84

I already have a django project and it logical like those:

url: URL?username=name&pwd=passwd

view:

def func(request): dic = request.GET username = dic.get("username") pwd = dic.get("pwd")

but now we need encrypt the data. Then, the request become this:

url: URL?crypt=XXXXXXXXXX (XXXXXXXX is encrypted str for "username=name&pwd=passwd")

so I need modify every view function. But now I want decrypt in django middleware to prevent from modifying every view function.

but when I modify request.GET, I recive error msg "This QueryDict instance is immutable". How can I modify it?

Improve this question
3

5 Answers 5

Reset to default
132

django.http.QueryDict objects that are assigned to request.GET and request.POST are immutable.

You can convert it to a mutable QueryDict instance by copying it:

request.GET = request.GET.copy()

Afterwards you'll be able to modify the QueryDict:

>>> from django.test.client import RequestFactory >>> request = RequestFactory().get('/') >>> request.GET <QueryDict: {}> >>> request.GET['foo'] = 'bar' AttributeError: This QueryDict instance is immutable >>> request.GET = request.GET.copy() <QueryDict: {}> >>> request.GET['foo'] = 'bar' >>> request.GET <QueryDict: {'foo': 'bar'}>

This has been purposefully designed so that none of the application components are allowed to edit the source request data, so even creating a immutable QueryDict again would break this design. I would still suggest that you follow the guidelines and assign additional request data directly on the request object in your middleware, despite the fact that it might cause you to edit your sources.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

In Django 2.0, when I try to do this, I get an AttributeError "can't set attribute"
70

Remove immutability:

if not request.GET._mutable: request.GET._mutable = True # now you can spoil it request.GET['pwd'] = 'iloveyou'

Update

The Django sanctioned way is: request.GET.copy().

According to the docs:

The QueryDicts at request.POST and request.GET will be immutable when accessed in a normal request/response cycle. To get a mutable version you need to use QueryDict.copy().

Nothing guarantees future Django versions will use _mutable. This has more chances to change than the copy() method.

Improve this answer

6 Comments

This is better to avoid the cost associated with copy() on a POST request
...but worse because it modifies an internal attribute.
After setting your value(s) you can just do: request.GET._mutable = False to make it unmutable again.
Please don't recommend doing this.
can anybody tell me "is this approach secure?"
|
9

You shouldn't use GET to send the username and password, it's bad practice (since it shows the information on the URL bar, and might pose a security risk). Instead, use POST. Also, I'm guessing you're trying to authenticate your users, and it seems like you're doing too much work (creating a new middleware) to deal with something that is completely built in, to take the example from the docs:

from django.contrib.auth import authenticate, login def my_view(request): username = request.POST['username'] password = request.POST['password'] user = authenticate(username=username, password=password) if user is not None: if user.is_active: login(request, user) # Redirect to a success page. else: # Return a 'disabled account' error message else: # Return an 'invalid login' error message.

I myself really like using the login_required decorator, very simple to use. Hope that helps

Improve this answer

7 Comments

thanks for your answer. that's just a example. We not only use GET but also use POST. Even though use post, we must encrypt the data.Because I'm afraid some tools like 'tcpdump' crawl packet.So, encrypt/decrypt is necessary.The question Confusing me is how can I modify view function as less as possible. So I want use middleware
Look into the documentation about creating your own middleware. You want to use process_request or process_view, but keep in mind that accessing the request.POST inside those would cause the view not to run (csrf is an exception to that rule, so look into how it works to figure how to write your own) docs.djangoproject.com/en/dev/topics/http/middleware
There is no security problem with GET request per se. It's kind of bad practice because they're in the address bar ... but I just want to make sure that everybody is clear that over HTTPS, GET and POST payloads are equally protected in transit. Via HTTP, they are equally unprotected.
@AdamNelson if you pass anything into a GET request then it becomes available in log files, internet history, and the redirect HTTP header. It's not secure at all, even over HTTPS. They are not equally protected in transit.
@Jordan the log file and Internet history parts are legitimate side channel attacks and you're right that they make GET worse than POST for security, but the protection inside the HTTPS envelope is exactly the same whether it's POST or GET
|
4 
request.GET._mutable = True

you need this.

def func(request): dic = request.GET request.GET._mutable = True #to make it editable username = dic.get("username") request.GET.pop("pwd") request.GET._mutable = False #make it False once edit done
Improve this answer

Comments

0

You just have to change the request.data:

def func(request): request.data._mutable = True dic = request.data username = dic['username'] pwd = dic['pwd']
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.