Permalink
Browse files

A slightly different fix for issue #514. Filters input before passing…

… on to the OStatus gem and throws an exception if it doesn't look like an email address or a URL.

I discovered by typing 'test' into the remote follow form that `open` will still happily look for a local file if you give it something that isn't a URL. So now ConvertsSubscriberToFeedData will just raise an exception if what it gets is neither an email address looking thing nor a URL looking thing, and the subscriptions controller will catch that to show the nice error message.
  • Loading branch information...
1 parent 7ea6c99 commit 1ecfee9e6c1b185875f5dd2814b8b58daffb62b5 @carols10cents carols10cents committed Apr 21, 2012
@@ -63,15 +63,14 @@ def create
# Find or create the Feed
begin
subscribe_to_feed = Feed.find_or_create(params[:subscribe_to])
- rescue Errno::ENOENT => e
+ rescue RstatUs::InvalidSubscribeTo => e
# This means the user's entry was neither a webfinger identifier
# nor a feed URL, and calling `open` on it did not return anything.
flash[:notice] = "There was a problem following #{params[:subscribe_to]}. Please specify the whole ID for the person you would like to follow, including both their username and the domain of the site they're on. It should look like an email address-- for example, username@status.net"
redirect_to request.referrer
return
end
-
# Stop and return a nice message if already following this feed
if current_user.following_feed? subscribe_to_feed
flash[:notice] = "You're already following #{subscribe_to_feed.author.username}."
View
@@ -64,4 +64,7 @@ class Application < Rails::Application
end
end
+
+ # Custom RstatUs exceptions
+ class InvalidSubscribeTo < StandardError; end
end
@@ -14,8 +14,10 @@ def self.get_feed_data(subscriber_url)
finger_data = QueriesWebFinger.query(subscriber_url)
feed_data.url = finger_data.url
feed_data.finger_data = finger_data
- else
+ when /^https?:\/\//
feed_data.url = subscriber_url
+ else
+ raise RstatUs::InvalidSubscribeTo
end
feed_data
@@ -56,7 +56,7 @@
end
describe "failure" do
- it "doesn't look up something that doesn't look like a webfinger id" do
+ it "doesn't look up something that doesn't look like either a webfinger id or a URL" do
log_in_as_some_user
visit "/"
click_link "Follow Remote User"
@@ -73,5 +73,23 @@
assert has_content?("There was a problem following justinbieber. Please specify the whole ID for the person you would like to follow, including both their username and the domain of the site they're on. It should look like an email address-- for example, username@status.net")
end
end
+
+ it "especially doesn't look up something that looks like a local file" do
+ log_in_as_some_user
+ visit "/"
+ click_link "Follow Remote User"
+
+ follow_remote_page = page.current_url
+
+ fill_in 'subscribe_to', :with => "Gemfile"
+ click_button "Follow"
+
+ # Should still be on this page
+ page.current_url.must_equal(follow_remote_page)
+
+ within flash do
+ assert has_content?("There was a problem following Gemfile.")
+ end
+ end
end
end
@@ -5,16 +5,20 @@
FakeFingerData = Struct.new(:url)
+module RstatUs
+ class InvalidSubscribeTo < StandardError; end
+end
+
describe "converting subscriber to feed data" do
- describe "when the subscriber url has feed in it" do
+ describe "when the subscriber info has feed in it" do
it "should replace the feed with http" do
feed_data = ConvertsSubscriberToFeedData.get_feed_data("feed://stuff")
assert_equal "http://stuff", feed_data.url
end
end
- describe "when the subscriber info is an email address " do
+ describe "when the subscriber info is an email address" do
it "should finger the user" do
email = "somebody@somewhere.com"
finger_data = FakeFingerData.new("url")
@@ -26,14 +30,32 @@
assert_equal finger_data, new_feed_data.finger_data
end
end
-
- describe "when the subscriber is an http url " do
+
+ describe "when the subscriber info is an http url" do
it "should use the subscriber url as the feed url" do
feed_url = "http://feed.me"
feed_data = ConvertsSubscriberToFeedData.get_feed_data(feed_url)
assert_equal feed_url, feed_data.url
end
+
+ it "should use an https subscriber url as the feed url" do
+ feed_url = "https://feed.me"
+
+ feed_data = ConvertsSubscriberToFeedData.get_feed_data(feed_url)
+
+ assert_equal feed_url, feed_data.url
+ end
+ end
+
+ describe "when the subscriber info is neither an email address nor an http url" do
+ it "should raise an exception so that we dont try and look it up as a file" do
+ feed_url = "Gemfile.lock"
+
+ lambda {
+ ConvertsSubscriberToFeedData.get_feed_data(feed_url)
+ }.must_raise(RstatUs::InvalidSubscribeTo)
+ end
end
end

0 comments on commit 1ecfee9

Please sign in to comment.