From 5d56a58406cbc06012d1f1c994be4b5118ecda9c Mon Sep 17 00:00:00 2001
From: Jeremy Kerr
Date: Mon, 28 Feb 2011 14:43:31 +0800
Subject: [PATCH] filters: quote param names and values when constructing querystrings

Use urllib.quote to sanitise parameter names and values; prevents escaped ampersands in the input qs from appearing unescaped in the link output.

Add a testcase for the unescaped qs fragments

Signed-off-by: Jeremy Kerr
---
 apps/patchwork/filters.py | 4 +++-
 apps/patchwork/tests/__init__.py | 1 +
 apps/patchwork/tests/filters.py | 36 ++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 apps/patchwork/tests/filters.py

diff --git a/apps/patchwork/filters.py b/apps/patchwork/filters.py
index 77fc768..52fc03f 100644
--- a/apps/patchwork/filters.py
+++ b/apps/patchwork/filters.py
@@ -22,6 +22,7 @@ from patchwork.models import Person, State
 from django.utils.safestring import mark_safe
 from django.utils.html import escape
 from django.contrib.auth.models import User
+from urllib import quote
 
 class Filter(object):
     def __init__(self, filters):
@@ -444,7 +445,8 @@ class Filters:
         if remove.param in params.keys():
             del params[remove.param]
 
-        return '?' + '&'.join(['%s=%s' % x for x in params.iteritems()])
+        return '?' + '&'.join(['%s=%s' % (quote(k), quote(v))
+                for (k,v) in params.iteritems()])
 
     def querystring_without_filter(self, filter):
         return self.querystring(filter)
diff --git a/apps/patchwork/tests/__init__.py b/apps/patchwork/tests/__init__.py
index 57e15cd..68fe563 100644
--- a/apps/patchwork/tests/__init__.py
+++ b/apps/patchwork/tests/__init__.py
@@ -22,3 +22,4 @@ from patchwork.tests.encodings import *
 from patchwork.tests.bundles import *
 from patchwork.tests.mboxviews import *
 from patchwork.tests.updates import *
+from patchwork.tests.filters import *
diff --git a/apps/patchwork/tests/filters.py b/apps/patchwork/tests/filters.py
new file mode 100644
index 0000000..4744583
--- /dev/null
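Review bot: The new `quote(k)` / `quote(v)` in the return statement of `Filters.querystring()` will raise `KeyError` under Python 2's `urllib.quote` when a value is a unicode string containing non-ASCII characters, so a submitter name with an accent arriving in the query string would turn the filtered list page into a 500 instead of an escaped link. I can't see where `params` is populated, but if its values can originate from `request.GET` (unicode in Django) they need to be UTF-8 encoded before quoting; a small module-level helper keeps the comprehension readable. Also worth a one-line comment on the return: `quote()` leaves `/` unescaped by default, which is harmless inside a query value but is the kind of detail the next reader of a "sanitise" change will ask about. The signature and the start of `querystring()`'s body lie outside this hunk.
```python
def _quote_param(s):
    # urllib.quote() only accepts byte strings; a unicode value holding
    # non-ASCII characters raises KeyError, so encode before quoting.
    if isinstance(s, unicode):
        s = s.encode('utf-8')
    return quote(s)

# … unchanged: Filters.querystring() up to the params cleanup …
        return '?' + '&'.join(['%s=%s' % (_quote_param(k), _quote_param(v))
                for (k, v) in params.iteritems()])
```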
+++ b/apps/patchwork/tests/filters.py
@@ -0,0 +1,36 @@
+# Patchwork - automated patch tracking system
+# Copyright (C) 2011 Jeremy Kerr
+#
+# This file is part of the Patchwork package.
+#
+# Patchwork is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Patchwork is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchwork; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+import unittest
+from django.test import TestCase
+from django.test.client import Client
+from patchwork.tests.utils import defaults, create_user, find_in_context
+
+class FilterQueryStringTest(TestCase):
+    def testFilterQSEscaping(self):
+        """test that filter fragments in a query string are properly escaped,
+        and stray ampersands don't get reflected back in the filter
+        links"""
+        project = defaults.project
+        defaults.project.save()
+        url = '/project/%s/list/?submitter=a%%26b=c' % project.linkname
+        response = self.client.get(url)
+        self.failUnlessEqual(response.status_code, 200)
+        self.failIf('submitter=a&b=c' in response.content)
+        self.failIf('submitter=a&b=c' in response.content)
--
2.39.2
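Review bot: The last two `failIf` assertions in `testFilterQSEscaping` are byte-identical, so the second proves nothing; it looks like one of them was meant to catch the HTML-escaped form that would appear inside an `href` attribute, `self.failIf('submitter=a&amp;b=c' in response.content)`. The test is also purely negative and would still pass if the filter silently dropped the submitter parameter, so if the value is echoed back into the filter links a positive check such as `self.assertTrue('submitter=a%26b%3Dc' in response.content)` would pin the quoted output rather than just the absence of the raw one. `unittest`, `Client`, `create_user` and `find_in_context` are imported but never used, and `failIf` / `failUnlessEqual` are the deprecated aliases of `assertFalse` / `assertEqual`.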