authorDan Callaghan <dcallagh@redhat.com>2017-09-19 16:54:54 +1000
committerDan Callaghan <dcallagh@redhat.com>2017-10-06 07:08:22 +0000
commita6a5fa71bf51cb3766694c09c6cb7c595e2634d5 (patch)
treec6154f9bfe51979f7b2312409f0bf4c515c42234
parent6fe36a3746c4131552700f2f024f1bfc2ac0ddc3 (diff)
fix missing URI encoding for login link
The Flask request.path attribute is URI-decoded and UTF8-decoded, which means we need to re-apply the encoding when we construct the forward_url parameter. Change-Id: I3d55b4184947913018f47f56a6d55640128f8fd5
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_login.py19
-rw-r--r--Server/bkr/server/stdvars.py3
2 files changed, 21 insertions, 1 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_login.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_login.py
index 5fafe0b..b759106 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_login.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_login.py
@@ -9,6 +9,7 @@ import os
import turbogears.config
from turbogears.database import session
import xmlrpclib
+import urllib
from hashlib import sha1
from unittest2 import SkipTest
try:
@@ -78,6 +79,24 @@ class LoginTest(WebDriverTestCase):
# Did it work?
b.find_element_by_xpath('//title[text()="My Jobs"]')
+ def test_login_link_escapes_uri_characters(self):
+ bad_group_name = u'!@#$%^&*()_+{}|:><?'
+ with session.begin():
+ group = data_setup.create_group(group_name=bad_group_name)
+
+ # Go to the group page, whose URL contains URI-delimiting characters
+ b = self.browser
+ b.get(get_server_base() + '/groups/%s' % urllib.quote(bad_group_name))
+
+ # Click log in, and fill in details
+ b.find_element_by_link_text('Log in').click()
+ b.find_element_by_name('user_name').send_keys(self.user.user_name)
+ b.find_element_by_name('password').send_keys(self.password)
+ b.find_element_by_name('login').click()
+
+ # We should be back at the group page
+ b.find_element_by_xpath('//title[text()="%s"]' % bad_group_name)
+
# https://bugzilla.redhat.com/show_bug.cgi?id=674566
def test_message_when_not_logged_in(self):
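Review bot: test_login_link_escapes_uri_characters uses only ASCII delimiters in `bad_group_name`, so the `.encode('utf8')` half of the fix in stdvars.py and the query-string branch of login_url are not exercised. Consider adding a non-ASCII character, e.g. `bad_group_name = u'!@#$%^&*()_+{}|:><?\u00e9'`, and calling `urllib.quote(bad_group_name.encode('utf8'))` in the `b.get(...)` line, since on Python 2 `urllib.quote` fails on a unicode string that contains non-ASCII characters. Whether `data_setup.create_group` accepts such a name is not visible in this hunk and would need confirming.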
diff --git a/Server/bkr/server/stdvars.py b/Server/bkr/server/stdvars.py
index be16628..22d2f85 100644
--- a/Server/bkr/server/stdvars.py
+++ b/Server/bkr/server/stdvars.py
@@ -4,6 +4,7 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
+import urllib
import turbogears
from turbojson import jsonify
from flask import request
@@ -27,7 +28,7 @@ def beaker_version():
return 'devel-version'
def login_url():
- forward_url = request.path
+ forward_url = urllib.quote(request.path.encode('utf8'))
if request.query_string:
forward_url += '?%s' % request.query_string
return turbogears.url('/login', forward_url=forward_url)
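Review bot: The new `urllib.quote(request.path.encode('utf8'))` line in login_url has no comment explaining why the path is re-encoded while `request.query_string` two lines below is appended unquoted, which reads like an inconsistency. As far as I know Flask exposes `request.query_string` as the raw, still percent-encoded string, whereas `request.path` has already been decoded, so the asymmetry looks intended. I would add `# request.path is already URI- and UTF-8-decoded, so re-encode it; query_string is still raw and is appended as-is` above the assignment. Because forward_url becomes the post-login redirect target, the handler that consumes it (not visible in this hunk) should still confirm that the decoded value is a local path before redirecting.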