From da5db051b5dc4f0f554ef505a4ced201159ec25c Mon Sep 17 00:00:00 2001
From: Ilya Shakhat
Date: Thu, 9 Jan 2014 17:10:34 +0400
Subject: [PATCH] Unquote HTTP parameters before using
* HTTP parameters and values need to be unquoted after retrieval from flask request.
* Properly encode-decode parameters in client-side make_link function
Fixes bug 1261487
Change-Id: I2062e85f97040ebb8cbdfca79bb025d3bf1de80e
---
 dashboard/parameters.py | 5 +--
 dashboard/static/js/stackalytics-ui.js | 4 +--
 dashboard/templates/_macros/activity_log.html | 2 +-
 tests/unit/test_web_utils.py | 34 +++++++++++++++++++
 4 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/dashboard/parameters.py b/dashboard/parameters.py
index 2ff9a30e7..daf3cb260 100644
--- a/dashboard/parameters.py
+++ b/dashboard/parameters.py
@@ -12,6 +12,7 @@
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import urllib
 import flask
@@ -64,9 +65,9 @@ def get_parameter(kwargs, singular_name, plural_name=None, use_default=True):
 else:
 p = flask.request.args.get(singular_name)
 if (not p) and plural_name:
- flask.request.args.get(plural_name)
+ p = flask.request.args.get(plural_name)
 if p:
- return p.split(',')
+ return urllib.unquote_plus(p).split(',')
 elif use_default:
 default = get_default(singular_name)
 return [default] if default else []
diff --git a/dashboard/static/js/stackalytics-ui.js b/dashboard/static/js/stackalytics-ui.js
index 72ad07598..f4ec09975 100644
--- a/dashboard/static/js/stackalytics-ui.js
+++ b/dashboard/static/js/stackalytics-ui.js
@@ -247,7 +247,7 @@ function render_punch_card(chart_id, chart_data) {
 function getUrlVars() {
 var vars = {};
 var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function (m, key, value) {
- vars[key] = value;
+ vars[key] = decodeURIComponent(value);
 });
 return vars;
 }
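Review bot: In `get_parameter` (dashboard/parameters.py), `urllib.unquote_plus(p)` is applied to a value that Werkzeug has normally already percent-decoded when it built `flask.request.args`, so the value ends up decoded twice. A second decode means any upstream validation or logging saw a different string than the one used here, and a legitimate value containing a literal `%` or `+` is silently altered. The decode also runs before the split, so an encoded comma inside a single value becomes a list separator. If the extra decode really is needed for the client's links, decode per element with `return [urllib.unquote_plus(v) for v in p.split(',')]` and add a comment saying why; otherwise fix the double encoding on the client and keep `p.split(',')`. The function starts above the hunk, so the `kwargs` branch is not visible here.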
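Review bot: In `getUrlVars`, `decodeURIComponent(value)` throws a `URIError` on a malformed percent sequence, so a mangled or hand-edited query string aborts the function and every caller that depends on its result. Guard the call and fall back to the raw text, e.g. `try { vars[key] = decodeURIComponent(value); } catch (e) { vars[key] = value; }`. The values are now decoded, user-controlled text, so any code that later writes them into the page should use text APIs rather than HTML insertion; those call sites are outside this hunk. `key` is still stored undecoded, which deserves a comment if it is intentional.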
@@ -286,7 +286,7 @@ function make_std_options() {
 function reload() {
 window.location.search = $.map(make_std_options(),function (val, index) {
- return index + "=" + val;
+ return index + "=" + encodeURIComponent(val);
 }).join("&")
 }
diff --git a/dashboard/templates/_macros/activity_log.html b/dashboard/templates/_macros/activity_log.html
index c5782d17b..63a4cd701 100644
--- a/dashboard/templates/_macros/activity_log.html
+++ b/dashboard/templates/_macros/activity_log.html
@@ -8,7 +8,7 @@
 uri_options["user_id"] = "{{ user_id }}";
 {% endif %}
 {% if company %}
- uri_options["company"] = "{{ company }}";
+ uri_options["company"] = "{{ company|safe }}";
 {% endif %}
 {% if blueprint_id %}
 uri_options["blueprint_id"] = "{{ blueprint_id }}";
diff --git a/tests/unit/test_web_utils.py b/tests/unit/test_web_utils.py
index 619decd0d..fbdaf78b3 100644
--- a/tests/unit/test_web_utils.py
+++ b/tests/unit/test_web_utils.py
@@ -17,6 +17,7 @@ import mock
 import testtools
 from dashboard import helpers
+from dashboard import parameters
 class TestWebUtils(testtools.TestCase):
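Review bot: `{{ company|safe }}` in activity_log.html turns off Jinja2 autoescaping for a value that is emitted inside a JavaScript string literal, and `company` appears to come from the request parameter that this same commit now URL-decodes (the view is not visible here, so confirm). A quote, backslash or closing script tag in the company name would terminate the string or the script block, which makes this line a reflected XSS sink. Use the JSON encoder instead of `safe` and drop the surrounding quotes: `uri_options["company"] = {{ company|tojson }};` (check that the deployed Flask is 0.10 or later, where `tojson` output is safe inside script blocks). The neighbouring `user_id` and `blueprint_id` lines rely on HTML escaping inside script context and would be better written the same way.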
@@ -104,3 +105,36 @@ Implements Blueprint ''' + (
 'John Doe (Mirantis) contribution to neutron in Havana release',
 helpers.make_page_title(
 'Mirantis', 'John Doe', 'neutron', 'Havana'))
+
+ @mock.patch('flask.request')
+ @mock.patch('dashboard.parameters.get_default')
+ def test_parameters_get_parameter(self, get_default, flask_request):
+
+ flask_request.args = mock.Mock()
+ flask_request.args.get = mock.Mock(side_effect=lambda x: x)
+
+ def make(values=None):
+ def f(arg):
+ return values.get(arg, None) if values else None
+ return f
+
+ get_default.side_effect = make()
+ flask_request.args.get.side_effect = make({'param': 'foo'})
+ self.assertEqual(['foo'], parameters.get_parameter(
+ {'param': 'foo'}, 'param'))
+
+ flask_request.args.get.side_effect = make({'param': 'foo'})
+ self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
+
+ flask_request.args.get.side_effect = make({'param': 'foo'})
+ self.assertEqual([], parameters.get_parameter(
+ {}, 'other', use_default=False))
+
+ flask_request.args.get.side_effect = make({'params': 'foo'})
+ self.assertEqual(['foo'], parameters.get_parameter(
+ {}, 'param', plural_name='params'))
+
+ flask_request.args.get.side_effect = make({})
+ get_default.side_effect = make({'param': 'foo'})
+ self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
+ self.assertEqual([], parameters.get_parameter({}, 'other'))
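Review bot: `test_parameters_get_parameter` never passes a percent-encoded, `+`-containing or comma-separated value, so the `urllib.unquote_plus` call this commit adds is not exercised and a decoding regression would go unnoticed. Add a case such as `flask_request.args.get.side_effect = make({'param': 'a%20b,c+d'})` followed by `self.assertEqual(['a b', 'c d'], parameters.get_parameter({}, 'param'))`. The initial `mock.Mock(side_effect=lambda x: x)` assignment is overwritten before any call and can be removed. The test class itself starts outside the hunk.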