def valid_url(prop, value, report, generate_https_urls):
    """Validate one ``url(...)`` value found in a stylesheet.

    The only accepted form is the custom image label (``%%example%%``).
    A label naming an image returned by ``ImagesByWikiPage.get_images``
    for the site's ``config/stylesheet`` page is rewritten in place to
    that image's URL. Everything else is appended to ``report`` as a
    ``ValidationError``.

    Args:
        prop: not referenced by this function.
        value: CSS value object; read through ``getStringValue()`` and
            ``cssText``, rewritten through ``_setCssText()``.
        report: list collecting one ``ValidationError`` per rejected URL.
        generate_https_urls: when true, the stored URL is passed through
            ``s3_direct_https`` before it is written back.

    Raises:
        IndexError: re-raised from ``value.getStringValue()`` after the
            problem has been logged.
    """
    try:
        url = value.getStringValue()
    except IndexError:
        g.log.error("Problem validating [%r]" % value)
        raise

    label_match = custom_img_urls.match(url)
    if not label_match:
        # Allowlist by construction: whatever is not an image label is
        # refused, so no URL text from the stylesheet is ever emitted.
        report.append(ValidationError(msgs["custom_images_only"], value))
        return

    name = label_match.group(1)

    # this relies on localcache to not be doing a lot of lookups
    images = ImagesByWikiPage.get_images(c.site, "config/stylesheet")

    if name not in images:
        # unknown image label -> error
        report.append(
            ValidationError(
                msgs['broken_url'] % dict(brokenurl=value.cssText), value))
        return

    stored_url = images[name]
    url = s3_direct_https(stored_url) if generate_https_urls else stored_url
    # NOTE(review): the stored URL is interpolated unquoted into url(...);
    # this presumably relies on stored image URLs never containing
    # characters that would end the url() token -- confirm where the
    # images mapping is written.
    value._setCssText("url(%s)" % url)
def valid_url(prop, value, report, generate_https_urls, enforce_custom_images_only):
    """Check a ``url(...)`` argument in CSS against the sanctioned forms.

    Sanctioned urls include:
     * anything in /static/ (whatever ``local_urls`` matches)
     * image labels %%..%% for images uploaded on /about/stylesheet
     * urls with domains in g.allowed_css_linked_domains

    When ``enforce_custom_images_only`` is set, only image labels are
    accepted. Rejections are appended to ``report``; an accepted image
    label is rewritten in place to the stored image URL.

    Args:
        prop: not referenced by this function.
        value: CSS value object; read through ``getStringValue()`` and
            ``cssText``, rewritten through ``_setCssText()``.
        report: list collecting one ``ValidationError`` per rejected URL.
        generate_https_urls: when true, the stored image URL is passed
            through ``s3_direct_https`` before it is written back.
        enforce_custom_images_only: when true, local and external URLs
            are reported with the ``custom_images_only`` message.

    Raises:
        IndexError: re-raised from ``value.getStringValue()`` after the
            problem has been logged.
    """
    def report_broken():
        # cssText is read at report time, as in each original call site.
        report.append(
            ValidationError(
                msgs["broken_url"] % dict(brokenurl=value.cssText), value))

    def report_custom_only():
        report.append(ValidationError(msgs["custom_images_only"], value))

    try:
        url = value.getStringValue()
    except IndexError:
        g.log.error("Problem validating [%r]" % value)
        raise

    # local urls are allowed
    if local_urls.match(url):
        if enforce_custom_images_only:
            report_custom_only()
            return

        # Unescape until a fixed point is reached, so the check below sees
        # the fully decoded form even when the input is encoded repeatedly.
        previous = None
        while url != previous:
            previous, url = url, filters.url_unescape(url)

        # disallow path trickery
        # NOTE(review): only the literal "../" is looked for. Whether other
        # spellings of a parent-directory step (backslash separators, a
        # trailing "..") can get this far depends on local_urls, which is
        # not visible here -- confirm. The value is left as written; only
        # the decoded copy is inspected.
        if "../" in url:
            report_broken()
        return

    # custom urls are allowed, but need to be transformed into a real path
    label_match = custom_img_urls.match(url)
    if label_match:
        name = label_match.group(1)

        # this relies on localcache to not be doing a lot of lookups
        images = ImagesByWikiPage.get_images(c.site, "config/stylesheet")

        if name not in images:
            # unknown image label -> error
            report_broken()
            return

        stored_url = images[name]
        url = s3_direct_https(stored_url) if generate_https_urls else stored_url
        # NOTE(review): interpolated unquoted into url(...); presumably the
        # stored URLs never contain characters that end the token -- confirm.
        value._setCssText("url(%s)" % url)
        return

    if enforce_custom_images_only:
        report_custom_only()
        return

    # External URL: both the scheme and the exact netloc must be on their
    # allowlists. A URL that cannot be parsed is rejected (fail closed).
    try:
        parsed = urlparse(url)
        scheme_ok = parsed.scheme and parsed.scheme in valid_url_schemes
        # Exact membership test on the netloc string as urlparse returns
        # it; assumes the allowlist holds bare host names -- TODO confirm.
        domain_ok = parsed.netloc in g.allowed_css_linked_domains
        acceptable = bool(parsed and scheme_ok and domain_ok)
    except ValueError:
        acceptable = False

    # allowed domains are ok
    if not acceptable:
        report_broken()
def valid_url(prop, value, report, generate_https_urls, enforce_custom_images_only):
    """Validate a ``url(...)`` argument in CSS, reporting unsanctioned ones.

    Sanctioned urls include:
     * anything in /static/ (whatever ``local_urls`` matches)
     * image labels %%..%% for images uploaded on /about/stylesheet
     * urls with domains in g.allowed_css_linked_domains

    The URL is classified once as local, image label or external, and
    then checked by the rule for that class. With
    ``enforce_custom_images_only`` set, every class except image labels
    is reported with the ``custom_images_only`` message.

    Args:
        prop: not referenced by this function.
        value: CSS value object; read through ``getStringValue()`` and
            ``cssText``, rewritten through ``_setCssText()`` when an image
            label resolves.
        report: list collecting one ``ValidationError`` per rejected URL.
        generate_https_urls: when true, the stored image URL is passed
            through ``s3_direct_https`` before it is written back.
        enforce_custom_images_only: restricts accepted URLs to image
            labels.

    Raises:
        IndexError: re-raised from ``value.getStringValue()`` after the
            problem has been logged.
    """
    try:
        url = value.getStringValue()
    except IndexError:
        g.log.error("Problem validating [%r]" % value)
        raise

    # Classify. The label pattern is consulted only for URLs that are not
    # local, which keeps the original if/elif evaluation order.
    is_local = local_urls.match(url)
    label = None if is_local else custom_img_urls.match(url)

    # Local and external URLs are both refused in custom-images-only mode;
    # label is falsy for exactly those two classes.
    if enforce_custom_images_only and not label:
        report.append(ValidationError(msgs["custom_images_only"], value))
        return

    if is_local:
        # local urls are allowed
        # Decode percent-escapes until the string stops changing, so that
        # nested encodings are fully unwrapped before the check.
        last_seen = None
        while url != last_seen:
            last_seen, url = url, filters.url_unescape(url)

        # disallow path trickery
        # NOTE(review): the test is for the literal "../" only; the
        # local_urls pattern is not shown, so it cannot be told from here
        # whether other parent-directory spellings are already excluded
        # upstream -- confirm.
        rejected = "../" in url
    elif label:
        # custom urls are allowed, but need to be transformed into a real path
        name = label.group(1)

        # this relies on localcache to not be doing a lot of lookups
        images = ImagesByWikiPage.get_images(c.site, "config/stylesheet")

        # unknown image label -> error
        rejected = name not in images
        if not rejected:
            if generate_https_urls:
                url = s3_direct_https(images[name])
            else:
                url = images[name]
            # NOTE(review): written back unquoted inside url(...) --
            # presumably stored URLs are safe for that context; confirm.
            value._setCssText("url(%s)" % url)
    else:
        # External URL: the scheme must be in valid_url_schemes and the
        # netloc must be an exact member of the allowed-domain list.
        try:
            u = urlparse(url)
            valid_scheme = u.scheme and u.scheme in valid_url_schemes
            valid_domain = u.netloc in g.allowed_css_linked_domains
            # allowed domains are ok
            rejected = not (u and valid_scheme and valid_domain)
        except ValueError:
            # An unparseable URL is treated as not allowed (fail closed).
            rejected = True

    if rejected:
        report.append(
            ValidationError(
                msgs['broken_url'] % dict(brokenurl=value.cssText), value))