@@ -620,11 +620,11 b' class TestAdminSettingsIssueTracker(obje' | |||||
620 | post_url = route_path('admin_settings_issuetracker_update') |
|
620 | post_url = route_path('admin_settings_issuetracker_update') | |
621 | post_data = { |
|
621 | post_data = { | |
622 | 'new_pattern_pattern_0': pattern, |
|
622 | 'new_pattern_pattern_0': pattern, | |
623 | 'new_pattern_url_0': 'url', |
|
623 | 'new_pattern_url_0': 'http://url', | |
624 | 'new_pattern_prefix_0': 'prefix', |
|
624 | 'new_pattern_prefix_0': 'prefix', | |
625 | 'new_pattern_description_0': 'description', |
|
625 | 'new_pattern_description_0': 'description', | |
626 | 'new_pattern_pattern_1': another_pattern, |
|
626 | 'new_pattern_pattern_1': another_pattern, | |
627 | 'new_pattern_url_1': 'url1', |
|
627 | 'new_pattern_url_1': 'https://url1', | |
628 | 'new_pattern_prefix_1': 'prefix1', |
|
628 | 'new_pattern_prefix_1': 'prefix1', | |
629 | 'new_pattern_description_1': 'description1', |
|
629 | 'new_pattern_description_1': 'description1', | |
630 | 'csrf_token': csrf_token |
|
630 | 'csrf_token': csrf_token | |
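Review bot: The fixture changes at new lines 623 and 627 only move the test data onto the new allow-list (`http://url`, `https://url1`); no updated test exercises the rejection path that the validator now has, so a regression to accepting an arbitrary scheme would pass the suite unnoticed. Add a case that posts a `new_pattern_url_0` value that starts neither with `http` nor with `/` and asserts the `Invalid issue tracker pattern` flash is shown and that no pattern was stored, and add the same negative case to the `TestRepoIssueTracker` hunks (new lines 61, 65, 109). The enclosing test method starts and ends outside this hunk.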
@@ -663,7 +663,7 b' class TestAdminSettingsIssueTracker(obje' | |||||
663 | post_url = route_path('admin_settings_issuetracker_update') |
|
663 | post_url = route_path('admin_settings_issuetracker_update') | |
664 | post_data = { |
|
664 | post_data = { | |
665 | 'new_pattern_pattern_0': pattern, |
|
665 | 'new_pattern_pattern_0': pattern, | |
666 | 'new_pattern_url_0': 'url', |
|
666 | 'new_pattern_url_0': 'https://url', | |
667 | 'new_pattern_prefix_0': 'prefix', |
|
667 | 'new_pattern_prefix_0': 'prefix', | |
668 | 'new_pattern_description_0': 'description', |
|
668 | 'new_pattern_description_0': 'description', | |
669 | 'uid': old_uid, |
|
669 | 'uid': old_uid, | |
@@ -697,7 +697,7 b' class TestAdminSettingsIssueTracker(obje' | |||||
697 | post_url = route_path('admin_settings_issuetracker_update') |
|
697 | post_url = route_path('admin_settings_issuetracker_update') | |
698 | post_data = { |
|
698 | post_data = { | |
699 | 'new_pattern_pattern_0': pattern, |
|
699 | 'new_pattern_pattern_0': pattern, | |
700 | 'new_pattern_url_0': 'url', |
|
700 | 'new_pattern_url_0': 'https://url', | |
701 | 'new_pattern_prefix_0': 'prefix', |
|
701 | 'new_pattern_prefix_0': 'prefix', | |
702 | 'new_pattern_description_0': new_description, |
|
702 | 'new_pattern_description_0': new_description, | |
703 | 'uid': self.uid, |
|
703 | 'uid': self.uid, |
@@ -481,7 +481,15 b' class AdminSettingsView(BaseAppView):' | |||||
481 | self.load_default_context() |
|
481 | self.load_default_context() | |
482 | settings_model = IssueTrackerSettingsModel() |
|
482 | settings_model = IssueTrackerSettingsModel() | |
483 |
|
483 | |||
|
484 | try: | |||
484 | form = IssueTrackerPatternsForm()().to_python(self.request.POST) |
|
485 | form = IssueTrackerPatternsForm()().to_python(self.request.POST) | |
|
486 | except formencode.Invalid as errors: | |||
|
487 | log.exception('Failed to add new pattern') | |||
|
488 | error = errors | |||
|
489 | h.flash(_('Invalid issue tracker pattern: {}'.format(error)), | |||
|
490 | category='error') | |||
|
491 | raise HTTPFound(h.route_path('admin_settings_issuetracker')) | |||
|
492 | ||||
485 | if form: |
|
493 | if form: | |
486 | for uid in form.get('delete_patterns', []): |
|
494 | for uid in form.get('delete_patterns', []): | |
487 | settings_model.delete_entries(uid) |
|
495 | settings_model.delete_entries(uid) |
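Review bot: At new line 489 the message is formatted before it reaches `_()`, so the string looked up in the translation catalog is the already-interpolated text and never matches the catalog entry; it should read `h.flash(_('Invalid issue tracker pattern: {}').format(error), category='error')`. The same construct appears in the `RepoSettingsIssueTrackersView` hunk at new lines 125-126. `log.exception` at 487 writes a full traceback for what is an ordinary user-input validation failure, and the `error = errors` alias at 488 adds nothing; `log.warning('Invalid issue tracker pattern submitted: %s', errors)` keeps the event in the log without the stack noise. The validator message is echoed back to the user via the flash, and whether `h.flash` escapes it is not visible here, so confirm at the rendering site. The enclosing view method continues outside the hunk.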
@@ -58,11 +58,11 b' class TestRepoIssueTracker(object):' | |||||
58 | 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name) |
|
58 | 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name) | |
59 | post_data = { |
|
59 | post_data = { | |
60 | 'new_pattern_pattern_0': pattern, |
|
60 | 'new_pattern_pattern_0': pattern, | |
61 | 'new_pattern_url_0': 'url', |
|
61 | 'new_pattern_url_0': 'http://url', | |
62 | 'new_pattern_prefix_0': 'prefix', |
|
62 | 'new_pattern_prefix_0': 'prefix', | |
63 | 'new_pattern_description_0': 'description', |
|
63 | 'new_pattern_description_0': 'description', | |
64 | 'new_pattern_pattern_1': another_pattern, |
|
64 | 'new_pattern_pattern_1': another_pattern, | |
65 | 'new_pattern_url_1': 'url1', |
|
65 | 'new_pattern_url_1': '/url1', | |
66 | 'new_pattern_prefix_1': 'prefix1', |
|
66 | 'new_pattern_prefix_1': 'prefix1', | |
67 | 'new_pattern_description_1': 'description1', |
|
67 | 'new_pattern_description_1': 'description1', | |
68 | 'csrf_token': csrf_token |
|
68 | 'csrf_token': csrf_token | |
@@ -84,7 +84,7 b' class TestRepoIssueTracker(object):' | |||||
84 | extra_environ=xhr_header, params=data) |
|
84 | extra_environ=xhr_header, params=data) | |
85 |
|
85 | |||
86 | assert response.body == \ |
|
86 | assert response.body == \ | |
87 | 'example of <a class="issue-tracker-link" href="url">prefix</a> replacement' |
|
87 | 'example of <a class="issue-tracker-link" href="http://url">prefix</a> replacement' | |
88 |
|
88 | |||
89 | @request.addfinalizer |
|
89 | @request.addfinalizer | |
90 | def cleanup(): |
|
90 | def cleanup(): | |
@@ -106,7 +106,7 b' class TestRepoIssueTracker(object):' | |||||
106 | 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name) |
|
106 | 'edit_repo_issuetracker_update', repo_name=backend.repo.repo_name) | |
107 | post_data = { |
|
107 | post_data = { | |
108 | 'new_pattern_pattern_0': pattern, |
|
108 | 'new_pattern_pattern_0': pattern, | |
109 | 'new_pattern_url_0': 'url', |
|
109 | 'new_pattern_url_0': '/url', | |
110 | 'new_pattern_prefix_0': 'prefix', |
|
110 | 'new_pattern_prefix_0': 'prefix', | |
111 | 'new_pattern_description_0': 'description', |
|
111 | 'new_pattern_description_0': 'description', | |
112 | 'uid': old_uid, |
|
112 | 'uid': old_uid, |
@@ -22,6 +22,7 b' import logging' | |||||
22 |
|
22 | |||
23 | from pyramid.httpexceptions import HTTPFound |
|
23 | from pyramid.httpexceptions import HTTPFound | |
24 | from pyramid.view import view_config |
|
24 | from pyramid.view import view_config | |
|
25 | import formencode | |||
25 |
|
26 | |||
26 | from rhodecode.apps._base import RepoAppView |
|
27 | from rhodecode.apps._base import RepoAppView | |
27 | from rhodecode.lib import audit_logger |
|
28 | from rhodecode.lib import audit_logger | |
@@ -116,7 +117,17 b' class RepoSettingsIssueTrackersView(Repo' | |||||
116 | repo_settings.inherit_global_settings = inherited |
|
117 | repo_settings.inherit_global_settings = inherited | |
117 | Session().commit() |
|
118 | Session().commit() | |
118 |
|
119 | |||
|
120 | try: | |||
119 | form = IssueTrackerPatternsForm()().to_python(self.request.POST) |
|
121 | form = IssueTrackerPatternsForm()().to_python(self.request.POST) | |
|
122 | except formencode.Invalid as errors: | |||
|
123 | log.exception('Failed to add new pattern') | |||
|
124 | error = errors | |||
|
125 | h.flash(_('Invalid issue tracker pattern: {}'.format(error)), | |||
|
126 | category='error') | |||
|
127 | raise HTTPFound( | |||
|
128 | h.route_path('edit_repo_issuetracker', | |||
|
129 | repo_name=self.db_repo_name)) | |||
|
130 | ||||
120 | if form: |
|
131 | if form: | |
121 | self._update_patterns(form, repo_settings) |
|
132 | self._update_patterns(form, repo_settings) | |
122 |
|
133 |
@@ -1081,6 +1081,9 b' def ValidAuthPlugins():' | |||||
1081 | def ValidPattern(): |
|
1081 | def ValidPattern(): | |
1082 |
|
1082 | |||
1083 | class _Validator(formencode.validators.FancyValidator): |
|
1083 | class _Validator(formencode.validators.FancyValidator): | |
|
1084 | messages = { | |||
|
1085 | 'bad_format': _(u'Url must start with http or /'), | |||
|
1086 | } | |||
1084 |
|
1087 | |||
1085 | def _to_python(self, value, state): |
|
1088 | def _to_python(self, value, state): | |
1086 | patterns = [] |
|
1089 | patterns = [] | |
@@ -1096,7 +1099,6 b' def ValidPattern():' | |||||
1096 |
|
1099 | |||
1097 | values = { |
|
1100 | values = { | |
1098 | 'issuetracker_pat': value.get(_field('pattern')), |
|
1101 | 'issuetracker_pat': value.get(_field('pattern')), | |
1099 | 'issuetracker_pat': value.get(_field('pattern')), |
|
|||
1100 | 'issuetracker_url': value.get(_field('url')), |
|
1102 | 'issuetracker_url': value.get(_field('url')), | |
1101 | 'issuetracker_pref': value.get(_field('prefix')), |
|
1103 | 'issuetracker_pref': value.get(_field('prefix')), | |
1102 | 'issuetracker_desc': value.get(_field('description')) |
|
1104 | 'issuetracker_desc': value.get(_field('description')) | |
@@ -1108,6 +1110,14 b' def ValidPattern():' | |||||
1108 | and values['issuetracker_url']) |
|
1110 | and values['issuetracker_url']) | |
1109 |
|
1111 | |||
1110 | if has_required_fields: |
|
1112 | if has_required_fields: | |
|
1113 | # validate url that it starts with http or / | |||
|
1114 | # otherwise it can lead to JS injections | |||
|
1115 | # e.g specifig javascript:<malicios code> | |||
|
1116 | if not values['issuetracker_url'].startswith(('http', '/')): | |||
|
1117 | raise formencode.Invalid( | |||
|
1118 | self.message('bad_format', state), | |||
|
1119 | value, state) | |||
|
1120 | ||||
1111 | settings = [ |
|
1121 | settings = [ | |
1112 | ('_'.join((key, new_uid)), values[key], 'unicode') |
|
1122 | ('_'.join((key, new_uid)), values[key], 'unicode') | |
1113 | for key in values] |
|
1123 | for key in values] |
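Review bot: The check at new line 1116, `startswith(('http', '/'))`, is a prefix test rather than a scheme test: it accepts any value that merely begins with the four characters `http`, and the `/` branch also admits scheme-relative `//host` values, so it is looser than the comment above it and the `bad_format` message describe. Tightening it to `url = values['issuetracker_url']` and `if not url.startswith(('http://', 'https://', '/')) or url.startswith('//'):` matches the stated intent without a new import. The comment at 1113-1115 has typos (`specifig`, `malicios`); suggested wording: `# Only http(s) URLs or local paths are stored: the value is rendered into an href, so any other scheme must be rejected here.` `_Validator._to_python` and the enclosing `ValidPattern()` begin outside this hunk.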