issue: 6934 - Adds overwrite_url validation and related test (#7064)

django-cms · May 28, 2021 · 0afbe9e · 0afbe9e
1 parent f4043cd
commit 0afbe9e
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 1 deletion.
diff --git a/cms/admin/forms.py b/cms/admin/forms.py
@@ -17,7 +17,8 @@
 from cms.exceptions import PluginLimitReached
 from cms.extensions import extension_pool
 from cms.constants import PAGE_TYPES_ID, PUBLISHER_STATE_DIRTY, ROOT_USER_LEVEL
-from cms.forms.validators import validate_relative_url, validate_url_uniqueness
+from cms.forms.validators import (validate_relative_url, validate_url_uniqueness,
+                                  validate_overwrite_url)
 from cms.forms.widgets import UserSelectAdminWidget, AppHookSelect, ApplicationConfigSelect
 from cms.models import (CMSPlugin, Page, PageType, PagePermission, PageUser, PageUserGroup, Title,
                         Placeholder, GlobalPagePermission, TreeNode)
@@ -617,6 +618,14 @@ def _check_unique_namespace_instance(self, namespace):
 
     def clean(self):
         cleaned_data = super().clean()
+        if cleaned_data.get("overwrite_url"):
+            # Assuming that the user enters a full URL in the overwrite_url input.
+            # Here we validate it before publishing the page and if it contains
+            # reserved characters (e.g. $?:#), we add error in the form.
+            # issue 6934
+            url = cleaned_data.get("overwrite_url")
+            if url and not validate_overwrite_url(value=url):
+                self._errors['overwrite_url'] = self.error_class([_('You entered an invalid URL.')])
 
         if self._errors:
             # Fail fast if there's errors in the form

diff --git a/cms/constants.py b/cms/constants.py
@@ -26,6 +26,7 @@
 PAGE_USERNAME_MAX_LENGTH = 255
 
 SLUG_REGEXP = '[0-9A-Za-z-_.//]+'
+NEGATE_SLUG_REGEXP = '[^0-9A-Za-z-_.//]+'
 
 EXPIRE_NOW = 0
 # HTTP Specification says max caching should only be up to one year.

diff --git a/cms/forms/validators.py b/cms/forms/validators.py
@@ -4,6 +4,7 @@
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext
 
+from cms.constants import NEGATE_SLUG_REGEXP
 from cms.utils.page import get_all_pages_from_path
 from cms.utils.urlutils import admin_reverse, relative_url_regex
 
@@ -21,6 +22,14 @@ def validate_url(value):
         URLValidator()(value)
 
 
+def validate_overwrite_url(value):
+    try:
+        RegexValidator(regex=NEGATE_SLUG_REGEXP)(value)
+    except:
+        return True
+    return False
+
+
 def validate_url_uniqueness(site, path, language, exclude_page=None):
     """ Checks for conflicting urls
     """

diff --git a/cms/tests/test_page_admin.py b/cms/tests/test_page_admin.py
@@ -1340,6 +1340,25 @@ def test_get_page_from_request_cached(self):
         page = get_page_from_request(request)
         self.assertEqual(page, mock_page)
 
+
+    @override_settings(CMS_PERMISSION=False)
+    def test_set_overwrite_url_with_invalid_value(self):
+        # User cannot add reserved characters in the "overwrite_url" input.
+        superuser = self.get_superuser()
+        cms_page = create_page('page', 'nav_playground.html', 'en', published=True)
+        expected_error_message = "You entered an invalid URL"
+
+        endpoint = self.get_admin_url(Page, 'advanced', cms_page.pk)
+
+        with self.login_user_context(superuser):
+            page_data = {
+                'overwrite_url': 'https://django-cms.org',
+                'template': cms_page.template,
+            }
+            response = self.client.post(endpoint, page_data)
+            self.assertContains(response, expected_error_message)
+
+
     @override_settings(CMS_PERMISSION=False)
     def test_set_overwrite_url(self):
         superuser = self.get_superuser()