Exemplo n.º 1
def test_outgoing_url():
    """Exercise get_outgoing_url() under a patched redirector configuration.

    Four properties are checked: an ordinary external URL is wrapped and
    percent-escaped, an already wrapped URL is returned as is, a host that
    merely begins with the redirector's host name is not mistaken for the
    redirector, and a whitelisted domain passes through unchanged.
    """
    # Keep the live values so the finally block can restore them even when
    # an assertion fails.
    saved_url = settings.REDIRECT_URL
    saved_key = settings.REDIRECT_SECRET_KEY
    saved_whitelist = settings.REDIRECT_URL_WHITELIST

    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'
    settings.REDIRECT_URL_WHITELIST = ['nicedomain.com']

    try:
        # Regular URLs must be escaped.
        # NOTE(review): the 64-hex-digit path segment is presumably derived
        # from the URL and REDIRECT_SECRET_KEY -- confirm in the resolver.
        expected = (
            'http://example.net/bc7d4bb262c9f0b0f6d3412ede7d3252c2e311bb1d55f6'
            '2315f636cb8a70913b/'
            'http%3A//example.com')
        wrapped = urlresolvers.get_outgoing_url('http://example.com')
        eq_(wrapped, expected)

        # No double-escaping of outgoing URLs.
        eq_(wrapped, urlresolvers.get_outgoing_url(wrapped))

        # "http://example.net.evildomain.com" shares a string prefix with the
        # redirector but is a different host; it must still be rewritten.
        lookalike = settings.REDIRECT_URL.rstrip('/') + '.evildomain.com'
        assert_not_equal(
            urlresolvers.get_outgoing_url(lookalike), lookalike,
            'No subdomain abuse of double-escaping protection.')

        # Whitelisted domains come back unchanged.
        whitelisted = 'http://nicedomain.com/lets/go/go/go'
        eq_(whitelisted, urlresolvers.get_outgoing_url(whitelisted))

    finally:
        settings.REDIRECT_URL = saved_url
        settings.REDIRECT_SECRET_KEY = saved_key
        settings.REDIRECT_URL_WHITELIST = saved_whitelist
Exemplo n.º 2
def test_outgoing_url():
    """Verify wrapping, idempotence and bypass rules of get_outgoing_url().

    The redirector settings are replaced for the duration of the test and
    restored in the finally block.
    """
    originals = (
        settings.REDIRECT_URL,
        settings.REDIRECT_SECRET_KEY,
        settings.REDIRECT_URL_WHITELIST,
    )
    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'
    settings.REDIRECT_URL_WHITELIST = ['nicedomain.com']

    try:
        source = 'http://example.com'
        outgoing = urlresolvers.get_outgoing_url(source)

        # Regular URLs must be escaped.
        # NOTE(review): the 40-hex-digit segment is presumably a digest tied
        # to REDIRECT_SECRET_KEY -- confirm against the implementation.
        eq_(outgoing,
            'http://example.net/6119a8f8ce0e9f9a5ec803e7e0c120b2243ffcb6/'
            'http%3A//example.com')

        # No double-escaping of outgoing URLs.
        again = urlresolvers.get_outgoing_url(outgoing)
        eq_(outgoing, again)

        # A host that only starts with the redirector's host name is a
        # different site and must not be returned untouched.
        impostor = settings.REDIRECT_URL.rstrip('/') + '.evildomain.com'
        rewritten = urlresolvers.get_outgoing_url(impostor)
        assert_not_equal(rewritten, impostor,
                         'No subdomain abuse of double-escaping protection.')

        # Domains listed in REDIRECT_URL_WHITELIST are returned unchanged.
        trusted = 'http://nicedomain.com/lets/go/go/go'
        eq_(trusted, urlresolvers.get_outgoing_url(trusted))

    finally:
        (settings.REDIRECT_URL,
         settings.REDIRECT_SECRET_KEY,
         settings.REDIRECT_URL_WHITELIST) = originals
Exemplo n.º 3
def test_outgoing_url():
    """Run get_outgoing_url() through its wrap / no-rewrap / bypass cases.

    Settings are swapped by name so that saving and restoring cover exactly
    the same three attributes.
    """
    overrides = (
        ('REDIRECT_URL', 'http://example.net'),
        ('REDIRECT_SECRET_KEY', 'sekrit'),
        ('REDIRECT_URL_WHITELIST', ['nicedomain.com']),
    )
    # Read all three originals before any of them is overwritten.
    saved = [(name, getattr(settings, name)) for name, _ in overrides]
    for name, value in overrides:
        setattr(settings, name, value)

    try:
        plain = 'http://example.com'
        bounced = urlresolvers.get_outgoing_url(plain)

        # Regular URLs must be escaped.
        want = ('http://example.net/6119a8f8ce0e9f9a5ec803e7e0c120b2243ffcb6/'
                'http%3A//example.com')
        eq_(bounced, want)

        # No double-escaping of outgoing URLs.
        eq_(bounced, urlresolvers.get_outgoing_url(bounced))

        # Prefix look-alike of the redirector host: must still be rewritten,
        # otherwise the "already wrapped" shortcut could be abused.
        fake = settings.REDIRECT_URL.rstrip('/') + '.evildomain.com'
        result = urlresolvers.get_outgoing_url(fake)
        assert_not_equal(result, fake,
                         'No subdomain abuse of double-escaping protection.')

        # Whitelisted domain: returned exactly as given.
        allowed = 'http://nicedomain.com/lets/go/go/go'
        eq_(allowed, urlresolvers.get_outgoing_url(allowed))

    finally:
        for name, value in saved:
            setattr(settings, name, value)
Exemplo n.º 4
def test_outgoing_url():
    """Check the redirector URL builder with temporary test settings.

    Asserts the exact wrapped form of an external URL, that wrapping is not
    applied twice, that a look-alike of the redirector host is still
    rewritten, and that a whitelisted domain is left alone.
    """
    old_redirect = settings.REDIRECT_URL
    old_secret = settings.REDIRECT_SECRET_KEY
    old_whitelist = settings.REDIRECT_URL_WHITELIST
    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'
    settings.REDIRECT_URL_WHITELIST = ['nicedomain.com']

    try:
        first_pass = urlresolvers.get_outgoing_url('http://example.com')

        # Regular URLs must be escaped.  The middle path segment is 64 hex
        # digits; the scheme separator of the target is percent-encoded.
        eq_(first_pass,
            'http://example.net/bc7d4bb262c9f0b0f6d3412ede7d3252c2e311bb1d55f6'
            '2315f636cb8a70913b/'
            'http%3A//example.com')

        # No double-escaping of outgoing URLs.
        second_pass = urlresolvers.get_outgoing_url(first_pass)
        eq_(first_pass, second_pass)

        # The no-double-escaping shortcut must compare hosts, not string
        # prefixes: this URL begins with REDIRECT_URL but points elsewhere.
        failure_note = 'No subdomain abuse of double-escaping protection.'
        spoofed = settings.REDIRECT_URL.rstrip('/') + '.evildomain.com'
        handled = urlresolvers.get_outgoing_url(spoofed)
        assert_not_equal(handled, spoofed, failure_note)

        # Whitelisted domains are not sent through the redirector.
        friendly = 'http://nicedomain.com/lets/go/go/go'
        eq_(friendly, urlresolvers.get_outgoing_url(friendly))

    finally:
        settings.REDIRECT_URL = old_redirect
        settings.REDIRECT_SECRET_KEY = old_secret
        settings.REDIRECT_URL_WHITELIST = old_whitelist
Exemplo n.º 5
def test_outgoing_url_query_params():
    """Query strings survive wrapping and quote characters get encoded."""
    plain = 'http://xx.com?q=1&v=2'
    wrapped = urlresolvers.get_outgoing_url(plain)
    assert wrapped.endswith('http%3A//xx.com%3Fq=1&v=2'), wrapped

    # NOTE(review): this case repeats the one above verbatim as shown here;
    # confirm whether it was meant to use a different input.
    plain = 'http://xx.com?q=1&v=2'
    wrapped = urlresolvers.get_outgoing_url(plain)
    assert wrapped.endswith('http%3A//xx.com%3Fq=1&v=2'), wrapped

    # Check XSS vectors: the double quotes and the space must come back as
    # %22 and %20 so the value cannot break out of an HTML attribute.
    hostile = 'http://xx.com?q=1&v=2" style="123"'
    wrapped = urlresolvers.get_outgoing_url(hostile)
    assert wrapped.endswith(
        '%3A//xx.com%3Fq=1&v=2%22%20style=%22123%22'), wrapped
Exemplo n.º 6
def test_outgoing_url_query_params():
    """Table-driven check of how get_outgoing_url() encodes query strings.

    Each case pairs an input URL with the suffix the wrapped URL must end
    with; on failure the wrapped URL is shown as the assertion message.
    """
    cases = (
        ('http://xx.com?q=1&v=2', 'http%3A//xx.com%3Fq=1&v=2'),
        # NOTE(review): identical to the first case as shown; confirm
        # whether a different input was intended.
        ('http://xx.com?q=1&v=2', 'http%3A//xx.com%3Fq=1&v=2'),
        # Check XSS vectors: quotes and spaces must be percent-encoded.
        ('http://xx.com?q=1&v=2" style="123"',
         '%3A//xx.com%3Fq=1&v=2%22%20style=%22123%22'),
    )
    for url, suffix in cases:
        fixed = urlresolvers.get_outgoing_url(url)
        assert fixed.endswith(suffix), fixed
Exemplo n.º 7
def test_external_url():
    """The external_url template filter must agree with get_outgoing_url()."""
    saved_url, saved_key = settings.REDIRECT_URL, settings.REDIRECT_SECRET_KEY
    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'

    try:
        target = 'http://example.com'
        # Render a one-expression template that applies the filter.
        template = '{{ "%s"|external_url }}' % target
        rendered = render(template)
        eq_(rendered, urlresolvers.get_outgoing_url(target))
    finally:
        # Restore the real redirector settings whatever the outcome.
        settings.REDIRECT_URL = saved_url
        settings.REDIRECT_SECRET_KEY = saved_key
Exemplo n.º 8
def test_external_url():
    """Compare the rendered ``external_url`` filter with the resolver output.

    REDIRECT_URL and REDIRECT_SECRET_KEY are overridden for the test and put
    back afterwards.
    """
    original_redirect = settings.REDIRECT_URL
    original_secret = settings.REDIRECT_SECRET_KEY
    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'

    try:
        link = 'http://example.com'
        via_filter = render('{{ "%s"|external_url }}' % link)
        via_resolver = urlresolvers.get_outgoing_url(link)
        eq_(via_filter, via_resolver)
    finally:
        settings.REDIRECT_URL = original_redirect
        settings.REDIRECT_SECRET_KEY = original_secret
Exemplo n.º 9
 def outgoing_url(self):
     """Return the link to use for this object's ``url``.

     Every record except the one whose primary key equals
     ``amo.FOUNDATION_ORG`` gets its URL passed through
     ``get_outgoing_url``; that one record's URL is returned as stored.
     """
     if self.pk != amo.FOUNDATION_ORG:
         return get_outgoing_url(unicode(self.url))
     # Deliberate bypass: this single record skips the redirector.
     return self.url
Exemplo n.º 10
def external_url(url):
    """Route *url* through the outgoing.mozilla.org redirector."""
    redirect = urlresolvers.get_outgoing_url
    # Coerce to text first; callers may pass a non-string object.
    return redirect(unicode(url))
Exemplo n.º 11
def external_url(url):
    """Return the outgoing.mozilla.org bounce link for *url*.

    The argument is converted with ``unicode()`` before it is handed to
    ``urlresolvers.get_outgoing_url``.
    """
    wrap = urlresolvers.get_outgoing_url
    as_text = unicode(url)
    return wrap(as_text)
Exemplo n.º 12
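def external_href(url):
    """Return ``target="_blank" href="..."`` attributes for an outgoing link.

    The URL is passed through ``get_outgoing_url`` and then HTML-escaped
    before it is placed inside the quoted ``href`` value.  The result is a
    ``jinja2.Markup`` object, so templates insert it without further
    escaping.  An ``&`` in the URL is emitted as ``&amp;``, which is the
    correct spelling inside an HTML attribute.
    """
    outgoing = get_outgoing_url(unicode(url))
    # Formatting with Markup's % operator escapes the argument.  The plain
    # string formatting used before marked the whole attribute text as safe,
    # so this function relied entirely on get_outgoing_url having encoded
    # every quote character; any URL it hands back without encoding could
    # have closed the attribute.
    # NOTE(review): target="_blank" links are usually paired with
    # rel="noopener noreferrer"; consider adding it where this is rendered.
    return jinja2.Markup('target="_blank" href="%s"') % outgoing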
Exemplo n.º 13
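def external_href(url):
    """Build the ``target``/``href`` attribute pair for an external link.

    ``url`` is sent through ``get_outgoing_url`` and the result is
    HTML-escaped before being interpolated into the attribute string, which
    is then returned as ``jinja2.Markup`` (i.e. trusted by the template
    engine).  Characters such as ``&`` therefore appear as entities in the
    output.
    """
    # Escape before interpolating: the surrounding Markup() call tells the
    # template engine not to escape again, so an unencoded double quote in
    # the returned URL would otherwise end the href value early.
    href = jinja2.escape(get_outgoing_url(unicode(url)))
    t = 'target="_blank" href="%s"' % href
    return jinja2.Markup(t)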
Exemplo n.º 14
def test_outgoing_url_query_params():
    """A query string must survive wrapping with only ':' and '?' encoded."""
    source = 'http://xx.com?q=1&v=2'
    expected_tail = 'http%3A//xx.com%3Fq=1&v=2'
    wrapped = urlresolvers.get_outgoing_url(source)
    # The wrapped URL doubles as the failure message for easier debugging.
    assert wrapped.endswith(expected_tail), wrapped
Exemplo n.º 15
def test_outgoing_url_dirty_unicode():
    """Smoke test: a URL with non-ASCII path segments must not raise.

    Nothing is asserted about the return value; the test passes as long as
    the call completes.
    """
    host = u'http://chupakabr.ru/'
    first_segment = u'\u043f\u0440\u043e\u0435\u043a\u0442\u044b/'
    second_segment = u'\u043c\u0443\u0437\u044b\u043a\u0430-vkontakteru/'
    urlresolvers.get_outgoing_url(
        host + first_segment + second_segment)  # bug 564057
Exemplo n.º 16
 def filter_url(self, url):
     """Return the redirector form of an auto-linked URL."""
     outgoing = urlresolvers.get_outgoing_url(url)
     return outgoing
Exemplo n.º 17
def test_outgoing_url_dirty_unicode():
    """get_outgoing_url() must accept a unicode URL with Cyrillic segments."""
    pieces = [
        u'http://chupakabr.ru/\u043f\u0440\u043e\u0435\u043a\u0442\u044b/',
        u'\u043c\u0443\u0437\u044b\u043a\u0430-vkontakteru/',
    ]
    # Only the absence of an exception is being tested here.
    urlresolvers.get_outgoing_url(u''.join(pieces))  # bug 564057