From 391586ba01fc1a01443962d137e9df3fce707434 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Thu, 19 Oct 2017 09:29:00 -0400
Subject: [PATCH] [GX-2017-0003]: Fix for the reported issue, only allow http, https, and ftp schemes in the data_source tool.
---
 tools/data_source/data_source.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/data_source/data_source.py b/tools/data_source/data_source.py
index 0417be67477f..aa113ffa5e18 100644
--- a/tools/data_source/data_source.py
+++ b/tools/data_source/data_source.py
@@ -6,7 +6,7 @@ import sys
 from json import dumps, loads
-from six.moves.urllib.parse import urlencode
+from six.moves.urllib.parse import urlencode, urlparse
 from six.moves.urllib.request import urlopen
 from galaxy.datatypes import sniff
@@ -80,7 +80,7 @@ def __main__():
 for data_dict in job_params['output_data']:
 cur_filename = data_dict.get('file_name', filename)
 cur_URL = params.get('%s|%s|URL' % (GALAXY_PARAM_PREFIX, data_dict['out_data_name']), URL)
- if not cur_URL:
+ if not cur_URL or urlparse(cur_URL).scheme not in ('http', 'https', 'ftp'):
 open(cur_filename, 'w').write("")
 stop_err('The remote data source application has not sent back a URL parameter in the request.')
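Review bot: The combined condition in `__main__` reports a URL with a rejected scheme through the same `stop_err` text as a missing URL ("...has not sent back a URL parameter..."), so an operator reading the job error cannot tell a misconfigured data source from a request that the allow-list blocked. Giving the scheme test its own branch and message, e.g. `stop_err('The remote data source application sent a URL with a disallowed scheme.')`, and naming the tuple as a module constant such as `ALLOWED_URL_SCHEMES = ('http', 'https', 'ftp')`, would make the allow-list visible and the rejection auditable. The check constrains only the scheme of `cur_URL` and not the host, so if fetches to internal addresses matter for a deployment, that needs a separate control. The loop body continues outside the hunk, so it should be confirmed there that `cur_URL` is the only value later passed to `urlopen`.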