PROXY_ALLOWED_HOSTS', ())

    if 'url' not in request.GET:
        return HttpResponse(
                "The proxy service requires a URL-encoded URL as a parameter.",
                status=400,
                content_type="text/plain"
                )

    raw_url = request.GET['url']
    url = urlsplit(raw_url)
    locator = url.path
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    if not settings.DEBUG:
        if not validate_host(url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse(
                    "DEBUG is set to False but the host of the path provided to the proxy service is not in the"
                    " PROXY_ALLOWED_HOSTS setting.",
                    status=403,
                    content_type="text/plain"
                    )
    headers = {}

    if settings.SESSION_COOKIE_NAME in request.COOKIES and is_safe_url(url=raw_url, host=ogc_server_settings.netloc):
        headers["Cookie"] = request.META["HTTP_COOKIE"]

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    if url.scheme =='https':
        conn = HTTPSConnection(url.hostname, url.port)
    else:
        conn = HTTPConnection(url.hostname, url.port)
    conn.request(request.method, locator, request.raw_post_data, headers)

    result = conn.getresponse()

    # If we get a redirect, let's add a useful message.
    if result.status in (301, 302, 303, 307):
         response = HttpResponse(
            ('This proxy does not support redirects. The server in "%s" '
            'asked for a redirect to "%s"' % (url, result.getheader('Location'))),
            status=result.status,
            content_type=result.getheader("Content-Type", "text/plain")
            )

         response['Location']=result.getheader('Location')
    else:
        response = HttpResponse(
            result.read(),
            status=result.status,
            content_type=result.getheader("Content-Type", "text/plain")
            )

    return response
Example #4
0
 def validate_redirect_url(self, sub=False):
     """
     Returns the next_url path if next_url matches allowed hosts.
     """
     next_url = self.request.GET.get(REDIRECT_FIELD_NAME, None)
     if not next_url:
         return None
     parts = urlparse.urlparse(next_url)
     if parts.netloc:
         domain, _ = split_domain_port(parts.netloc)
         allowed_hosts = (['*'] if django_settings.DEBUG
             else django_settings.ALLOWED_HOSTS)
         if not (domain and validate_host(domain, allowed_hosts)):
             return None
     path = parts.path
     if sub:
         try:
             # We replace all ':slug/' by '%(slug)s/' so that we can further
             # create an instantiated url through Python string expansion.
             path = re.sub(r':(%s)/' % settings.ACCT_REGEX,
                 r'%(\1)s/', path) % self.kwargs
         except KeyError:
             # We don't have all keys necessary. A safe defaults is to remove
             # them. Most likely a redirect URL is present to pick between
             # multiple choices.
             path = re.sub(r'%(\S+)s/', '', path)
     return urlparse.urlunparse((None, '', path,
         parts.params, parts.query, parts.fragment))
Example #5
0
def get_local_referrer(request):
    """Get the referrer URL if it is not external to this application"""

    if "HTTP_REFERER" in request.META:
        # Adopted from here:
        # https://github.com/django/django/blob/7fc317ae736e8fda1aaf4d4ede84d95fffaf5281/django/http/request.py#L124-L130
        allowed_hosts = settings.ALLOWED_HOSTS
        if settings.DEBUG and not allowed_hosts:
            allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]

        referrer = urlsplit(request.META["HTTP_REFERER"])

        if validate_host(referrer.hostname, allowed_hosts):
            # If the referrer header points to "ourselves", return a "safe copy"
            # removing everything but the path+query+fragment part
            return SplitResult(
                scheme="",
                netloc="",
                path=referrer.path,
                query=referrer.query,
                fragment=referrer.fragment,
            ).geturl()
        else:
            return None
    else:
        return None
Example #6
0
    def __call__(self, request):
        host = request._get_raw_host()
        domain, port = split_domain_port(host)

        # Set request.site
        request.site = self.default_site
        for name, config in settings.XMPP_HOSTS.items():
            if validate_host(domain, config.get('ALLOWED_HOSTS', [])):
                request.site = config

        # Attach any messages from the database to the messages system
        # These messages usually come from asynchronous tasks (-> Celery)
        if request.user.is_anonymous is False:
            with transaction.atomic():
                stored_msgs = CachedMessage.objects.filter(user=request.user)
                if stored_msgs:
                    for msg in stored_msgs:
                        messages.add_message(request, msg.level,
                                             _(msg.message) % msg.payload)

                    stored_msgs.delete()

        # Attach OS information to request
        request.os = self.get_os(request)
        request.os_mobile = request.os in ['android', 'ios', 'any']

        response = self.get_response(request)
        return response
Example #7
0
 def validate_redirect_url(self, sub=False):
     """
     Returns the next_url path if next_url matches allowed hosts.
     """
     next_url = self.request.GET.get(REDIRECT_FIELD_NAME, None)
     if not next_url:
         return None
     parts = urlparse.urlparse(next_url)
     if parts.netloc:
         domain, _ = split_domain_port(parts.netloc)
         allowed_hosts = (['*'] if django_settings.DEBUG else
                          django_settings.ALLOWED_HOSTS)
         if not (domain and validate_host(domain, allowed_hosts)):
             return None
     path = parts.path
     if sub:
         try:
             # We replace all ':slug/' by '%(slug)s/' so that we can further
             # create an instantiated url through Python string expansion.
             path = re.sub(r':(%s)/' % settings.ACCT_REGEX, r'%(\1)s/',
                           path) % self.kwargs
         except KeyError:
             # We don't have all keys necessary. A safe defaults is to remove
             # them. Most likely a redirect URL is present to pick between
             # multiple choices.
             path = re.sub(r'%(\S+)s/', '', path)
     return urlparse.urlunparse(
         (None, '', path, parts.params, parts.query, parts.fragment))
Example #8
0
def validate_redirect_url(next_url, sub=False, **kwargs):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    # This method is copy/pasted from signup.auth so we donot need
    # to add djaodjin-signup as a prerequisites. It is possible
    # the functionality has already moved into Django proper.
    if not next_url:
        return None
    parts = six.moves.urllib.parse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ['*'] if django_settings.DEBUG \
            else django_settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    path = parts.path
    if sub:
        from . import settings
        try:
            # We replace all ':slug/' by '%(slug)s/' so that we can further
            # create an instantiated url through Python string expansion.
            path = re.sub(r':(%s)/' % settings.ACCT_REGEX, r'%(\1)s/',
                          path) % kwargs
        except KeyError:
            # We don't have all keys necessary. A safe defaults is to remove
            # them. Most likely a redirect URL is present to pick between
            # multiple choices.
            path = re.sub(r':(%s)/' % settings.ACCT_REGEX, '', path)
    return six.moves.urllib.parse.urlunparse(
        ("", "", path, parts.params, parts.query, parts.fragment))
Example #9
0
    def filter_for_authorizations(
            self, scope: Scope,
            authorizations: models.QuerySet) -> models.QuerySet:

        # todo implement error if no loose-fk field

        authorizations_local = []
        authorizarions_external = []

        for auth in authorizations:
            loose_fk_host = urlparse(getattr(auth,
                                             self.loose_fk_field)).hostname
            allowed_hosts = settings.ALLOWED_HOSTS
            if validate_host(loose_fk_host, allowed_hosts):
                authorizations_local.append(auth)
            else:
                authorizarions_external.append(auth)

        ids_local = self.ids_by_auth(scope, authorizations_local, local=True)
        ids_external = self.ids_by_auth(scope,
                                        authorizarions_external,
                                        local=False)
        queryset = self.filter(pk__in=ids_local.union(ids_external))

        return queryset
Example #10
0
    def process_request(self, request):
        host = request.get_host().lower()
        hostname, port = split_domain_port(host)

        if not hostname:
            raise DisallowedHost('Invalid hostname in HTTP request')

        require_exact_match = getattr(
            settings, 'SITEDATA_MIDDLEWARE_REQUIRE_EXACT_HOSTNAME', False)

        if validate_host(hostname, settings.ALLOWED_HOSTS):
            request.sitedata = SiteData(
                hostname=hostname, require_exact_match=require_exact_match)
            LOCAL.sitedata_ref = weakref.ref(
                request.sitedata)  # allow sitedata to be accessed from LOCAL

        # overrides request.urlconf if specified
        if hasattr(request.sitedata, 'urlconf'
                   ) and request.sitedata.urlconf is not settings.ROOT_URLCONF:
            request.urlconf = request.sitedata.urlconf

        # Monkey patches request._get_scheme() to return 'https' instead of 'http'
        if hasattr(request.sitedata, 'scheme') and request.sitedata.exact_match_found \
                and request.sitedata.scheme is 'https':
            request._get_scheme = _get_scheme_https
Example #11
0
def proxy(request):
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())
    hostname = (ogc_server_settings.hostname,) if ogc_server_settings else ()
    PROXY_ALLOWED_HOSTS += hostname

    if 'url' not in request.GET:
        return HttpResponse("The proxy service requires a URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = request.GET['url']
    url = urlsplit(raw_url)

    locator = url.path
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    if not settings.DEBUG:
        if not validate_host(url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse("DEBUG is set to False but the host of the path provided "
                                "to the proxy service is not in the "
                                "PROXY_ALLOWED_HOSTS setting.",
                                status=403,
                                content_type="text/plain"
                                )
    headers = {}

    if settings.SESSION_COOKIE_NAME in request.COOKIES and is_safe_url(url=raw_url, host=ogc_server_settings.netloc):
        headers["Cookie"] = request.META["HTTP_COOKIE"]

    if request.META.get('HTTP_AUTHORIZATION'):
        headers['AUTHORIZATION'] = request.META.get('HTTP_AUTHORIZATION')

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    if request.META.get('HTTP_ACCEPT'):
        headers['ACCEPT'] = request.META['HTTP_ACCEPT']

    if url.scheme == 'https':
        conn = HTTPSConnection(url.hostname, url.port)
    else:
        conn = HTTPConnection(url.hostname, url.port)

    conn.request(request.method, locator, request.body, headers)
    result = conn.getresponse()

    response = HttpResponse(result.read(),
                            status=result.status,
                            content_type=result.getheader("Content-Type", "text/plain"),
                            )

    if result.getheader('www-authenticate'):
        response['www-authenticate'] = "GeoNode"

    return response
Example #12
0
def proxy(request):
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())
    hostname = (ogc_server_settings.hostname,) if ogc_server_settings else ()
    PROXY_ALLOWED_HOSTS += hostname

    if 'url' not in request.GET:
        return HttpResponse("The proxy service requires a URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = request.GET['url']
    url = urlsplit(raw_url)

    locator = url.path
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    if not settings.DEBUG:
        if not validate_host(url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse("DEBUG is set to False but the host of the path provided "
                                "to the proxy service is not in the "
                                "PROXY_ALLOWED_HOSTS setting.",
                                status=403,
                                content_type="text/plain"
                                )
    headers = {}

    if settings.SESSION_COOKIE_NAME in request.COOKIES and is_safe_url(url=raw_url, host=ogc_server_settings.netloc):
        headers["Cookie"] = request.META["HTTP_COOKIE"]

    if request.META.get('HTTP_AUTHORIZATION'):
        headers['AUTHORIZATION'] = request.META.get('HTTP_AUTHORIZATION')

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    if request.META.get('HTTP_ACCEPT'):
        headers['ACCEPT'] = request.META['HTTP_ACCEPT']

    if url.scheme == 'https':
        conn = HTTPSConnection(url.hostname, url.port)
    else:
        conn = HTTPConnection(url.hostname, url.port)

    conn.request(request.method, locator, request.body, headers)
    result = conn.getresponse()

    response = HttpResponse(result.read(),
                            status=result.status,
                            content_type=result.getheader("Content-Type", "text/plain"),
                            )

    if result.getheader('www-authenticate'):
        response['www-authenticate'] = "GeoNode"

    return response
Example #13
0
def clean_spider_inline(url):
    allowed_hosts = settings.ALLOWED_HOSTS
    if settings.DEBUG and not allowed_hosts:
        allowed_hosts = _default_allowed_hosts
    if validate_host(url, allowed_hosts):
        inline_domain = urlsplit(url)
        return inline_domain.netloc or inline_domain.path.split("/", 1)[0]
    return None
Example #14
0
def inline_path(urlsplitted):
    allowed_hosts = settings.ALLOWED_HOSTS
    if settings.DEBUG and not allowed_hosts:
        allowed_hosts = _default_allowed_hosts
    if validate_host(urlsplitted.netloc, allowed_hosts):
        # first path parameter is host
        return urlsplitted.netloc or urlsplitted.path.split("/", 1)[0]
    return None
Example #15
0
    def validate_origin(self, message, origin):
        allowed_hosts = settings.ALLOWED_HOSTS
        if settings.DEBUG and not allowed_hosts:
            allowed_hosts = ['localhost', '127.0.0.1', '[::1]']

        origin_hostname = urlparse(origin).hostname
        valid = (origin_hostname
                 and validate_host(origin_hostname, allowed_hosts))
        return valid
Example #16
0
    def validate_origin(self, message, origin):
        allowed_hosts = settings.ALLOWED_HOSTS
        if settings.DEBUG and not allowed_hosts:
            allowed_hosts = ['localhost', '127.0.0.1', '[::1]']

        origin_hostname = urlparse(origin).hostname
        valid = (origin_hostname and
                 validate_host(origin_hostname, allowed_hosts))
        return valid
Example #17
0
    def process_request(self, request):
        host = request._get_raw_host()
        domain, port = split_domain_port(host)

        for name, config in settings.XMPP_HOSTS.items():
            if validate_host(domain, config.get('ALLOWED_HOSTS', [])):
                request.site = config
                return

        request.site = settings.XMPP_HOSTS[settings.DEFAULT_XMPP_HOST]
Example #18
0
def apps_proxy(request):
    PROXY_ALLOWED_HOSTS = (ogc_server_settings.hostname, ) + getattr(
        settings, 'PROXY_ALLOWED_HOSTS', ())

    token = None
    if 'token' in request.GET:
        token = request.GET['token']
    if token is None:
        print "The proxy service requires a token."
        return HttpResponse("The proxy service requires a token.",
                            status=400,
                            content_type="text/plain")
    if not _check_token(token):
        print "The provided token is invalid."
        return HttpResponse("The provided token is invalid.",
                            status=400,
                            content_type="text/plain")

    if 'url' in request.GET:
        raw_url = request.GET['url']
    else:
        # querystring = urllib2.unquote(request.META['QUERY_STRING'])
        querystring = request.META['QUERY_STRING']
        raw_url = '%sows?%s' % (settings.OGC_SERVER['default']['LOCATION'],
                                querystring)

    url = urlsplit(raw_url)
    if url is None:
        return HttpResponse(
            "The proxy service requires a URL-encoded URL as a parameter.",
            status=400,
            content_type="text/plain")

    if not settings.DEBUG:
        print url.hostname
        if not validate_host(url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse(
                "DEBUG is set to False but the host of the path provided to the proxy service (%s) is not in the"
                " PROXY_ALLOWED_HOSTS setting." % url.hostname,
                status=403,
                content_type="text/plain")

    print 'proxying to %s' % raw_url
    proxy_request = urllib2.Request(raw_url)
    base64string = base64.encodestring(
        '%s:%s' % (settings.EXT_APP_USER, settings.EXT_APP_USER_PWD)).replace(
            '\n', '')
    proxy_request.add_header("Authorization", "Basic %s" % base64string)
    result = urllib2.urlopen(proxy_request)

    response = HttpResponse(result,
                            status=result.code,
                            content_type=result.headers["Content-Type"])

    return response
Example #19
0
def valid_send_request(request):
    if not settings.DEPLOY_ENV:
        return True
    user_agent = (request.META.get('HTTP_USER_AGENT') or '').lower()
    http_referer = (request.META.get('HTTP_REFERER') or '').lower()
    if not user_agent or user_agent.lower().find('windows') > 0:
        return False
    domain = http_referer and urlparse(http_referer).hostname
    if domain and not validate_host(domain, settings.ALLOWED_HOSTS):
        return False
    return True
Example #20
0
def validate_redirect_url(next_url):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    if not next_url:
        return None
    parts = urlparse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ["*"] if settings.DEBUG else settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    return urlparse.urlunparse((parts.scheme, "", parts.path, parts.params, parts.query, parts.fragment))
Example #21
0
def is_trusted_origin(origin):
    if not settings.ALLOW_WEBUSER_LOGIN:
        return False
    if origin is None:
        return True
    allowed_hosts = django_settings.ALLOWED_HOSTS
    if django_settings.DEBUG and not allowed_hosts:
        allowed_hosts = ["localhost", "127.0.0.1", "[::1]"]
    try:
        origin_host = urlparse(origin.decode()).hostname
        return validate_host(origin_host, allowed_hosts)
    except UnicodeDecodeError:
        return False
Example #22
0
def validate_redirect_url(next_url):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    if not next_url:
        return None
    parts = urlparse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    return parts.path
Example #23
0
    def process_request(self, request):
        host = request.get_host()
        if validate_host(host, ORIG_ALLOWED_HOSTS):
            return None

        for net in self.allowed_cidr_nets:
            try:
                if host in net:
                    return None
            except AddrFormatError:
                # not an IP
                break

        raise DisallowedHost("Invalid HTTP_HOST header: %r." % host)
Example #24
0
def validate_redirect_url(next_url):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    if not next_url:
        return None
    parts = six.moves.urllib.parse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    return six.moves.urllib.parse.urlunparse(
        ("", "", parts.path, parts.params, parts.query, parts.fragment))
Example #25
0
 def valid_origin(self, origin):
     # None is not allowed
     if origin is None:
         return False
     # Get only hostname all allowed origins
     # Only if not full: https://domain.example.com:8443 -> domain.example.com
     #   or //domain.example.com - > domain.example.com
     #   or .example.com -> .example.com
     self.allowed_origins = [
         urlparse(pattern).hostname or urlparse("//" + pattern).hostname
         or pattern for pattern in self.allowed_origins
     ]
     # Check against our list
     return validate_host(origin, self.allowed_origins)
Example #26
0
    def configure_sites(self):
        """
        Setup sites settings in the db. (Sites is conceptually flawed, but needed for allauth.)
        """

        try:
            from django.contrib.sites.models import Site
            if validate_host(settings.SITE_CONFIG['domain'], settings.ALLOWED_HOSTS):
                Site.objects.update_or_create(pk=settings.SITE_ID, defaults=settings.SITE_CONFIG)
            else:
                raise ImproperlyConfigured('Specified domain "%s" is not in ALLOWED_HOSTS' % settings.SITE_CONFIG['domain'])
        except ProgrammingError:
            # We haven't run the migrations yet
            pass
Example #27
0
    def get_next_redirect_url(self, request: HttpRequest) -> Optional[str]:
        user = getattr(request, 'user', None)
        if user.is_authenticated:
            self.logout(request)

        next_url = get_social_next_from_referer_url(request)
        next_url = build_absolute_uri(request, next_url)
        r = urlparse(next_url)
        host = r.netloc
        domain, port = split_domain_port(host)
        allowed_hosts = settings.ALLOWED_HOSTS
        if domain and validate_host(domain, allowed_hosts):
            return next_url
        raise DisallowedRedirect("Attempted access from '%s' denied." %
                                 next_url)
Example #28
0
    def process_request(self, request):
        domain, port = split_domain_port(request.get_host())

        self._changes = {}

        for site in settings.SITES:
            site = site.copy()
            try:
                if validate_host(domain, site['HOSTS']):
                    site_settings = '.'.join(
                        [self.top_module, site['NAME'], 'settings'])
                    self._enter(import_module(site_settings))
                    break
            except ImportError:
                pass
Example #29
0
def validate_storefront_url(url):
    """Validate the storefront URL.

    Raise ValidationError if URL isn't in RFC 1808 format
    or it isn't allowed by ALLOWED_STOREFRONT_HOSTS in settings.
    """
    try:
        parsed_url = urlparse(url)
    except ValueError as error:
        raise ValidationError({"redirectUrl": str(error)})
    if not validate_host(parsed_url.netloc, settings.ALLOWED_STOREFRONT_HOSTS):
        raise ValidationError({
            "redirectUrl":
            "%s this is not valid storefront address." % parsed_url.netloc
        })
Example #30
0
def validate_storefront_url(url):
    """Validate the storefront URL.

    Raise ValidationError if URL isn't in RFC 1808 format
    or it isn't allowed by ALLOWED_CLIENT_HOSTS in settings.
    """
    try:
        parsed_url = urlparse(url)
        domain, _ = split_domain_port(parsed_url.netloc)
    except ValueError as error:
        raise ValidationError({"redirectUrl": str(error)})
    if not validate_host(domain, settings.ALLOWED_CLIENT_HOSTS):
        error_message = (f"{domain or url} is not allowed. Please check "
                         "`ALLOWED_CLIENT_HOSTS` configuration.")
        raise ValidationError({"redirectUrl": error_message})
Example #31
0
def validate_redirect_url(next_url):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    # This method is copy/pasted from signup.auth so we donot need
    # to add djaodjin-signup as a prerequisites. It is possible
    # the functionality has already moved into Django proper.
    if not next_url:
        return None
    parts = urlparse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    return parts.path
Example #32
0
def validate_redirect_url(next_url):
    """
    Returns the next_url path if next_url matches allowed hosts.
    """
    # This method is copy/pasted from signup.auth so we donot need
    # to add djaodjin-signup as a prerequisites. It is possible
    # the functionality has already moved into Django proper.
    if not next_url:
        return None
    parts = urlparse.urlparse(next_url)
    if parts.netloc:
        domain, _ = split_domain_port(parts.netloc)
        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
        if not (domain and validate_host(domain, allowed_hosts)):
            return None
    return parts.path
Example #33
0
 def get_context_data(self, **kwargs):
     ctx = super(PaymentDetailsView, self).get_context_data(**kwargs)
     extra = Source.get_provider(
         self.checkout_session.payment_method()).extra
     ctx["payment_method"] = extra.get("verbose_name", extra["name"])
     host = ctx.get("source", None)
     if host:
         host = host.temp_form
     if host:
         host = host.action
     ctx["is_local_url"] = (host == "")
     if host is not None and not ctx["is_local_url"]:  #try harder
         domain = split_domain_port(host)[0]
         if domain and validate_host(domain, self._allowed_hosts):
             ctx["is_local_url"] = True
     return ctx
Example #34
0
    def to_internal_value(self, data):
        result = super(CaptchaField, self).to_internal_value(data)

        try:
            captcha = client.submit(recaptcha_response=result,
                                    private_key=settings.RECAPTCHA_PRIVATE_KEY,
                                    remoteip=get_client_ip(
                                        self.context['request']))
        except HTTPError:  # Catch timeouts, etc
            raise serializers.ValidationError(
                self.error_messages["captcha_error"], code="captcha_error")

        if not captcha.is_valid or not validate_host(
                captcha.extra_data['hostname'], settings.ALLOWED_HOSTS):
            raise serializers.ValidationError('Captcha value is not valid')

        return result
Example #35
0
def _is_allowed(url, require_https=False, *args, **kwargs):
    """Variation of the `django.http.url_has_allowed_host_and_scheme`
    function, checking the given URL host against the `ALLOWED_HOSTS`
    setting (including wildcards.)

    Note: `args` and `kwargs` are there to mock unused arguments from
    original function calls."""
    url = _urlparse(url)

    allowed_schemes = {'https'} if require_https else {'http', 'https'}
    allowed_hosts = settings.ALLOWED_HOSTS
    # Fallback to localhost-like patterns when debugging with an empty
    # ALLOWED_HOSTS settings
    if settings.DEBUG and not allowed_hosts:
        allowed_hosts = {'.localhost', '127.0.0.1', '[::1]'}

    return (validate_host(url.netloc, allowed_hosts)
            and (url.scheme in allowed_schemes))
Example #36
0
    def process_request(self, request):
        domain, _ = split_domain_port(request.get_host())

        for site in settings.SITES:
            site = site.copy()
            try:
                if validate_host(domain, site["HOSTS"]):
                    urlconf = ".".join([self.top_module, site["NAME"], "urls"])
                    import_module(urlconf)
                    break
            except ImportError:
                pass
            except Exception:  # pylint: disable=broad-except
                pass
        else:
            urlconf = settings.ROOT_URLCONF

        request.urlconf = urlconf
Example #37
0
    def clean_token(self):
        token = self.cleaned_data['token']

        try:
            self.con = con = Concept.active_objects.get(code=token)
        except Concept.DoesNotExist:
            raise forms.ValidationError('invalid token')

        valid_domains = con.user.valid_domains()

        host, port = split_domain_port(self.host)

        valid = request.validate_host(host, valid_domains)

        if not valid:
            raise forms.ValidationError('invalid domain')

        return token
Example #38
0
def validate_safesens_url(url):
    """Validate the safesens URL.

    Raise ValidationError if URL isn't in RFC 1808 format
    or it isn't allowed by ALLOWED_CLIENT_HOSTS in settings.
    """
    try:
        parsed_url = urlparse(url)
        domain, _ = split_domain_port(parsed_url.netloc)
        if not parsed_url.netloc:
            raise ValidationError(
                "Invalid URL. Please check if URL is in RFC 1808 format.")
    except ValueError as error:
        raise ValidationError(error)
    if not validate_host(domain, settings.ALLOWED_CLIENT_HOSTS):
        error_message = (f"{domain or url} is not allowed. Please check "
                         "`ALLOWED_CLIENT_HOSTS` configuration.")
        raise ValidationError(error_message)
Example #39
0
    def process_request(self, request):
        domain, port = split_domain_port(request.get_host())

        for site in settings.SITES:
            site = site.copy()
            try:
                if validate_host(domain, site['HOSTS']):
                    urlconf = '.'.join([self.top_module, site['NAME'], 'urls'])
                    import_module(urlconf)
                    break
            except ImportError:
                pass
            except Exception:
                pass
        else:
            urlconf = settings.ROOT_URLCONF

        request.urlconf = urlconf
Example #40
0
    def __call__(self, request):
        host = request._get_raw_host()
        domain, port = split_domain_port(host)

        # Set request.site
        request.site = self.default_site
        for name, config in settings.XMPP_HOSTS.items():
            if validate_host(domain, config.get('ALLOWED_HOSTS', [])):
                request.site = config

        # Attach any messages from the database to the messages system
        # These messages usually come from asynchronous tasks (-> Celery)
        if request.user.is_anonymous is False:
            with transaction.atomic():
                stored_msgs = CachedMessage.objects.filter(user=request.user)
                for msg in stored_msgs:
                    messages.add_message(request, msg.level, _(msg.message) % json.loads(msg.payload))

                stored_msgs.delete()

        # Attach OS information to request
        request.os = self.get_os(request)
        request.os_mobile = request.os in ['android', 'ios', 'any']

        # Get data that is used with every request and requires database access and cache it
        cache_key = 'request_context'
        cached = cache.get(cache_key)
        if cached is None:
            cached = {
                'menuitems': MenuItem.objects.all(),
            }
            for item in cached['menuitems']:
                item.cached_data  # touch cached_data to make sure that all properties serialized

            cache.set(cache_key, cached)
        request.hp_request_context = cached

        response = self.get_response(request)
        return response
Example #41
0
    def validate(request):
        domain, port = split_domain_port(request.META['HTTP_HOST'])
        if not validate_host(domain, settings.CC_ALLOWED_HOSTS):
            return HttpResponseForbidden('forbiden')

        return func(request)
Example #42
0
def proxy(request):
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())

    host = None

    if ogc_server_settings is not None:
        if ogc_server_settings:
            hostname = (ogc_server_settings.hostname,)
        else:
            hostname = ()
        PROXY_ALLOWED_HOSTS += hostname
        host = ogc_server_settings.netloc

    if 'url' not in request.GET:
        return HttpResponse("The proxy service requires a "
                            "URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = request.GET['url']
    url = urlsplit(raw_url)
    headers = {}

    # Fix up any possible non-absolute URLs that have no scheme, or even domain
    if ((callable(protocol_relative_url) and
         protocol_relative_url(raw_url)) or not url.scheme):
        if url.netloc and callable(protocol_relative_to_scheme):
            # Fix up any '//' protocol relative URLs coming from JS map viewers
            # Use request.scheme to reference origin scheme context
            # Note: Can't use request.build_absolute_uri(raw_url) for this
            raw_url = protocol_relative_to_scheme(url.geturl(),
                                                  scheme=request.scheme)
            # logger.debug("protocol_relative_to_scheme = ".format(raw_url))
        else:
            raw_url = request.build_absolute_uri(raw_url)
            # logger.debug("build_absolute_uri = ".format(raw_url))
        url = urlsplit(raw_url)

    if not settings.DEBUG:
        if not (validate_host(url.hostname, PROXY_ALLOWED_HOSTS) or
                (callable(has_ssl_config) and has_ssl_config(url.geturl()))):
            return HttpResponse(
                "DEBUG is set to False but the host of the path provided to "
                "the proxy service is not in the PROXY_ALLOWED_HOSTS setting "
                "or defined to use the proxy in SSL/PKI configurations.",
                status=403,
                content_type="text/plain"
            )

    if url.scheme.lower() == 'https' \
            and callable(has_ssl_config) and has_ssl_config(url.geturl()):
        # Adjust request to mock call to pki_request view
        # Merge queries
        pki_req_query = request.GET.copy()
        """django.http.QueryDict"""
        # Strip the url param from request query
        del pki_req_query['url']
        # Note: leave other query pairs passed to this view, e.g. access_token

        # Add any query from passed url param's URL
        url_query = url.query.strip()
        for k, v in parse_qsl(url_query, keep_blank_values=True):
            pki_req_query.appendlist(k, v)
        request.GET = pki_req_query
        request.META["QUERY_STRING"] = pki_req_query.urlencode()

        # pki_request view is restricted to local calls
        request.META["REMOTE_ADDR"] = '127.0.0.1'
        request.META["REMOTE_HOST"] = 'localhost'
        # TODO: Update HTTP_X_FORWARDED_FOR? See: api.views.get_client_ip()

        base_url = urlunsplit((None, url.netloc, url.path, None, None))\
            .replace('//', '', 1)
        # For pki_request view, resource_url has no URL scheme
        resource_url = quote(base_url)

        pki_path = reverse('pki_request',
                           kwargs={'resource_url': resource_url})
        # Reset view paths attributes
        request.path = request.path_info = pki_path
        request.META["PATH_INFO"] = pki_path
        request.resolver_match = resolve(pki_path)

        logger.debug("pki_req QueryDict: {0}".format(pki_req_query))
        # logger.debug("pki_req META: {0}".format(request.META))
        logger.debug("pki_req META['QUERY_STRING']: {0}"
                     .format(request.META["QUERY_STRING"]))
        logger.debug("Routing through pki proxy: {0}".format(resource_url))
        return pki_request(request, resource_url=resource_url)

    if settings.SESSION_COOKIE_NAME in request.COOKIES and \
            is_safe_url(url=raw_url, host=host):
        headers["Cookie"] = request.META["HTTP_COOKIE"]

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    http_client = requests.session()
    http_client.verify = True
    req_method = getattr(http_client, request.method.lower())
    resp = req_method(raw_url, headers=headers, data=request.body)

    if 'Content-Type' in resp.headers:
        content_type = resp.headers['Content-Type']
    else:
        content_type = 'text/plain'

    # If we get a redirect, let's add a useful message.
    if resp.status_code in (301, 302, 303, 307):
        response = HttpResponse(
            ('This proxy does not support redirects. The server in "%s" '
             'asked for a redirect to "%s"' %
             (raw_url, resp.headers['Location'])),
            status=resp.status_code,
            content_type=content_type
        )

        response['Location'] = resp.headers['Location']
    else:
        response = HttpResponse(
            resp.content,
            status=resp.status_code,
            content_type=content_type
        )

    return response
Example #43
0
def proxy(request):
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())

    host = None

    #if 'geonode.geoserver' in settings.INSTALLED_APPS:
    #    from geonode.geoserver.helpers import ogc_server_settings
    #    hostname = (ogc_server_settings.hostname,) if ogc_server_settings else ()
    #    PROXY_ALLOWED_HOSTS += hostname
    #    host = ogc_server_settings.netloc

    if 'url' not in request.GET:
        return HttpResponse("The proxy service requires a URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = request.GET['url']
    url = urlsplit(raw_url)
    locator = url.path
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    if not settings.DEBUG:
        if not validate_host(url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse("DEBUG is set to False but the host of the path provided to the proxy service"
                                " is not in the PROXY_ALLOWED_HOSTS setting.",
                                status=403,
                                content_type="text/plain"
                                )
    headers = {}

    if settings.SESSION_COOKIE_NAME in request.COOKIES and is_safe_url(url=raw_url, host=host):
        headers["Cookie"] = request.META["HTTP_COOKIE"]

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    print "Raw URL: "+ raw_url
    match_regex = None
    match_tilesource = None

    # Try to match against existing tile sources
    #tilesources = TileSource.objects.exclude(pattern__isnull=True).exclude(pattern__exact='')
    tilesources = getTileSources(proxy=True)
    for tilesource in tilesources:
        match = tilesource.match(raw_url)
        #print tilesource.pattern
        if match:
            match_regex = match
            match_tilesource = tilesource
            break

    if match_tilesource and match_regex:
        return proxy_tilesource(request, match_tilesource, match_regex)
    #else:
    #    return HttpResponse('No matching tilesource found.',RequestContext(request, {}), status=404)

    # Try to match against existing origins that can automatically create tile sources (auto=true)
    match_tileorigin = None
    #tileorigins = TileOrigin.objects.exclude(pattern__isnull=True).exclude(pattern__exact='').filter(auto=True)
    tileorigins = getTileOrigins(proxy=True)
    for tileorigin in tileorigins:
        match = tileorigin.match(raw_url)
        if match:
            #print "Matched against TileOrigin", tileorigin
            match_regex = match
            match_tileorigin = tileorigin
            break

    if match_tileorigin and match_regex:
        to = match_tileorigin
        if to.multiple:
            slug = getRegexValue(match_regex, 'slug')
            ts_url = to.url.replace('{slug}', slug)
            #print "ts_url: "+ts_url
            if TileSource.objects.filter(url=ts_url).count() > 0:
                print "Error: This souldn't happen.  You should have matched the tilesource earlier so you don't duplicate"
                return None
            exts = string_to_list(to.extensions)
            ts_pattern = url_to_pattern(ts_url, extensions=exts)
            ts = TileSource(auto=True,url=ts_url,pattern=ts_pattern,name=slug,type=to.type,extensions=exts,origin=to)
            ts.save()
            reloadTileSources(proxy=False)
            reloadTileSources(proxy=True)
            return proxy_tilesource(request, ts, match_regex)
        else:
            ts = TileSource(auto=True,url=to.url,pattern=to.pattern,name=to.name,type=to.type,extensions=to.extensions)
            ts.save()
            reloadTileSources(proxy=False)
            reloadTileSources(proxy=True)
            return proxy_tilesource(request, ts, match_regex)
    else:
        return HttpResponse('No matching tile origin or tile source found.',RequestContext(request, {}), status=404)
Example #44
0
    def test_compare(self):
        # ALLOWED_HOSTS with django.http.request.validate_host

        self.assertTrue(validate_host("192.168.1.2", self.fnmatch_ips))

        self.assertFalse(validate_host("10.0.1.2", self.fnmatch_ips))
Example #45
0
def proxy(request, url=None, response_callback=None,
          sec_chk_hosts=True, sec_chk_rules=True, timeout=None, **kwargs):
    # Request default timeout
    if not timeout:
        timeout = TIMEOUT

    # Security rules and settings
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())

    # Sanity url checks
    if 'url' not in request.GET and not url:
        return HttpResponse("The proxy service requires a URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = url or request.GET['url']
    raw_url = urljoin(
        settings.SITEURL,
        raw_url) if raw_url.startswith("/") else raw_url
    url = urlsplit(raw_url)
    locator = str(url.path)
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    # White-Black Listing Hosts
    if sec_chk_hosts and not settings.DEBUG:
        site_url = urlsplit(settings.SITEURL)
        if site_url.hostname not in PROXY_ALLOWED_HOSTS:
            PROXY_ALLOWED_HOSTS += (site_url.hostname, )

        if check_ogc_backend(geoserver.BACKEND_PACKAGE):
            from geonode.geoserver.helpers import ogc_server_settings
            hostname = (
                ogc_server_settings.hostname,
            ) if ogc_server_settings else ()
            if hostname not in PROXY_ALLOWED_HOSTS:
                PROXY_ALLOWED_HOSTS += hostname

        if url.query and ows_regexp.match(url.query):
            ows_tokens = ows_regexp.match(url.query).groups()
            if len(ows_tokens) == 4 and 'version' == ows_tokens[0] and StrictVersion(
                    ows_tokens[1]) >= StrictVersion("1.0.0") and StrictVersion(
                        ows_tokens[1]) <= StrictVersion("3.0.0") and ows_tokens[2].lower() in (
                            'getcapabilities') and ows_tokens[3].upper() in ('OWS', 'WCS', 'WFS', 'WMS', 'WPS', 'CSW'):
                if url.hostname not in PROXY_ALLOWED_HOSTS:
                    PROXY_ALLOWED_HOSTS += (url.hostname, )

        if not validate_host(
                url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse("DEBUG is set to False but the host of the path provided to the proxy service"
                                " is not in the PROXY_ALLOWED_HOSTS setting.",
                                status=403,
                                content_type="text/plain"
                                )

    # Security checks based on rules; allow only specific requests
    if sec_chk_rules:
        # TODO: Not yet implemented
        pass

    # Collecting headers and cookies
    headers, access_token = get_headers(request, url, raw_url)

    # Inject access_token if necessary
    parsed = urlparse(raw_url)
    parsed._replace(path=locator.encode('utf8'))

    _url = parsed.geturl()

    if request.method == "GET" and access_token and 'access_token' not in _url:
        query_separator = '&' if '?' in _url else '?'
        _url = ('%s%saccess_token=%s' %
                (_url, query_separator, access_token))

    response, content = http_client.request(_url,
                                            method=request.method,
                                            data=request.body,
                                            headers=headers,
                                            timeout=timeout,
                                            user=request.user)
    content = response.content or response.reason
    status = response.status_code
    content_type = response.headers.get('Content-Type')

    # decompress GZipped responses if not enabled
    # if content and response and response.getheader('Content-Encoding') == 'gzip':
    if content and content_type and content_type == 'gzip':
        from StringIO import StringIO
        import gzip
        buf = StringIO(content)
        f = gzip.GzipFile(fileobj=buf)
        content = f.read()

    if response and response_callback:
        kwargs = {} if not kwargs else kwargs
        kwargs.update({
            'response': response,
            'content': content,
            'status': status,
            'content_type': content_type
        })
        return response_callback(**kwargs)
    else:
        # If we get a redirect, let's add a useful message.
        if status and status in (301, 302, 303, 307):
            _response = HttpResponse(('This proxy does not support redirects. The server in "%s" '
                                      'asked for a redirect to "%s"' % (url, response.getheader('Location'))),
                                     status=status,
                                     content_type=content_type
                                     )
            _response['Location'] = response.getheader('Location')
            return _response
        else:
            def _get_message(text):
                _s = text.decode("utf-8", "replace")
                try:
                    found = re.search('<b>Message</b>(.+?)</p>', _s).group(1).strip()
                except BaseException:
                    found = _s
                return found

            return HttpResponse(
                content=content,
                reason=_get_message(content) if status not in (200, 201) else None,
                status=status,
                content_type=content_type)
Example #46
0
 def valid_origin(self, origin):
     # None is not allowed
     if origin is None:
         return False
     # Check against our list
     return validate_host(origin, self.allowed_origins)
Example #47
0
def assert_redirects(response, expected_url, status_code=302,
                     target_status_code=200, fetch_redirect_response=True):
    '''
    Assert that a response redirected to a specific URL and that the
    redirect URL can be loaded.

    Won't work for external links since it uses the test client to do a
    request (use fetch_redirect_response=False to check such links without
    fetching them).
    '''
    __tracebackhide__ = True
    if hasattr(response, 'redirect_chain'):
        # The request was a followed redirect
        assert len(response.redirect_chain) > 0, _error(
            'Response didn\'t redirect as expected: '
            'Response code was {0} (expected {1})',
            response.status_code, status_code
        )

        assert response.redirect_chain[0][1] == status_code, _error(
            'Initial response didn\'t redirect as expected: '
            'Response code was {0} (expected {1})',
            response.redirect_chain[0][1], status_code
        )

        url, status_code = response.redirect_chain[-1]
        scheme, netloc, path, query, fragment = urlsplit(url)

        assert response.status_code == target_status_code, _error(
            'Response didn\'t redirect as expected: '
            'Final Response code was {0} (expected {1})',
            response.status_code, target_status_code
        )

    else:
        # Not a followed redirect
        assert response.status_code == status_code, _error(
            'Response didn\'t redirect as expected: '
            'Response code was {0} (expected {1})',
            response.status_code, status_code
        )

        url = response.url
        scheme, netloc, path, query, fragment = urlsplit(url)

        # Prepend the request path to handle relative path redirects.
        if not path.startswith('/'):
            url = urljoin(response.request['PATH_INFO'], url)
            path = urljoin(response.request['PATH_INFO'], path)

        if fetch_redirect_response:
            # netloc might be empty, or in cases where Django tests the
            # HTTP scheme, the convention is for netloc to be 'testserver'.
            # Trust both as "internal" URLs here.
            domain, port = split_domain_port(netloc)
            if domain and not validate_host(domain, settings.ALLOWED_HOSTS):
                raise ValueError(
                    'The test client is unable to fetch remote URLs (got {0}). '
                    'If the host is served by Django, add "{1}" to ALLOWED_HOSTS. '
                    'Otherwise, use assertRedirects(..., fetch_redirect_response=False).'
                    ''.format(url, domain)
                )
            redirect_response = response.client.get(path, QueryDict(query), secure=(scheme == 'https'))

            # Get the redirection page, using the same client that was used
            # to obtain the original response.
            assert redirect_response.status_code == target_status_code, _error(
                'Couldn\'t retrieve redirection page "{0}": '
                'response code was {1} (expected {2})',
                path, redirect_response.status_code, target_status_code
            )

    assert url == expected_url, 'Response redirected to "{0}", expected "{1}"'.foramt(url, expected_url)
Example #48
0
def proxy(request, url=None, response_callback=None,
          sec_chk_hosts=True, sec_chk_rules=True, **kwargs):
    # Security rules and settings
    PROXY_ALLOWED_HOSTS = getattr(settings, 'PROXY_ALLOWED_HOSTS', ())

    # Sanity url checks
    if 'url' not in request.GET and not url:
        return HttpResponse("The proxy service requires a URL-encoded URL as a parameter.",
                            status=400,
                            content_type="text/plain"
                            )

    raw_url = url or request.GET['url']
    raw_url = urljoin(
        settings.SITEURL,
        raw_url) if raw_url.startswith("/") else raw_url
    url = urlsplit(raw_url)
    locator = str(url.path)
    if url.query != "":
        locator += '?' + url.query
    if url.fragment != "":
        locator += '#' + url.fragment

    access_token = None
    if request and 'access_token' in request.session:
        access_token = request.session['access_token']

    # White-Black Listing Hosts
    if sec_chk_hosts and not settings.DEBUG:
        site_url = urlsplit(settings.SITEURL)
        if site_url.hostname not in PROXY_ALLOWED_HOSTS:
            PROXY_ALLOWED_HOSTS += (site_url.hostname, )

        if check_ogc_backend(geoserver.BACKEND_PACKAGE):
            from geonode.geoserver.helpers import ogc_server_settings
            hostname = (
                ogc_server_settings.hostname,
            ) if ogc_server_settings else ()
            if hostname not in PROXY_ALLOWED_HOSTS:
                PROXY_ALLOWED_HOSTS += hostname

        if url.query and ows_regexp.match(url.query):
            ows_tokens = ows_regexp.match(url.query).groups()
            if len(ows_tokens) == 4 and 'version' == ows_tokens[0] and StrictVersion(
                    ows_tokens[1]) >= StrictVersion("1.0.0") and StrictVersion(
                        ows_tokens[1]) <= StrictVersion("3.0.0") and ows_tokens[2].lower() in (
                            'getcapabilities') and ows_tokens[3].upper() in ('OWS', 'WCS', 'WFS', 'WMS', 'WPS', 'CSW'):
                if url.hostname not in PROXY_ALLOWED_HOSTS:
                    PROXY_ALLOWED_HOSTS += (url.hostname, )

        if not validate_host(
                url.hostname, PROXY_ALLOWED_HOSTS):
            return HttpResponse("DEBUG is set to False but the host of the path provided to the proxy service"
                                " is not in the PROXY_ALLOWED_HOSTS setting.",
                                status=403,
                                content_type="text/plain"
                                )

    # Security checks based on rules; allow only specific requests
    if sec_chk_rules:
        # TODO: Not yet implemented
        pass

    # Collecting headers and cookies
    headers = {}
    cookies = None
    csrftoken = None

    if settings.SESSION_COOKIE_NAME in request.COOKIES and is_safe_url(
            url=raw_url, host=url.hostname):
        cookies = request.META["HTTP_COOKIE"]

    for cook in request.COOKIES:
        name = str(cook)
        value = request.COOKIES.get(name)
        if name == 'csrftoken':
            csrftoken = value
        cook = "%s=%s" % (name, value)
        cookies = cook if not cookies else (cookies + '; ' + cook)

    csrftoken = get_token(request) if not csrftoken else csrftoken

    if csrftoken:
        headers['X-Requested-With'] = "XMLHttpRequest"
        headers['X-CSRFToken'] = csrftoken
        cook = "%s=%s" % ('csrftoken', csrftoken)
        cookies = cook if not cookies else (cookies + '; ' + cook)

    if cookies:
        if 'JSESSIONID' in request.session and request.session['JSESSIONID']:
            cookies = cookies + '; JSESSIONID=' + \
                request.session['JSESSIONID']
        headers['Cookie'] = cookies

    if request.method in ("POST", "PUT") and "CONTENT_TYPE" in request.META:
        headers["Content-Type"] = request.META["CONTENT_TYPE"]

    access_token = None
    if request and 'access_token' in request.session:
        access_token = request.session['access_token']

    if access_token:
        # TODO: Bearer is currently cutted of by Djano / GeoServer
        if request.method in ("POST", "PUT"):
            headers['Authorization'] = 'Bearer %s' % access_token
        if access_token and 'access_token' not in locator:
            query_separator = '&' if '?' in locator else '?'
            locator = ('%s%saccess_token=%s' %
                       (locator, query_separator, access_token))
    elif 'HTTP_AUTHORIZATION' in request.META:
        auth = request.META.get(
            'HTTP_AUTHORIZATION',
            request.META.get('HTTP_AUTHORIZATION2'))
        if auth:
            headers['Authorization'] = auth

    site_url = urlsplit(settings.SITEURL)

    pragma = "no-cache"
    referer = request.META[
        "HTTP_REFERER"] if "HTTP_REFERER" in request.META else \
        "{scheme}://{netloc}/".format(scheme=site_url.scheme,
                                      netloc=site_url.netloc)
    encoding = request.META["HTTP_ACCEPT_ENCODING"] if "HTTP_ACCEPT_ENCODING" in request.META else "gzip"

    headers.update({"Pragma": pragma,
                    "Referer": referer,
                    "Accept-encoding": encoding, })

    if url.scheme == 'https':
        conn = HTTPSConnection(url.hostname, url.port)
    else:
        conn = HTTPConnection(url.hostname, url.port)
    conn.request(request.method, locator.encode('utf8'), request.body, headers)
    response = conn.getresponse()
    content = response.read()
    status = response.status
    content_type = response.getheader("Content-Type", "text/plain")

    # decompress GZipped responses if not enabled
    if content and response.getheader('Content-Encoding') == 'gzip':
        from StringIO import StringIO
        import gzip
        buf = StringIO(content)
        f = gzip.GzipFile(fileobj=buf)
        content = f.read()

    if response_callback:
        kwargs = {} if not kwargs else kwargs
        kwargs.update({
            'response': response,
            'content': content,
            'status': status,
            'content_type': content_type
        })
        return response_callback(**kwargs)
    else:
        # If we get a redirect, let's add a useful message.
        if status in (301, 302, 303, 307):
            _response = HttpResponse(('This proxy does not support redirects. The server in "%s" '
                                      'asked for a redirect to "%s"' % (url, response.getheader('Location'))),
                                     status=status,
                                     content_type=content_type
                                     )
            _response['Location'] = response.getheader('Location')
            return _response
        else:
            return HttpResponse(
                content=content,
                status=status,
                content_type=content_type)