author | Jeremy Kerr <jk@ozlabs.org> | 2011-02-28 14:43:31 +0800 |
committer | Jeremy Kerr <jk@ozlabs.org> | 2011-03-08 12:41:18 +0800 |
commit | 5d56a58406cbc06012d1f1c994be4b5118ecda9c (patch) | |
tree | 9d19d32c2f55ea5f412e8db66497da1412ac1c41 | |
parent | 14bb22b8de1b8eee9102159a34d8e2218a8a2bd6 (diff) | |
download | patchwork-5d56a58406cbc06012d1f1c994be4b5118ecda9c.tar.bz2 patchwork-5d56a58406cbc06012d1f1c994be4b5118ecda9c.tar.xz |
filters: quote param names and values when constructing querystrings
Use urllib.quote to sanitise parameter names and values; prevents
escaped ampersands in the input qs from appearing unescaped in the
link output.
Add a testcase for the unescaped qs fragments
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
-rw-r--r-- | apps/patchwork/filters.py | 4 | ||||
-rw-r--r-- | apps/patchwork/tests/__init__.py | 1 | ||||
-rw-r--r-- | apps/patchwork/tests/filters.py | 36 |
3 files changed, 40 insertions, 1 deletions
diff --git a/apps/patchwork/filters.py b/apps/patchwork/filters.py
index 77fc768..52fc03f 100644
--- a/apps/patchwork/filters.py
+++ b/apps/patchwork/filters.py
@@ -22,6 +22,7 @@ from patchwork.models import Person, State
 from django.utils.safestring import mark_safe
 from django.utils.html import escape
 from django.contrib.auth.models import User
+from urllib import quote
 
 class Filter(object):
     def __init__(self, filters):
@@ -444,7 +445,8 @@ class Filters:
         if remove.param in params.keys():
             del params[remove.param]
 
-        return '?' + '&'.join(['%s=%s' % x for x in params.iteritems()])
+        return '?' + '&'.join(['%s=%s' % (quote(k), quote(v))
+                                for (k,v) in params.iteritems()])
 
     def querystring_without_filter(self, filter):
         return self.querystring(filter)
diff --git a/apps/patchwork/tests/__init__.py b/apps/patchwork/tests/__init__.py
index 57e15cd..68fe563 100644
--- a/apps/patchwork/tests/__init__.py
+++ b/apps/patchwork/tests/__init__.py
@@ -22,3 +22,4 @@ from patchwork.tests.encodings import *
 from patchwork.tests.bundles import *
 from patchwork.tests.mboxviews import *
 from patchwork.tests.updates import *
+from patchwork.tests.filters import *
diff --git a/apps/patchwork/tests/filters.py b/apps/patchwork/tests/filters.py
new file mode 100644
index 0000000..4744583
--- /dev/null
+++ b/apps/patchwork/tests/filters.py
@@ -0,0 +1,36 @@
+# Patchwork - automated patch tracking system
+# Copyright (C) 2011 Jeremy Kerr <jk@ozlabs.org>
+#
+# This file is part of the Patchwork package.
+#
+# Patchwork is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Patchwork is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchwork; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+import unittest
+from django.test import TestCase
+from django.test.client import Client
+from patchwork.tests.utils import defaults, create_user, find_in_context
+
+class FilterQueryStringTest(TestCase):
+    def testFilterQSEscaping(self):
+        """test that filter fragments in a query string are properly escaped,
+        and stray ampersands don't get reflected back in the filter
+        links"""
+        project = defaults.project
+        defaults.project.save()
+        url = '/project/%s/list/?submitter=a%%26b=c' % project.linkname
+        response = self.client.get(url)
+        self.failUnlessEqual(response.status_code, 200)
+        self.failIf('submitter=a&b=c' in response.content)
+        self.failIf('submitter=a&b=c' in response.content)
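Review bot: `quote(v)` in the rebuilt return line of the second hunk will raise `KeyError` under Python 2's `urllib.quote` when `v` is a unicode string containing non-ASCII characters, and the values here presumably originate from a Django QueryDict, which yields unicode; encoding first, `'%s=%s' % (quote(k), quote(v.encode('utf-8')))`, avoids turning a non-ASCII filter value into a 500 — confirm against where `params` is populated, which is outside this hunk. It is also worth a one-line comment that `quote` leaves `/` unescaped by default (`safe='/'`), harmless inside a query string, while `&`, `=`, `?` and `#` are now percent-encoded, which is the property the commit relies on. The enclosing method (apparently `querystring`, judging by the call in `querystring_without_filter`) starts before the hunk, so the origin and type of `params` cannot be checked here.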
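Review bot: The last two assertions in `testFilterQSEscaping` read identically as rendered here (`self.failIf('submitter=a&b=c' in response.content)` twice); if the second was meant to check the HTML-entity form of the ampersand, the page rendering may have unescaped it, otherwise one of them is redundant and should be dropped. The test only asserts the absence of the raw fragment, so a regression that dropped the submitter filter link altogether would still pass; a positive check for the percent-encoded form the filters.py change produces, `self.assertTrue('submitter=a%26b%3Dc' in response.content)`, would pin the intended output. `unittest`, `Client`, `create_user` and `find_in_context` are imported but unused, and `failUnlessEqual`/`failIf` are the deprecated spellings of `assertEqual`/`assertFalse`.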