From 8f87e14ee87b2b989acee1d5b5267f4dd105aeb9 Mon Sep 17 00:00:00 2001
From: Thomas NOEL
Date: Fri, 8 Dec 2017 16:19:04 +0100
Subject: [PATCH] misc: accept only http and https as URL scheme (#20523)
---
 tests/test_datasource.py | 33 +++++++++++++++++++++++++++++++++
 wcs/qommon/misc.py | 4 +++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/tests/test_datasource.py b/tests/test_datasource.py
index 2c6382d2..85b2e3c3 100644
--- a/tests/test_datasource.py
+++ b/tests/test_datasource.py
@@ -24,6 +24,9 @@ def setup_module(module):
 global pub, req
 pub = create_temporary_pub()
+ pub.cfg['debug'] = {'logger': True}
+ pub.write_cfg()
+ pub.set_config()
 req = HTTPRequest(None, {'SERVER_NAME': 'example.net', 'SCRIPT_NAME': ''})
 pub._set_request(req)
@@ -228,6 +231,36 @@ def test_json_datasource(http_requests):
 assert data_sources.get_items(datasource) == []
 assert data_sources.get_structured_items(datasource) == []
+def test_json_datasource_bad_url(http_requests, caplog):
+ datasource = {'type': 'json', 'value': 'http://remote.example.net/404'}
+ assert data_sources.get_items(datasource) == []
+ assert 'Error loading JSON data source' in caplog.records[-1].message
+ assert 'status: 404' in caplog.records[-1].message
+
+ datasource = {'type': 'json', 'value': 'http://remote.example.net/xml'}
+ assert data_sources.get_items(datasource) == []
+ assert 'Error reading JSON data source output' in caplog.records[-1].message
+ assert 'No JSON object could be decoded' in caplog.records[-1].message
+
+ datasource = {'type': 'json', 'value': 'http://remote.example.net/connection-error'}
+ assert data_sources.get_items(datasource) == []
+ assert 'Error loading JSON data source' in caplog.records[-1].message
+ assert 'error' in caplog.records[-1].message
+
+def test_json_datasource_bad_url_scheme(caplog):
+ datasource = {'type': 'json', 'value': ''}
+ assert data_sources.get_items(datasource) == []
+ assert caplog.records[-1].message == 'Empty URL in JSON data source'
+
+ datasource = {'type': 'json', 'value': 'foo://bar'}
+ assert data_sources.get_items(datasource) == []
+ assert 'Error loading JSON data source' in caplog.records[-1].message
+ assert 'invalid scheme in URL' in caplog.records[-1].message
+
+ datasource = {'type': 'json', 'value': '/bla/blo'}
+ assert data_sources.get_items(datasource) == []
+ assert 'Error loading JSON data source' in caplog.records[-1].message
+ assert 'invalid scheme in URL' in caplog.records[-1].message
 def test_item_field_named_python_datasource():
 NamedDataSource.wipe()
diff --git a/wcs/qommon/misc.py b/wcs/qommon/misc.py
index e58fb5a8..142472aa 100644
--- a/wcs/qommon/misc.py
+++ b/wcs/qommon/misc.py
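Review bot: In tests/test_datasource.py, `test_json_datasource_bad_url_scheme` exercises the rejection path only with a made-up scheme (`foo://bar`) and a bare path (`/bla/blo`). A case for a real non-HTTP scheme such as `file://`, and one for an upper-case `HTTP://` prefix, would pin what the allowlist does with them; the check in wcs/qommon/misc.py is a case-sensitive `startswith`, so the second is presumably rejected as well. In `test_json_datasource_bad_url`, the assertion on `'No JSON object could be decoded'` ties the test to one JSON decoder's error wording, so asserting only on `'Error reading JSON data source output'` would be less brittle.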
@@ -277,8 +277,10 @@ def _http_request(url, method='GET', body=None, headers={}, cert_file=None, time
 if url.startswith('http://'):
 hostname, query = urllib.splithost(url[5:])
- else:
+ elif url.startswith('https://'):
 hostname, query = urllib.splithost(url[6:])
+ else:
+ raise ConnectionError('invalid scheme in URL %s' % url)
 auth = None
 if '@' in hostname:
-- 
2.15.0
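Review bot: The new `else` branch interpolates the whole rejected URL into the exception text, and the tests added in this commit show that text reaching the log (`'invalid scheme in URL' in caplog.records[-1].message`). The `if '@' in hostname:` line that follows suggests URLs passed to `_http_request` can carry credentials, so a mistyped scheme on such a URL would copy them into the log. Consider reporting only the part before the first colon, e.g. `raise ConnectionError('invalid scheme in URL (%s)' % url.split(':', 1)[0])`, or a URL with the userinfo removed. A comment above the branch such as `# only http and https are accepted; anything else is rejected here` would also record why the check exists. `_http_request` starts and continues outside the hunk.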