Merge pull request #877 from ix5/public-endpoint-trailing-slash

[server] Strip trailing slash from public-endpoint, disallow trailing slash
isso-comments · Jun 5, 2022 · cf9b1ad · cf9b1ad
2 parents 628246c + 091b069
commit cf9b1ad
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 10 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -31,6 +31,9 @@ Changelog for Isso
   - Add ``/config`` endpoint for fetching server configuration options that
     affect the client
   - Remove ``/count`` GET endpoint (use POST instead)
+- Strip trailing slash from public-endpoint, allow trailing slashes for routes.
+  A trailing slash in ``[server] public-endpoint`` is now discouraged and
+  throws a warning (#876, ix5)
 
 - Replace ``contenteditable`` ``div`` with ``textarea`` to fix issues when
   editing messages that contain indented code

diff --git a/docs/docs/reference/server-config.rst b/docs/docs/reference/server-config.rst
@@ -215,12 +215,18 @@ listen
 
 public-endpoint
     Public URL that Isso is accessed from by end users. Should always be
-    a http:// or https:// absolute address. If left blank, automatic
-    detection is attempted. Normally only needs to be specified if
-    different than the ``listen`` setting.
+    a ``http://`` or ``https://`` absolute address. If left blank, automatic
+    detection is attempted. Normally only needs to be specified if different
+    than the ``listen`` setting.
+
+    This URL must not end in a ``/`` slash, i.e. ``http://foo.bar:8080/`` is
+    forbidden but ``http://foo/bar:8080`` is fine.
 
     Default: (empty)
 
+    .. versionchanged:: 0.13
+        Trailing slash now forbidden.
+
 reload
     Reload application, when the source code has changed. Useful for
     development. Only works with the internal webserver.

diff --git a/isso/config.py b/isso/config.py
@@ -114,6 +114,9 @@ def getiter(self, section, key):
             if item:
                 yield item
 
+    def set(self, section, key, value):
+        super(IssoParser, self).set(section, key, value)
+
     def section(self, section):
         return Section(self, section)
 
@@ -171,4 +174,15 @@ def setify(cp):
         parser.set("smtp", "from",
                    formataddr(("Ich schrei sonst!", fromaddr)))
 
+    # Warn on trailing slash which can result in malformed double-slashed URLs
+    if parser.get("server", "public-endpoint").endswith("/"):
+        public_endpoint = parser.get("server", "public-endpoint")
+        logger.warn("In your config file, '[server] public-endpoint' has a slash at the end, "
+                    "please remove it: '%s' -> '%s'",
+                    public_endpoint, public_endpoint.rstrip("/"))
+        # XXX Actually fail here in a future version
+        logger.warn("A future version of Isso might quit with an error if 'public-endpoint' is set incorrectly")
+        # Remove trailing slash
+        parser.set("server", "public-endpoint", public_endpoint.rstrip("/"))
+
     return parser
diff --git a/isso/tests/test_guard.py b/isso/tests/test_guard.py
@@ -4,7 +4,6 @@
 import tempfile
 import unittest
 
-from werkzeug import __version__
 from werkzeug.test import Client
 from werkzeug.wrappers import Response
 
@@ -14,12 +13,6 @@
 from fixtures import curl, FakeIP
 http.curl = curl
 
-if __version__.startswith("0.8"):
-    class Response(Response):
-
-        def get_data(self, as_text=False):
-            return self.data.decode("utf-8")
-
 
 class TestGuard(unittest.TestCase):