Mercurial > p > roundup > code
comparison roundup/cgi/actions.py @ 5162:3ee79a2d95d4
rename clean_url method to examine_url. the method doesn't realy clean anything, it throws a ValueError if it finds a problem
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 23 Jul 2016 15:22:06 -0400 |
| parents | 12190efa30d4 |
| children | 114d9628fd77 |
comparison
equal
deleted
inserted
replaced
| 5161:12190efa30d4 | 5162:3ee79a2d95d4 |
|---|---|
| 38 def execute(self): | 38 def execute(self): |
| 39 """Execute the action specified by this object.""" | 39 """Execute the action specified by this object.""" |
| 40 self.permission() | 40 self.permission() |
| 41 return self.handle() | 41 return self.handle() |
| 42 | 42 |
| 43 def clean_url(self, url): | 43 def examine_url(self, url): |
| 44 '''Return URL validated to be under self.base and properly escaped | 44 '''Return URL validated to be under self.base and properly escaped |
| 45 | 45 |
| 46 If url not properly escaped or validation fails raise ValueError. | 46 If url not properly escaped or validation fails raise ValueError. |
| 47 | 47 |
| 48 To try to prevent XSS attacks, validate that the url that is | 48 To try to prevent XSS attacks, validate that the url that is |
| 820 self.db.commit() | 820 self.db.commit() |
| 821 | 821 |
| 822 # Allow an option to stay on the page to create new things | 822 # Allow an option to stay on the page to create new things |
| 823 if '__redirect_to' in self.form: | 823 if '__redirect_to' in self.form: |
| 824 raise exceptions.Redirect('%s&@ok_message=%s'%( | 824 raise exceptions.Redirect('%s&@ok_message=%s'%( |
| 825 self.clean_url(self.form['__redirect_to'].value), | 825 self.examine_url(self.form['__redirect_to'].value), |
| 826 urllib_.quote(messages))) | 826 urllib_.quote(messages))) |
| 827 | 827 |
| 828 # otherwise redirect to the new item's page | 828 # otherwise redirect to the new item's page |
| 829 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % ( | 829 raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % ( |
| 830 self.base, self.classname, self.nodeid, urllib_.quote(messages), | 830 self.base, self.classname, self.nodeid, urllib_.quote(messages), |
| 1139 # 3. Delete @error_message and @ok_message if present. | 1139 # 3. Delete @error_message and @ok_message if present. |
| 1140 # 4. Define a new redirect_url missing the @...message entries. | 1140 # 4. Define a new redirect_url missing the @...message entries. |
| 1141 # This will be redefined if there is a login error to include | 1141 # This will be redefined if there is a login error to include |
| 1142 # a new error message | 1142 # a new error message |
| 1143 | 1143 |
| 1144 clean_url = self.clean_url(self.form['__came_from'].value) | 1144 clean_url = self.examine_url(self.form['__came_from'].value) |
| 1145 redirect_url_tuple = urllib_.urlparse(clean_url) | 1145 redirect_url_tuple = urllib_.urlparse(clean_url) |
| 1146 # now I have a tuple form for the __came_from url | 1146 # now I have a tuple form for the __came_from url |
| 1147 try: | 1147 try: |
| 1148 query=urllib_.parse_qs(redirect_url_tuple.query) | 1148 query=urllib_.parse_qs(redirect_url_tuple.query) |
| 1149 if "@error_message" in query: | 1149 if "@error_message" in query: |