appengine/chromium_bugs/main.py - Issue 1473493002: Limit issue wizard continue= to our domains.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: appengine/chromium_bugs/main.py

Issue 1473493002: Limit issue wizard continue= to our domains. (Closed) Base URL: https://chromium.googlesource.com/infra/infra.git@master

Patch Set: Created 5 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: appengine/chromium_bugs/main.py

diff --git a/appengine/chromium_bugs/main.py b/appengine/chromium_bugs/main.py

index 07a36f25671389c62f5db225c5336c51a9f2dc17..bf5081126147a3139defc0a15a25cb418a9f116d 100644

--- a/appengine/chromium_bugs/main.py

+++ b/appengine/chromium_bugs/main.py

@@ -75,6 +75,24 @@ MISSING_TOKEN_HTML = (

'</body></html>'

)

+# The continue_url must start with one of these.

+ALLOWED_CONTINUE_DOMAINS = [

+ 'http://localhost:8080/',

+ 'https://code.google.com/',

+ 'https://bugs.chromium.org/',

+ 'https://bugs-staging.chromium.org/',

+ ]

+INVALID_CONTINUE_HTML = (

+ '<html><body>'

+ '<h1>Invalid continue parameter</h1>'

+ '<p>This wizard can only be used with '

+ 'code.google.com and bugs.chromium.org.</p>'

+ ''

+ '</body></html>'

+ )

class MainHandler(webapp2.RequestHandler):

def get(self):

@@ -84,15 +102,22 @@ class MainHandler(webapp2.RequestHandler):

token = self.request.get('token')

if continue_url and not token:

+ logging.info('Missing token')

self.response.out.write(MISSING_TOKEN_HTML)

return

if not continue_url:

- continue_url = 'http://code.google.com/p/chromium/issues/entry.do'

+ continue_url = 'https://code.google.com/p/chromium/issues/entry.do'

# Special case, chromium-os issues are now being tracked in /p/chromium.

if '//code.google.com/p/chromium-os/issues/entry.do' in continue_url:

- continue_url = 'http://code.google.com/p/chromium/issues/entry.do'

+ continue_url = 'https://code.google.com/p/chromium/issues/entry.do'

+ if not any(continue_url.startswith(domain)

+ for domain in ALLOWED_CONTINUE_DOMAINS):

+ logging.info('Bad continue param: %r', continue_url)

+ self.response.out.write(INVALID_CONTINUE_HTML)

+ return

if '?' in continue_url:

# Codesite includes contextual parameters for search terms, etc.

@@ -100,8 +125,8 @@ class MainHandler(webapp2.RequestHandler):

else:

validate_url = continue_url

- if (not validate_url.startswith('http') or

- not validate_url.endswith('.do')):

+ if not validate_url.endswith('.do'):

+ logging.info('validate_url does not end in .do: %r', validate_url)

self.response.out.write(

'Malformed "continue" query string parameter: %r' %

urllib.quote(validate_url))

« no previous file with comments | « no previous file | no next file » | no next file with comments »