diff --git a/ckanext/resourceproxy/controller.py b/ckanext/resourceproxy/controller.py
index 81a8123e3b1..0e8fd9bfd11 100644
--- a/ckanext/resourceproxy/controller.py
+++ b/ckanext/resourceproxy/controller.py
@@ -1,4 +1,5 @@
 from logging import getLogger
+import urlparse
 import requests
@@ -15,13 +16,17 @@ def proxy_resource(context, data_dict):
 ''' Chunked proxy for resources. To make sure that the file is not too large, first, we try to get the content length from the headers. If the headers to not contain a content length (if it is a chinked
- response), we only transfer as long as the transfered data is less
+ response), we only transfer as long as the transferred data is less
 than the maximum file size. '''
 resource_id = data_dict['resource_id']
 log.info('Proxify resource {id}'.format(id=resource_id))
 resource = logic.get_action('resource_show')(context, {'id': resource_id})
 url = resource['url']
+ parts = urlparse.urlsplit(url)
+ if not parts.scheme or not parts.netloc:
+ base.abort(409, detail='Invalid URL.')
+
 try:
 # first we try a HEAD request which may not be supported
 did_get = False
diff --git a/ckanext/resourceproxy/tests/test_proxy.py b/ckanext/resourceproxy/tests/test_proxy.py
index 83aa033e7c4..419c75440d8 100644
--- a/ckanext/resourceproxy/tests/test_proxy.py
+++ b/ckanext/resourceproxy/tests/test_proxy.py
@@ -130,7 +130,17 @@ def test_large_file_streaming(self):
 assert result.status == 409, result.status
 assert 'too large' in result.body, result.body
- def test_resource_proxy_non_existent(self):
+ @httpretty.activate
+ def test_invalid_url(self):
+ self.data_dict = set_resource_url('javascript:downloadFile(foo)')
+
+ proxied_url = proxy.get_proxified_resource_url(self.data_dict)
+ result = self.app.get(proxied_url, status='*')
+ assert result.status == 409, result.status
+ assert 'Invalid URL' in result.body, result.body
+
+
+ def test_non_existent_url(self):
 self.data_dict = set_resource_url('http://foo.bar')
 def f1():
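Review bot: The check added to `proxy_resource` in controller.py only requires a non-empty scheme and a non-empty netloc, so any scheme that comes with a host still passes and is handed to the HTTP client. Because this controller fetches the resource URL server-side, the guard would be tighter as an allowlist of the schemes the proxy is meant to serve, e.g. `if parts.scheme not in ('http', 'https') or not parts.netloc:`. The check also puts no limit on the destination host; whether loopback or internal addresses should be refused is not settled in the visible lines, and the rest of the function lies outside the hunk, so that is worth confirming. A one-line comment above the check, such as `# reject relative or scheme-only URLs before any outbound request is made`, would record the intent.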
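Review bot: `test_invalid_url` in test_proxy.py exercises only the empty-netloc half of the new check, since `javascript:downloadFile(foo)` has a scheme but no host; the empty-scheme half of the `or` is untested. A second case with a scheme-less value, e.g. `self.data_dict = set_resource_url('foo.bar/data.csv')` (constructed sample, assuming `set_resource_url` stores it unchanged) followed by the same 409 and `'Invalid URL'` assertions, would cover both branches. Since the point of the validation is that nothing is fetched, the test could also assert that no outbound request was recorded while httpretty is active. The body of `test_non_existent_url` continues outside the hunk.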