A slightly different fix for issue #514. Filters input before passing…

… on to the OStatus gem and throws an exception if it doesn't look like an email address or a URL. I discovered by typing 'test' into the remote follow form that `open` will still happily look for a local file if you give it something that isn't a URL. So now ConvertsSubscriberToFeedData will just raise an exception if what it gets is neither an email address looking thing nor a URL looking thing, and the subscriptions controller will catch that to show the nice error message.
hotsh · Apr 21, 2012 · 1ecfee9 · 1ecfee9
1 parent 7ea6c99
commit 1ecfee9
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 8 deletions.
diff --git a/app/controllers/subscriptions_controller.rb b/app/controllers/subscriptions_controller.rb
@@ -63,15 +63,14 @@ def create
     # Find or create the Feed
     begin
       subscribe_to_feed = Feed.find_or_create(params[:subscribe_to])
-    rescue Errno::ENOENT => e
+    rescue RstatUs::InvalidSubscribeTo => e
       # This means the user's entry was neither a webfinger identifier
       # nor a feed URL, and calling `open` on it did not return anything.
       flash[:notice] = "There was a problem following #{params[:subscribe_to]}. Please specify the whole ID for the person you would like to follow, including both their username and the domain of the site they're on. It should look like an email address-- for example, username@status.net"
       redirect_to request.referrer
       return
     end
 
-
     # Stop and return a nice message if already following this feed
     if current_user.following_feed? subscribe_to_feed
       flash[:notice] = "You're already following #{subscribe_to_feed.author.username}."

diff --git a/config/application.rb b/config/application.rb
@@ -64,4 +64,7 @@ class Application < Rails::Application
     end
 
   end
+
+  # Custom RstatUs exceptions
+  class InvalidSubscribeTo < StandardError; end
 end
diff --git a/lib/converts_subscriber_to_feed_data.rb b/lib/converts_subscriber_to_feed_data.rb
@@ -14,8 +14,10 @@ def self.get_feed_data(subscriber_url)
       finger_data = QueriesWebFinger.query(subscriber_url)
       feed_data.url = finger_data.url
       feed_data.finger_data = finger_data
-    else
+    when /^https?:\/\//
       feed_data.url = subscriber_url
+    else
+      raise RstatUs::InvalidSubscribeTo
     end
 
     feed_data

diff --git a/test/acceptance/following_remote_users_test.rb b/test/acceptance/following_remote_users_test.rb
@@ -56,7 +56,7 @@
   end
 
   describe "failure" do
-    it "doesn't look up something that doesn't look like a webfinger id" do
+    it "doesn't look up something that doesn't look like either a webfinger id or a URL" do
       log_in_as_some_user
       visit "/"
       click_link "Follow Remote User"
@@ -73,5 +73,23 @@
         assert has_content?("There was a problem following justinbieber. Please specify the whole ID for the person you would like to follow, including both their username and the domain of the site they're on. It should look like an email address-- for example, username@status.net")
       end
     end
+
+    it "especially doesn't look up something that looks like a local file" do
+      log_in_as_some_user
+      visit "/"
+      click_link "Follow Remote User"
+
+      follow_remote_page = page.current_url
+
+      fill_in 'subscribe_to', :with => "Gemfile"
+      click_button "Follow"
+
+      # Should still be on this page
+      page.current_url.must_equal(follow_remote_page)
+
+      within flash do
+        assert has_content?("There was a problem following Gemfile.")
+      end
+    end
   end
 end
diff --git a/test/lib/converts_subscriber_to_feed_data_test.rb b/test/lib/converts_subscriber_to_feed_data_test.rb
@@ -5,16 +5,20 @@
 
 FakeFingerData = Struct.new(:url)
 
+module RstatUs
+  class InvalidSubscribeTo < StandardError; end
+end
+
 describe "converting subscriber to feed data" do
-  describe "when the subscriber url has feed in it" do
+  describe "when the subscriber info has feed in it" do
     it "should replace the feed with http" do
       feed_data = ConvertsSubscriberToFeedData.get_feed_data("feed://stuff")
 
       assert_equal "http://stuff", feed_data.url
     end
   end
 
-  describe "when the subscriber info is an email address " do
+  describe "when the subscriber info is an email address" do
     it "should finger the user" do
       email = "somebody@somewhere.com"
       finger_data = FakeFingerData.new("url")
@@ -26,14 +30,32 @@
       assert_equal finger_data, new_feed_data.finger_data
     end
   end
-  
-  describe "when the subscriber is an http url " do
+
+  describe "when the subscriber info is an http url" do
     it "should use the subscriber url as the feed url" do
       feed_url  = "http://feed.me"
 
       feed_data = ConvertsSubscriberToFeedData.get_feed_data(feed_url)
 
       assert_equal feed_url, feed_data.url
     end
+
+    it "should use an https subscriber url as the feed url" do
+      feed_url  = "https://feed.me"
+
+      feed_data = ConvertsSubscriberToFeedData.get_feed_data(feed_url)
+
+      assert_equal feed_url, feed_data.url
+    end
+  end
+
+  describe "when the subscriber info is neither an email address nor an http url" do
+    it "should raise an exception so that we dont try and look it up as a file" do
+      feed_url  = "Gemfile.lock"
+
+      lambda {
+        ConvertsSubscriberToFeedData.get_feed_data(feed_url)
+      }.must_raise(RstatUs::InvalidSubscribeTo)
+    end
   end
 end