Apply security hotfix 20160830 for redirects.

This commit is contained in:
Maurits van Rees 2016-09-19 17:06:17 +02:00
parent fe138c6b93
commit 358ec89c03
3 changed files with 57 additions and 3 deletions

View File

@ -14,7 +14,7 @@ New features:
Bug fixes:
- *add item here*
- Apply security hotfix 20160830 for redirects. [maurits]
- Update Traditional Chinese translation.
[l34marr]

View File

@ -105,7 +105,9 @@ class DeleteComment(BrowserView):
type='info')
came_from = self.context.REQUEST.HTTP_REFERER
# if the referrer already has a came_from in it, don't redirect back
if len(came_from) == 0 or 'came_from=' in came_from:
if (len(came_from) == 0 or 'came_from=' in came_from or
not getToolByName(
content_object, 'portal_url').isURLInPortal(came_from)):
came_from = content_object.absolute_url()
return self.context.REQUEST.RESPONSE.redirect(came_from)
@ -186,7 +188,9 @@ class PublishComment(BrowserView):
type='info')
came_from = self.context.REQUEST.HTTP_REFERER
# if the referrer already has a came_from in it, don't redirect back
if len(came_from) == 0 or 'came_from=' in came_from:
if (len(came_from) == 0 or 'came_from=' in came_from or
not getToolByName(
content_object, 'portal_url').isURLInPortal(came_from)):
came_from = content_object.absolute_url()
return self.context.REQUEST.RESPONSE.redirect(came_from)

View File

@ -1,12 +1,17 @@
# -*- coding: utf-8 -*-
from plone.app.discussion.browser.moderation import BulkActionsView
from plone.app.discussion.browser.moderation import DeleteComment
from plone.app.discussion.browser.moderation import PublishComment
from plone.app.discussion.browser.moderation import View
from plone.app.discussion.interfaces import IConversation
from plone.app.discussion.interfaces import IDiscussionSettings
from plone.app.discussion.testing import PLONE_APP_DISCUSSION_INTEGRATION_TESTING # noqa
from plone.app.testing import setRoles
from plone.app.testing import TEST_USER_ID
from plone.registry.interfaces import IRegistry
from Products.CMFCore.utils import getToolByName
from zope.component import createObject
from zope.component import queryUtility
import unittest
@ -155,3 +160,48 @@ class ModerationBulkActionsViewTest(unittest.TestCase):
comment = self.conversation.getComments().next()
self.assertTrue(comment)
self.assertEqual(comment, self.comment2)
class RedirectionTest(unittest.TestCase):
layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING
def setUp(self):
# Update settings.
self.portal = self.layer['portal']
self.request = self.layer['request']
setRoles(self.portal, TEST_USER_ID, ['Manager'])
# applyProfile(self.portal, 'plone.app.discussion:default')
registry = queryUtility(IRegistry)
settings = registry.forInterface(IDiscussionSettings)
settings.globally_enabled = True
self.portal.portal_workflow.setChainForPortalTypes(
('Discussion Item',),
('comment_review_workflow',))
# Create page plus comment.
self.portal.invokeFactory(
id='page',
title='Page 1',
type_name='Document'
)
self.page = self.portal.page
self.conversation = IConversation(self.page)
comment = createObject('plone.Comment')
comment.text = 'Comment text'
self.comment_id = self.conversation.addComment(comment)
self.comment = list(self.conversation.getComments())[0]
def test_regression(self):
page_url = self.page.absolute_url()
self.request['HTTP_REFERER'] = page_url
for Klass in (DeleteComment, PublishComment):
view = Klass(self.comment, self.request)
view.__parent__ = self.comment
self.assertEqual(page_url, view())
def test_valid_next_url(self):
self.request['HTTP_REFERER'] = 'http://attacker.com'
for Klass in (DeleteComment, PublishComment):
view = Klass(self.comment, self.request)
view.__parent__ = self.comment
self.assertNotEqual('http://attacker.com', view())