From 9e672f94588b8eeecee745665162fc92f0158e27 Mon Sep 17 00:00:00 2001
From: Nate Coraor
Date: Thu, 19 Oct 2017 09:29:00 -0400
Subject: [PATCH] [GX-2017-0003]: Fix for the reported issue, only allow http, https, and ftp schemes in the data_source tool.
---
 tools/data_source/data_source.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/data_source/data_source.py b/tools/data_source/data_source.py
index 53121f1376c1..f513cec5495f 100644
--- a/tools/data_source/data_source.py
+++ b/tools/data_source/data_source.py
@@ -6,7 +6,7 @@ import sys
 from json import dumps, loads
-from six.moves.urllib.parse import urlencode
+from six.moves.urllib.parse import urlencode, urlparse
 from six.moves.urllib.request import urlopen
 from galaxy.datatypes import sniff
@@ -80,7 +80,7 @@ def __main__():
 for data_dict in job_params[ 'output_data' ]:
 cur_filename = data_dict.get( 'file_name', filename )
 cur_URL = params.get( '%s|%s|URL' % ( GALAXY_PARAM_PREFIX, data_dict[ 'out_data_name' ] ), URL )
- if not cur_URL:
+ if not cur_URL or urlparse(cur_URL).scheme not in ('http', 'https', 'ftp'):
 open( cur_filename, 'w' ).write( "" )
 stop_err( 'The remote data source application has not sent back a URL parameter in the request.' )
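Review bot: A URL rejected for its scheme is reported with the same text as a missing URL, because the new `urlparse(cur_URL).scheme not in ('http', 'https', 'ftp')` test shares the `if not cur_URL` branch and its `stop_err` message in `__main__`. Someone reading the job error cannot tell a data source that sent nothing from one that sent back a URL with a disallowed scheme, which is the event this fix exists to stop. I would split the condition and give the scheme case its own message, e.g. `stop_err( 'The remote data source application sent back a URL whose scheme is not http, https or ftp.' )`. The allowlist also does not constrain the host, so if the later fetch (outside this hunk) uses `cur_URL` unchanged, http(s) URLs that resolve to internal services would presumably still pass; that deserves at least a comment here or a follow-up host check. The body of `__main__` starts and ends outside the hunk.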