allow_sql config option to disable custom SQL, closes #284

Simon Willison 2018-05-24 22:50:50 -07:00
commit f722b0a730
No known key found for this signature in database
GPG key ID: 17E2DEA2588B7F52
7 changed files with 53 additions and 7 deletions


@ -11,6 +11,8 @@ class DatabaseView(BaseView):
async def data(self, request, name, hash):
if request.args.get("sql"):
if not self.ds.config["allow_sql"]:
raise DatasetteError("sql= is not allowed", status=400)
sql = request.raw_args.pop("sql")
validate_sql_select(sql)
return await self.custom_sql(request, name, hash, sql)
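Review bot: The new guard in `data` refuses a disabled feature with `status=400`, which reports the request as malformed rather than denied by configuration. `raise DatasetteError("sql= is not allowed", status=403)` would let clients and log-based monitoring tell policy denials apart from bad input. The lookup `self.ds.config["allow_sql"]` raises KeyError if the key is missing, so it depends on defaults being merged into the config somewhere not visible in this section. The check covers only the `sql=` branch of `DatabaseView.data`, so any other view that hands request-supplied SQL to `custom_sql` needs the same gate; the other changed files are not shown here. `data` appears to continue past the end of the hunk.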