From b87525b0734bf3c38519e0c60e30d7aec54736f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Sat, 23 Mar 2019 17:54:11 +0100
Subject: [PATCH] misc: return 400 on invalid context signature (#31666)

---
 combo/public/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/combo/public/views.py b/combo/public/views.py
index 04091e46..c314501e 100644
--- a/combo/public/views.py
+++ b/combo/public/views.py
@@ -27,7 +27,7 @@ from django.core import signing
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.db import transaction
 from django.http import (Http404, HttpResponse, HttpResponseRedirect,
- HttpResponsePermanentRedirect)
+ HttpResponsePermanentRedirect, HttpResponseBadRequest)
 from django.shortcuts import render, resolve_url
 from django.template import engines
 from django.template.loader import get_template, TemplateDoesNotExist
@@ -142,7 +142,10 @@ def render_cell(request, cell):
 'absolute_uri': request.build_absolute_uri
 }
 if request.GET.get('ctx'):
- context.update(signing.loads(request.GET['ctx']))
+ try:
+ context.update(signing.loads(request.GET['ctx']))
+ except signing.BadSignature:
+ return HttpResponseBadRequest('bad signature')
 modify_global_context(request, context)
 if cell.page_id:
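Review bot: The new `try` around `signing.loads(request.GET['ctx'])` in the second hunk verifies integrity only; with no `salt=` and no `max_age=` the value is checked against Django's default salt, so any payload produced by `signing.dumps` elsewhere in the project under the same SECRET_KEY is accepted as a cell context here, and an intercepted `ctx` URL stays valid indefinitely even though `loads` goes through a TimestampSigner. Unless the producer of `ctx` (not visible in this hunk) already uses a dedicated salt, pass the matching `salt=` plus a `max_age=` on this call; `signing.BadSignature` already covers `SignatureExpired`, so the new `except` clause needs no change. I would also keep the try body to the one call that can raise, `ctx = signing.loads(request.GET['ctx'], salt=..., max_age=...)`, and move `context.update(ctx)` below the `except`, so a non-mapping payload failing inside `update` is not mistaken for a signature problem. `render_cell` starts before this hunk and continues past it.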