From: Jeremy Kerr
Date: Mon, 28 Feb 2011 06:43:31 +0000 (+0800)
Subject: filters: quote param names and values when constructing querystrings
X-Git-Url: https://git.ozlabs.org/?p=patchwork;a=commitdiff_plain;h=5d56a58406cbc06012d1f1c994be4b5118ecda9c

filters: quote param names and values when constructing querystrings

Use urllib.quote to sanitise parameter names and values; prevents escaped ampersands in the input qs from appearing unescaped in the link output.

Add a testcase for the unescaped qs fragments

Signed-off-by: Jeremy Kerr
---

diff --git a/apps/patchwork/filters.py b/apps/patchwork/filters.py
index 77fc768..52fc03f 100644
--- a/apps/patchwork/filters.py
+++ b/apps/patchwork/filters.py
@@ -22,6 +22,7 @@ from patchwork.models import Person, State
 from django.utils.safestring import mark_safe
 from django.utils.html import escape
 from django.contrib.auth.models import User
+from urllib import quote
 
 class Filter(object):
     def __init__(self, filters):
@@ -444,7 +445,8 @@ class Filters:
         if remove.param in params.keys():
             del params[remove.param]
 
-        return '?' + '&'.join(['%s=%s' % x for x in params.iteritems()])
+        return '?' + '&'.join(['%s=%s' % (quote(k), quote(v))
+                for (k,v) in params.iteritems()])
 
     def querystring_without_filter(self, filter):
         return self.querystring(filter)
diff --git a/apps/patchwork/tests/__init__.py b/apps/patchwork/tests/__init__.py
index 57e15cd..68fe563 100644
--- a/apps/patchwork/tests/__init__.py
+++ b/apps/patchwork/tests/__init__.py
@@ -22,3 +22,4 @@ from patchwork.tests.encodings import *
 from patchwork.tests.bundles import *
 from patchwork.tests.mboxviews import *
 from patchwork.tests.updates import *
+from patchwork.tests.filters import *
diff --git a/apps/patchwork/tests/filters.py b/apps/patchwork/tests/filters.py
new file mode 100644
index 0000000..4744583
--- /dev/null
+++ b/apps/patchwork/tests/filters.py
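Review bot: `quote()` from Python 2's urllib raises KeyError on a unicode string containing non-ASCII characters, and the values in `params` presumably originate from the request query string (Django hands those over as unicode), so a submitter or name filter containing an accented character would now fail in the `return '?' + '&'.join(...)` line where the old `'%s=%s' % x` rendered it. Encode before quoting, or use Django's unicode-aware wrapper already available to this module: `from django.utils.http import urlquote` and `'%s=%s' % (urlquote(k), urlquote(v))`. If any Filter subclass stores a non-string value in `params` (an id, for instance), `quote()` will likewise raise TypeError where `%s` used to stringify it; I cannot see how `params` is populated from this hunk, so that is worth checking against the Filter implementations. The head of `querystring()` lies outside the hunk.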
@@ -0,0 +1,36 @@
+# Patchwork - automated patch tracking system
+# Copyright (C) 2011 Jeremy Kerr
+#
+# This file is part of the Patchwork package.
+#
+# Patchwork is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Patchwork is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchwork; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+import unittest
+from django.test import TestCase
+from django.test.client import Client
+from patchwork.tests.utils import defaults, create_user, find_in_context
+
+class FilterQueryStringTest(TestCase):
+    def testFilterQSEscaping(self):
+        """test that filter fragments in a query string are properly escaped,
+        and stray ampersands don't get reflected back in the filter
+        links"""
+        project = defaults.project
+        defaults.project.save()
+        url = '/project/%s/list/?submitter=a%%26b=c' % project.linkname
+        response = self.client.get(url)
+        self.failUnlessEqual(response.status_code, 200)
+        self.failIf('submitter=a&b=c' in response.content)
+        self.failIf('submitter=a&b=c' in response.content)
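Review bot: The two `failIf` lines closing testFilterQSEscaping are byte-identical as shown, so the second asserts nothing new; if it was meant to cover the HTML-escaped spelling of the same fragment it should read `self.failIf('submitter=a&amp;b=c' in response.content)`. Both checks are also purely negative: they pass just as well if the list view silently drops the submitter filter because `a&b=c` resolves to no submitter, so they do not demonstrate that quoting actually took place. A positive assertion on the quoted form (`self.failUnless('submitter=a%26b%3Dc' in response.content)`) or a direct unit test of `Filters.querystring()` would pin that down; I cannot see from here whether the view reflects an unresolved filter, so the expected string needs confirming against the view. `import unittest` and `Client` are unused in this file.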