
0001-misc-return-400-when-an-improrer-next-parameter-is-g.patch

Frédéric Péters, 02 juin 2019 18:31


Subject: [PATCH] misc: return 400 when an improrer next parameter is given to
 login (#33082)

 combo/public/views.py |  7 +++++--
 tests/test_public.py  | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
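--- a/combo/public/views.py
+++ b/combo/public/views.py
@@ -60,8 +60,11 @@
     if any(get_idps()):
         if not 'next' in request.GET:
             return HttpResponseRedirect(resolve_url('mellon_login'))
-        return HttpResponseRedirect(resolve_url('mellon_login') + '?next='
-                                    + urllib.quote(request.GET.get('next')))
+        try:
+            quoted_next_url = urllib.quote(request.GET.get('next'))
+        except KeyError:
+            return HttpResponseBadRequest('invalid value for "next" parameter')
+        return HttpResponseRedirect(resolve_url('mellon_login') + '?next=' + quoted_next_url)
     return auth_views.login(request, *args, **kwargs)
 
 def logout(request, next_page=None):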
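Review bot: The `except KeyError` on new line 65 relies on an undocumented implementation detail of Python 2's `urllib.quote`, which raises `KeyError` when given a unicode string containing non-ASCII characters (the `%e0%40` case the new test exercises); nothing in the code says so, and a reader will wonder why a `.get()` call is guarded against `KeyError`. I would annotate the clause, e.g. `except KeyError:  # py2 urllib.quote raises KeyError on non-ASCII unicode input`, so the 400 path is not mistaken for a guard on the missing-parameter case already handled two lines above. The diffstat shows views.py gained only these five lines, so `HttpResponseBadRequest` must already be imported at the top of the file — the import block is outside this section and is worth confirming. Separately, the caller-supplied `next` value is still forwarded into the redirect URL without any check that it points at this site; whether `mellon_login` validates it is not visible here, so an `is_safe_url` check on the value before building the redirect may be warranted.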
tests/test_public.py
16 16
from django.test import override_settings
17 17
from django.test.utils import CaptureQueriesContext
18 18

  
19
try:
20
    import mellon
21
except ImportError:
22
    mellon = None
23

  
19 24
from combo.wsgi import application
20 25
from combo.data.models import (Page, CellBase, TextCell, ParentContentCell,
21 26
        FeedCell, LinkCell, ConfigJsonCell, Redirect, JsonCell)
......
73 78
    resp = app.get('/', status=200)
74 79
    assert not 'Foobar' in resp.text
75 80

  
81
@pytest.mark.skipif('mellon is None')
82
def test_mellon_login(app):
83
    with mock.patch('combo.public.views.get_idps') as get_idps:
84
        get_idps.return_value = ['xxx']
85
        resp = app.get('/login/')
86
        assert urlparse.urlparse(resp.location).path == '/accounts/mellon/login/'
87
        resp = app.get('/login/?next=whatever')
88
        assert urlparse.urlparse(resp.location).query == 'next=whatever'
89
        resp = app.get('/login/?next=%e0%40', status=400)
90

  
76 91
def test_page_contents_group_presence(app, normal_user):
77 92
    group = Group(name='plop')
78 93
    group.save()
79
-