Merge pull request #256 from mozilla-services/256_remove_warning

Empty response to OPTIONS request
Cornices · Jan 28, 2015 · bbf18f9 · bbf18f9
2 parents 6b57fa9 + 5732a0a
commit bbf18f9
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 49 deletions.
diff --git a/cornice/tests/test_validation.py b/cornice/tests/test_validation.py
@@ -10,7 +10,6 @@
 from cornice.errors import Errors
 from cornice.tests.validationapp import main, includeme, dummy_deserializer
 from cornice.tests.support import LoggingCatcher, TestCase, CatchErrors
-from cornice.validators import filter_json_xsrf
 
 
 class TestServiceDefinition(LoggingCatcher, TestCase):
@@ -160,35 +159,6 @@ def test_filters(self):
         self.assertTrue(b"filtered response" in app.get('/filtered').body)
         self.assertTrue(b"unfiltered" in app.post('/filtered').body)
 
-    def test_json_xsrf_vulnerable_values_warning(self):
-        vulnerable_values = [
-            '["value1", "value2"]',  # json array
-            '  \n ["value1", "value2"] ',  # may include whitespace
-            '"value"',  # strings may contain nasty characters in UTF-7
-        ]
-        # a view returning a vulnerable json response should issue a warning
-        for value in vulnerable_values:
-            response = Response(value)
-            response.status = 200
-            response.content_type = 'application/json'
-            filter_json_xsrf(response)
-            assert len(self.get_logs()) == 1, "Expected warning: %s" % value
-
-    def test_json_xsrf_safe_values_no_warning(self):
-        safe_values = [
-            '{"value1": "value2"}',  # json object
-            '  \n {"value1": "value2"} ',  # may include whitespace
-            'true', 'false', 'null',  # primitives
-            '123', '-123', '0.123',  # numbers
-        ]
-        # a view returning safe json response should not issue a warning
-        for value in safe_values:
-            response = Response(value)
-            response.status = 200
-            response.content_type = 'application/json'
-            filter_json_xsrf(response)
-            assert len(self.get_logs()) == 0, "Unexpected warning: %s" % value
-
     def test_multiple_querystrings(self):
         app = TestApp(main({}))
 

diff --git a/cornice/validators.py b/cornice/validators.py
@@ -1,22 +1,5 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this file,
 # You can obtain one at http://mozilla.org/MPL/2.0/.
-import re
-
-# Strings and arrays are potentially exploitable
-safe_json_re = re.compile(r'\s*[\{tfn\-0-9]'.encode('ascii'), re.MULTILINE)
-
-
-def filter_json_xsrf(response):
-    """drops a warning if a service returns potentially exploitable json
-    """
-    if hasattr(response, 'content_type') and response.content_type in ('application/json', 'text/json'):
-        if safe_json_re.match(response.body) is None:
-            from cornice import logger
-            logger.warn("returning a json string or array is a potential "
-                "security hole, please ensure you really want to do this.")
-    return response
-
-
 DEFAULT_VALIDATORS = []
-DEFAULT_FILTERS = [filter_json_xsrf, ]
+DEFAULT_FILTERS = []
diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py26,py27,py33
+envlist = py26,py27,py34
 
 [testenv]
 commands =