filters: quote param names and values when constructing querystrings
authorJeremy Kerr <jk@ozlabs.org>
Mon, 28 Feb 2011 06:43:31 +0000 (14:43 +0800)
committerJeremy Kerr <jk@ozlabs.org>
Tue, 8 Mar 2011 04:41:18 +0000 (12:41 +0800)
Use urllib.quote to sanitise parameter names and values; prevents
escaped ampersands in the input qs from appearing unescaped in the
link output.

Add a testcase for the unescaped qs fragments

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
apps/patchwork/filters.py
apps/patchwork/tests/__init__.py
apps/patchwork/tests/filters.py [new file with mode: 0644]

index 77fc768dd485f3b6afbe3a2c0e5e9e42f5b1d946..52fc03fe19d655f78324cea43ef3533a7d232b6e 100644 (file)
@@ -22,6 +22,7 @@ from patchwork.models import Person, State
 from django.utils.safestring import mark_safe
 from django.utils.html import escape
 from django.contrib.auth.models import User
+from urllib import quote
 
 class Filter(object):
     def __init__(self, filters):
@@ -444,7 +445,8 @@ class Filters:
             if remove.param in params.keys():
                 del params[remove.param]
 
-        return '?' + '&'.join(['%s=%s' % x for x in params.iteritems()])
+        return '?' + '&'.join(['%s=%s' % (quote(k), quote(v))
+                                for (k,v) in params.iteritems()])
 
     def querystring_without_filter(self, filter):
         return self.querystring(filter)
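Review bot: In the new return on the `querystring` hunk, `urllib.quote()` is Python 2's byte-string quoter, and it raises `KeyError` when handed a unicode value containing non-ASCII characters; if `params` carries filter values taken from `request.GET` (Django hands those back as unicode), a submitter name with an accented character would now make the filter links fail where the old `'%s=%s' % x` formatting merely passed the text through. The old formatting also accepted non-string values, whereas `quote()` requires a str, so any int-valued param would break too. Both concerns go away with Django's unicode-aware encoder: `from django.utils.http import urlencode` in place of the `urllib` import, and `return '?' + urlencode(params)` as the return line, which also applies the same percent-encoding to keys and values. The enclosing `querystring()` method starts before the hunk, so how `params` is built is not visible here.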
index 57e15cdb2cee3caf1fed8b78ac1159c7859e284c..68fe563df004850a703c59aaf72e7ac5e0f8a761 100644 (file)
@@ -22,3 +22,4 @@ from patchwork.tests.encodings import *
 from patchwork.tests.bundles import *
 from patchwork.tests.mboxviews import *
 from patchwork.tests.updates import *
+from patchwork.tests.filters import *
diff --git a/apps/patchwork/tests/filters.py b/apps/patchwork/tests/filters.py
new file mode 100644 (file)
index 0000000..4744583
--- /dev/null
@@ -0,0 +1,36 @@
+# Patchwork - automated patch tracking system
+# Copyright (C) 2011 Jeremy Kerr <jk@ozlabs.org>
+#
+# This file is part of the Patchwork package.
+#
+# Patchwork is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Patchwork is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchwork; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+import unittest
+from django.test import TestCase
+from django.test.client import Client
+from patchwork.tests.utils import defaults, create_user, find_in_context
+
+class FilterQueryStringTest(TestCase):
+    def testFilterQSEscaping(self):
+        """test that filter fragments in a query string are properly escaped,
+           and stray ampersands don't get reflected back in the filter
+           links"""
+        project = defaults.project
+        defaults.project.save()
+        url = '/project/%s/list/?submitter=a%%26b=c' % project.linkname
+        response = self.client.get(url)
+        self.failUnlessEqual(response.status_code, 200)
+        self.failIf('submitter=a&amp;b=c' in response.content)
+        self.failIf('submitter=a&b=c' in response.content)
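Review bot: `testFilterQSEscaping` only asserts what must not appear, so a regression that dropped the submitter filter link from the page altogether would still pass; a positive check on the escaped form that `quote()` produces for `a&b=c`, presumably `self.failUnless('submitter=a%26b%3Dc' in response.content)`, would pin the intended behaviour rather than just the absence of the bad one. Of the imports, `unittest`, `Client`, `create_user` and `find_in_context` are unused in this file and can be removed. `failUnlessEqual` and `failIf` are deprecated aliases; `assertEqual` and `assertFalse` are the current spellings.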