x/stackalytics
Code Issues Proposed changes

Unquote HTTP parameters before using

Browse Source 
* HTTP parameters and values need to be unquoted after retrieval from
flask request.
* Properly encode-decode parameters in client-side make_link function

Fixes bug 1261487

Change-Id: I2062e85f97040ebb8cbdfca79bb025d3bf1de80e
This commit is contained in:
Ilya Shakhat 2014-01-09 17:10:34 +04:00
parent bb8a08e040
commit da5db051b5
4 changed files with 40 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
dashboard/parameters.py
View File

@ -12,6 +12,7 @@
# implied. # implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import urllib
import flask import flask
@ -64,9 +65,9 @@ def get_parameter(kwargs, singular_name, plural_name=None, use_default=True):
else: else:
p = flask.request.args.get(singular_name) p = flask.request.args.get(singular_name)
if (not p) and plural_name: if (not p) and plural_name:
flask.request.args.get(plural_name) p = flask.request.args.get(plural_name)
if p: if p:
return p.split(',') return urllib.unquote_plus(p).split(',')
elif use_default: elif use_default:
default = get_default(singular_name) default = get_default(singular_name)
return [default] if default else [] return [default] if default else []

4
dashboard/static/js/stackalytics-ui.js
View File

@ -247,7 +247,7 @@ function render_punch_card(chart_id, chart_data) {
function getUrlVars() { function getUrlVars() {
var vars = {}; var vars = {};
var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function (m, key, value) { var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function (m, key, value) {
vars[key] = value; vars[key] = decodeURIComponent(value);
}); });
return vars; return vars;
} }
@ -286,7 +286,7 @@ function make_std_options() {
function reload() { function reload() {
window.location.search = $.map(make_std_options(),function (val, index) { window.location.search = $.map(make_std_options(),function (val, index) {
return index + "=" + val; return index + "=" + encodeURIComponent(val);
}).join("&") }).join("&")
} }

2
dashboard/templates/_macros/activity_log.html
View File

@ -8,7 +8,7 @@
uri_options["user_id"] = "{{ user_id }}"; uri_options["user_id"] = "{{ user_id }}";
{% endif %} {% endif %}
{% if company %} {% if company %}
uri_options["company"] = "{{ company }}"; uri_options["company"] = "{{ company|safe }}";
{% endif %} {% endif %}
{% if blueprint_id %} {% if blueprint_id %}
uri_options["blueprint_id"] = "{{ blueprint_id }}"; uri_options["blueprint_id"] = "{{ blueprint_id }}";

34
tests/unit/test_web_utils.py
View File

@ -17,6 +17,7 @@ import mock
import testtools import testtools
from dashboard import helpers from dashboard import helpers
from dashboard import parameters
class TestWebUtils(testtools.TestCase): class TestWebUtils(testtools.TestCase):
@ -104,3 +105,36 @@ Implements Blueprint ''' + (
'John Doe (Mirantis) contribution to neutron in Havana release', 'John Doe (Mirantis) contribution to neutron in Havana release',
helpers.make_page_title( helpers.make_page_title(
'Mirantis', 'John Doe', 'neutron', 'Havana')) 'Mirantis', 'John Doe', 'neutron', 'Havana'))
@mock.patch('flask.request')
@mock.patch('dashboard.parameters.get_default')
def test_parameters_get_parameter(self, get_default, flask_request):
flask_request.args = mock.Mock()
flask_request.args.get = mock.Mock(side_effect=lambda x: x)
def make(values=None):
def f(arg):
return values.get(arg, None) if values else None
return f
get_default.side_effect = make()
flask_request.args.get.side_effect = make({'param': 'foo'})
self.assertEqual(['foo'], parameters.get_parameter(
{'param': 'foo'}, 'param'))
flask_request.args.get.side_effect = make({'param': 'foo'})
self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
flask_request.args.get.side_effect = make({'param': 'foo'})
self.assertEqual([], parameters.get_parameter(
{}, 'other', use_default=False))
flask_request.args.get.side_effect = make({'params': 'foo'})
self.assertEqual(['foo'], parameters.get_parameter(
{}, 'param', plural_name='params'))
flask_request.args.get.side_effect = make({})
get_default.side_effect = make({'param': 'foo'})
self.assertEqual(['foo'], parameters.get_parameter({}, 'param'))
self.assertEqual([], parameters.get_parameter({}, 'other'))