def valid_url(prop, value, report, generate_https_urls):
    """Validate a ``url(...)`` argument in a stylesheet.

    Only the custom image-label form recognised by ``custom_img_urls``
    (``%%label%%`` per the original note) is accepted.  A label that names an
    uploaded image is rewritten in place to the stored image URL; any other
    URL, or an unknown label, is reported as an error.

    Args:
        prop: the CSS property owning the value; unused here, kept for the
            validator calling convention.
        value: cssutils value holding the URL (read via ``getStringValue``,
            rewritten via ``_setCssText``).
        report: list that receives ``ValidationError`` instances.
        generate_https_urls: when true the stored image URL is passed through
            ``s3_direct_https`` before being written back.

    Raises:
        IndexError: re-raised after logging when the value has no string.
    """
    try:
        raw_url = value.getStringValue()
    except IndexError:
        g.log.error("Problem validating [%r]" % value)
        raise

    match = custom_img_urls.match(raw_url)
    if match is None:
        # anything that is not a custom image label is rejected outright
        report.append(ValidationError(msgs["custom_images_only"], value))
        return

    label = match.group(1)

    # this relies on localcache to not be doing a lot of lookups
    images = ImagesByWikiPage.get_images(c.site, "config/stylesheet")

    if label not in images:
        # unknown image label -> error; the offending CSS text is echoed back
        report.append(ValidationError(msgs['broken_url']
                                      % dict(brokenurl=value.cssText),
                                      value))
        return

    stored_url = images[label]
    resolved = s3_direct_https(stored_url) if generate_https_urls else stored_url
    value._setCssText("url(%s)" % resolved)
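def valid_url(prop, value, report, generate_https_urls, enforce_custom_images_only):
    """Check a ``url(...)`` argument in user CSS against the sanctioned forms.

    A URL passes only if it is one of:
     * a local URL matched by ``local_urls`` (the /static/ tree, per the
       original author's note) which, once fully percent-decoded, contains
       no ``../`` sequence
     * an image label ``%%..%%`` matched by ``custom_img_urls`` naming an
       image uploaded on the stylesheet page; the value is rewritten in
       place to the stored image URL
     * an absolute URL whose scheme is in ``valid_url_schemes`` and whose
       netloc is exactly one of ``g.allowed_css_linked_domains``

    With ``enforce_custom_images_only`` set only the image-label form is
    accepted.  Every rejection appends a ``ValidationError`` to ``report``;
    the function returns nothing.

    Args:
        prop: the CSS property owning the value; unused here, kept for the
            validator calling convention.
        value: cssutils value holding the URL (read via ``getStringValue``,
            rewritten via ``_setCssText`` for image labels).
        report: list that receives ``ValidationError`` instances.
        generate_https_urls: when true the stored image URL is passed through
            ``s3_direct_https`` before being written back.
        enforce_custom_images_only: reject local and remote URLs outright.

    Raises:
        IndexError: re-raised after logging when the value has no string.
    """
    try:
        url = value.getStringValue()
    except IndexError:
        g.log.error("Problem validating [%r]" % value)
        raise

    def broken_url_error():
        # Build the "broken url" error; the offending CSS text is echoed back.
        return ValidationError(msgs["broken_url"] % dict(brokenurl=value.cssText), value)

    def custom_images_only_error():
        # Build the error used when only %%label%% images are permitted.
        return ValidationError(msgs["custom_images_only"], value)

    # Match once and reuse; the original matched the same regex twice.
    img_match = custom_img_urls.match(url)

    # local urls are allowed
    if local_urls.match(url):
        if enforce_custom_images_only:
            report.append(custom_images_only_error())
            return

        # Decode to a fixed point so a multiply percent-encoded sequence
        # cannot hide from the traversal check below.
        previous = None
        while url != previous:
            previous, url = url, filters.url_unescape(url)
        # disallow path trickery -- a substring test on the decoded form, so
        # only the "../" spelling is rejected; NOTE(review): other separator
        # spellings are not covered here, confirm against the serving layer
        if "../" in url:
            report.append(broken_url_error())
    # custom urls are allowed, but need to be transformed into a real path
    elif img_match:
        name = img_match.group(1)

        # this relies on localcache to not be doing a lot of lookups
        images = ImagesByWikiPage.get_images(c.site, "config/stylesheet")

        if name in images:
            stored_url = images[name]
            resolved = s3_direct_https(stored_url) if generate_https_urls else stored_url
            value._setCssText("url(%s)" % resolved)
        else:
            # unknown image label -> error
            report.append(broken_url_error())
    else:
        if enforce_custom_images_only:
            report.append(custom_images_only_error())
            return

        try:
            parsed = urlparse(url)
            # The scheme must be explicitly listed and the netloc must equal
            # an allowed domain exactly (no suffix or substring matching).
            valid_scheme = parsed.scheme and parsed.scheme in valid_url_schemes
            valid_domain = parsed.netloc in g.allowed_css_linked_domains
            allowed = bool(valid_scheme and valid_domain)
        except ValueError:
            # unparseable url -> treated like any other rejected url
            allowed = False

        # allowed domains are ok
        if not allowed:
            report.append(broken_url_error())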