0001-misc-limit-cancel-URL-to-relatable-URLs-43276.patch
tests/test_form_pages.py | ||
---|---|---|
428 | 428 |
assert resp.form |
429 | 429 | |
430 | 430 | |
431 |
def test_form_cancelurl(pub): |
|
432 |
formdef = create_formdef() |
|
433 |
formdef.data_class().wipe() |
|
434 | ||
435 |
# path |
|
436 |
resp = get_app(pub).get('/test/?cancelurl=/plop/') |
|
437 |
resp = resp.form.submit('cancel') |
|
438 |
assert resp.location == 'http://example.net/plop/' |
|
439 | ||
440 |
# full URL |
|
441 |
resp = get_app(pub).get('/test/?cancelurl=http://example.net/plop/') |
|
442 |
resp = resp.form.submit('cancel') |
|
443 |
assert resp.location == 'http://example.net/plop/' |
|
444 | ||
445 |
# remote site |
|
446 |
get_app(pub).get('/test/?cancelurl=http://example.org/plop/', status=400) |
|
447 | ||
448 |
pub.site_options.add_section('api-secrets') |
|
449 |
pub.site_options.set('api-secrets', 'example.org', 'xyz') |
|
450 |
pub.site_options.write(open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w')) |
|
451 |
resp = get_app(pub).get('/test/?cancelurl=http://example.org/plop/') |
|
452 |
resp = resp.form.submit('cancel') |
|
453 |
assert resp.location == 'http://example.org/plop/' |
|
454 | ||
455 |
pub.site_options.remove_section('api-secrets') |
|
456 |
if not pub.site_options.has_section('options'): |
|
457 |
pub.site_options.add_section('options') |
|
458 |
pub.site_options.write(open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w')) |
|
459 |
get_app(pub).get('/test/?cancelurl=http://example.org/plop/', status=400) |
|
460 | ||
461 |
pub.site_options.set('options', 'relatable-hosts', 'example.com') |
|
462 |
pub.site_options.write(open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w')) |
|
463 |
get_app(pub).get('/test/?cancelurl=http://example.org/plop/', status=400) |
|
464 | ||
465 |
pub.site_options.set('options', 'relatable-hosts', 'example.com, example.org') |
|
466 |
pub.site_options.write(open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w')) |
|
467 |
resp = get_app(pub).get('/test/?cancelurl=http://example.org/plop/') |
|
468 |
resp = resp.form.submit('cancel') |
|
469 |
assert resp.location == 'http://example.org/plop/' |
|
470 | ||
471 | ||
431 | 472 |
def test_form_submit(pub): |
432 | 473 |
formdef = create_formdef() |
433 | 474 |
formdef.data_class().wipe() |
wcs/forms/root.py | ||
---|---|---|
328 | 328 | |
329 | 329 |
if page == self.pages[0] and 'cancelurl' in get_request().form: |
330 | 330 |
cancelurl = get_request().form['cancelurl'] |
331 |
if not get_publisher().is_relatable_url(cancelurl): |
|
332 |
raise errors.RequestError('invalid cancel URL') |
|
331 | 333 |
form_data['__cancelurl'] = cancelurl |
332 | 334 |
session.add_magictoken(magictoken, form_data) |
333 | 335 |
wcs/qommon/publisher.py | ||
---|---|---|
386 | 386 |
defaults = { |
387 | 387 |
'options': { |
388 | 388 |
'unused-files-behaviour': 'remove', |
389 |
'relatable-hosts': '', |
|
389 | 390 |
}, |
390 | 391 |
} |
391 | 392 |
if self.site_options is None: |
... | ... | |
956 | 957 |
d['manager_homepage_title'] = d.get('portal_agent_title') |
957 | 958 |
return d |
958 | 959 | |
960 |
def is_relatable_url(self, url): |
|
961 |
parsed_url = urllib.urlparse(url) |
|
962 |
if not parsed_url.netloc: |
|
963 |
return True |
|
964 |
if parsed_url.netloc == urllib.urlparse(self.get_frontoffice_url()).netloc: |
|
965 |
return True |
|
966 |
if parsed_url.netloc == urllib.urlparse(self.get_backoffice_url()).netloc: |
|
967 |
return True |
|
968 |
if parsed_url.netloc in [x.strip() for x in self.get_site_option('relatable-hosts').split(',')]: |
|
969 |
return True |
|
970 |
try: |
|
971 |
if parsed_url.netloc in self.site_options.options('api-secrets'): |
|
972 |
return True |
|
973 |
except ConfigParser.NoSectionError: |
|
974 |
pass |
|
975 |
return False |
|
976 | ||
959 | 977 |
extra_sources = [] |
960 | 978 |
@classmethod |
961 | 979 |
def register_extra_source(cls, source): |
962 |
- |