Merge pull request #1747 from MITx/fix/cdodge/should-return-404-on-bad-asset-request

if we parse an invalid location in the content store middleware, then re...

cms/djangoapps/contentstore/tests/test_contentstore.py

@@ -213,6 +213,10 @@ class ContentStoreToyCourseTest(ModuleStoreTestCase):
             resp = self.client.get(reverse('edit_unit', kwargs={'location': new_loc.url()}))
             self.assertEqual(resp.status_code, 200)
 
+    def test_bad_contentstore_request(self):
+        resp = self.client.get('http://localhost:8001/c4x/CDX/123123/asset/&images_circuits_Lab7Solution2.png')
+        self.assertEqual(resp.status_code, 400)
+
     def test_delete_course(self):
         import_from_xml(modulestore(), 'common/test/data/', ['full'])
 

common/djangoapps/contentserver/middleware.py

@@ -5,6 +5,7 @@ from django.http import HttpResponse, Http404, HttpResponseNotModified
 
 from xmodule.contentstore.django import contentstore
 from xmodule.contentstore.content import StaticContent, XASSET_LOCATION_TAG
+from xmodule.modulestore import InvalidLocationError
 from cache_toolbox.core import get_cached_content, set_cached_content
 from xmodule.exceptions import NotFoundError
 
@@ -13,7 +14,14 @@ class StaticContentServer(object):
     def process_request(self, request):
         # look to see if the request is prefixed with 'c4x' tag
         if request.path.startswith('/' + XASSET_LOCATION_TAG + '/'):
-            loc = StaticContent.get_location_from_path(request.path)
+            try:
+                loc = StaticContent.get_location_from_path(request.path)
+            except InvalidLocationError:
+                # return a 'Bad Request' to browser as we have a malformed Location
+                response = HttpResponse()
+                response.status_code = 400
+                return response     
+
             # first look in our cache so we don't have to round-trip to the DB
             content = get_cached_content(loc)
             if content is None: