Unquote HTTP parameters before using

* HTTP parameters and values need to be unquoted after retrieval from flask request. * Properly encode-decode parameters in client-side make_link function Fixes bug 1261487 Change-Id: I2062e85f97040ebb8cbdfca79bb025d3bf1de80e
2014-01-09 17:10:34 +04:00 · 2014-01-09 17:10:34 +04:00 · da5db051b5
commit da5db051b5
parent bb8a08e040
4 changed files with 40 additions and 5 deletions
--- a/dashboard/parameters.py
+++ b/dashboard/parameters.py
@ -12,6 +12,7 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import urllib

 import flask

@ -64,9 +65,9 @@ def get_parameter(kwargs, singular_name, plural_name=None, use_default=True):
    else:
        p = flask.request.args.get(singular_name)
        if (not p) and plural_name:
-            flask.request.args.get(plural_name)
+            p = flask.request.args.get(plural_name)
    if p:
-        return p.split(',')
+        return urllib.unquote_plus(p).split(',')
    elif use_default:
        default = get_default(singular_name)
        return [default] if default else []
--- a/dashboard/static/js/stackalytics-ui.js
+++ b/dashboard/static/js/stackalytics-ui.js
@ -247,7 +247,7 @@ function render_punch_card(chart_id, chart_data) {
 function getUrlVars() {
    var vars = {};
    var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function (m, key, value) {
-        vars[key] = value;
+        vars[key] = decodeURIComponent(value);
    });
    return vars;
 }
@ -286,7 +286,7 @@ function make_std_options() {

 function reload() {
    window.location.search = $.map(make_std_options(),function (val, index) {
-        return index + "=" + val;
+        return index + "=" + encodeURIComponent(val);
    }).join("&")
 }

--- a/dashboard/templates/_macros/activity_log.html
+++ b/dashboard/templates/_macros/activity_log.html
@ -8,7 +8,7 @@
        uri_options["user_id"] = "{{ user_id }}";
    {% endif %}
    {% if company %}
-        uri_options["company"] = "{{ company }}";
+        uri_options["company"] = "{{ company|safe }}";
    {% endif %}
    {% if blueprint_id %}
        uri_options["blueprint_id"] = "{{ blueprint_id }}";
--- a/tests/unit/test_web_utils.py
+++ b/tests/unit/test_web_utils.py
@ -17,6 +17,7 @@ import mock
 import testtools

 from dashboard import helpers
+from dashboard import parameters


 class TestWebUtils(testtools.TestCase):
@ -104,3 +105,36 @@ Implements Blueprint ''' + (
            'John Doe (Mirantis) contribution to neutron in Havana release',
            helpers.make_page_title(
                'Mirantis', 'John Doe', 'neutron', 'Havana'))
+
+    @mock.patch('flask.request')
+    @mock.patch('dashboard.parameters.get_default')
+    def test_parameters_get_parameter(self, get_default, flask_request):
+
+        flask_request.args = mock.Mock()
+        flask_request.args.get = mock.Mock(side_effect=lambda x: x)
+
+        def make(values=None):
+            def f(arg):
+                return values.get(arg, None) if values else None
+            return f
+
+        get_default.side_effect = make()
+        flask_request.args.get.side_effect = make({'param': 'foo'})
+        self.assertEqual(['foo'], parameters.get_parameter(
+            {'param': 'foo'}, 'param'))
+
+        flask_request.args.get.side_effect = make({'param': 'foo'})
+        self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
+
+        flask_request.args.get.side_effect = make({'param': 'foo'})
+        self.assertEqual([], parameters.get_parameter(
+            {}, 'other', use_default=False))
+
+        flask_request.args.get.side_effect = make({'params': 'foo'})
+        self.assertEqual(['foo'], parameters.get_parameter(
+            {}, 'param', plural_name='params'))
+
+        flask_request.args.get.side_effect = make({})
+        get_default.side_effect = make({'param': 'foo'})
+        self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
+        self.assertEqual([], parameters.get_parameter({}, 'other'))