merge fixes made in train-2012.03.28 into dev.

mozilla · Apr 11, 2012 · e4589a0 · e4589a0
2 parents 9b39d57 + 1d4d06b
commit e4589a0
Show file tree

Hide file tree

Showing 22 changed files with 113 additions and 42 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -8,6 +8,13 @@ train-2012.03.28:
   * new API: /wsapi/ping - used for server monitoring: #1324
   * support email providers (with BrowserID support) with digits in their hostnames: #1284
   * tools/build/dev env fixes: #1284
+  * (hotfix 2012.03.30) Fix regression where 304 responses to requests for IFrame HTML would have X-Frame-Options: deny, preventing loading of iframes #1353
+  * (hotfix 2012.03.30) ETag headers now vary by locale, fixes regression where switching between locales was broken #1364
+  * (hotfix 2012.04.10) more rigorous checking of email inputs to WSAPI
+  * (hotfix 2012.04.10) copy config/l10n-*.json to build directory
+  * (hotfix 2012.04.10) final 40 production locales merged: #1412
+  * (hotfix 2012.04.10) update l10n-all.json to have all locales (complete and in-progress) as well as en-US and db-LB
+  * (hotfix 2012.04.10) fix more rigorous checking of email inputs to WSAPI: domain checking of 'site' parameter was validating hostnames rather than domains.
 
 train-2012.03.14:
   * BrowserID now speaks Bulgarian

diff --git a/config/l10n-all.json b/config/l10n-all.json
@@ -1,9 +1,9 @@
 {
 "supported_languages": [
-    "af", "bg", "ca", "cs", "da", "db-LB", "de", "el", "en-US", "eo", "es",
-    "es-MX", "et", "eu", "fi", "fr", "fy", "ga", "gd", "gl", "he", "hr",
-    "hu", "it", "ja", "ko", "lij", "lt", "ml", "nl", "pa", "pl", "pt",
-    "pt-BR", "rm", "ro", "ru", "sk", "sl", "son", "sq", "sr", "sv", "tr",
-    "uk", "zh-CN", "zh-TW"
+    "af", "bg", "ca", "cs", "cy", "da", "db-LB", "de", "el", "en-US",
+    "eo", "es", "et", "eu", "fi", "fr", "fy", "ga", "gd", "gl",
+    "he", "hr", "hu", "id", "it", "ja", "ko", "lij", "lt", "ml",
+    "nb-NO", "nl", "pa", "pl", "pt", "pt-BR", "rm", "ro", "ru", "si",
+    "sk", "sl", "son", "sq", "sr", "sv", "tr", "uk", "zh-CN", "zh-TW"
   ]
 }
diff --git a/config/l10n-prod.json b/config/l10n-prod.json
@@ -1,7 +1,8 @@
 {
 "supported_languages": [
-    "ca", "cs", "de", "el", "en-US", "es", "et", "eu", "fr", "fy",
-    "ga", "gl", "he", "hr", "hu", "it", "ja", "lij", "lt", "nl", "pa", "pl", "pt-BR", "rm",
-    "ru", "sk", "sl", "sq", "sv", "tr", "zh-CN", "zh-TW"
+    "bg", "ca", "cs", "da", "de", "el", "en-US", "eo", "es", "et",
+    "eu", "fi", "fr", "fy", "ga", "gd", "gl", "he", "hr", "hu",
+    "id", "it", "ja", "ko", "lij", "lt", "nl", "pa", "pl", "pt-BR",
+    "rm", "ru", "sk", "sl", "sq", "sr", "sv", "tr", "zh-CN", "zh-TW"
   ]
 }
diff --git a/lib/sanitize.js b/lib/sanitize.js
@@ -0,0 +1,44 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// a teensy tinsy module to do parameter sanitization.  A good candiate for future
+// librification.
+//
+// usage:
+//
+//   const sanitize = require('sanitize');
+//
+//   sanitize(value).isEmail();
+//   sanitize(value).isDomain();
+
+// XXX - should review these simple regexps
+
+var logger = require('./logging.js').logger;
+
+module.exports = function (value) {
+  var isEmail = function() {
+
+    if (!value.toLowerCase().match(/^[\w.!#$%&'*+\-/=?\^`{|}~]+@[a-z\d-]+(\.[a-z\d-]+)+$/i))
+      throw "not a valid email";
+  };
+
+  var isDomain = function() {
+    if (!value.match(/^[a-z\d-]+(\.[a-z\d-]+)+$/i)) {
+      throw "not a valid domain";      
+    }
+  };
+
+  var isOrigin = function() {
+    // allow single hostnames, e.g. localhost
+    if (!value.match(/^https?:\/\/[a-z\d-]+(\.[a-z\d-]+)*(:\d+)?$/i)) {
+      throw "not a valid origin";      
+    }
+  };
+
+  return {
+    isEmail: isEmail,
+    isDomain: isDomain,
+    isOrigin: isOrigin
+  };
+};
diff --git a/lib/validate.js b/lib/validate.js
@@ -31,11 +31,14 @@ module.exports = function (params) {
           throw k;
         }
       });
-      next();
     } catch(e) {
       var msg = "missing '" + e + "' argument";
-      logger.warn("bad request recieved: " + msg);
+      logger.warn("bad request received: " + msg);
       return httputils.badRequest(resp, msg);
     }
+
+    // this is called outside the try/catch because errors
+    // in the handling of the request should be caught separately
+    next();
   };
 };
diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -22,6 +23,11 @@ exports.args = ['email','site'];
 exports.i18n = true;
 
 exports.process = function(req, res) {
+  // validate
+  // should do this one but it's failing for some reason
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isOrigin();
+
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(res, err);
 

diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -27,6 +28,10 @@ exports.process = function(req, resp) {
   // staging a user logs you out.
   wsapi.clearAuthenticatedUser(req.session);
 
+  // validate
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isOrigin();
+
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(resp, err);
 

diff --git a/scripts/browserid.spec b/scripts/browserid.spec
@@ -38,6 +38,7 @@ for f in bin lib locale node_modules resources scripts *.json; do
 done
 mkdir -p %{buildroot}%{_rootdir}/config
 cp -p config/l10n-all.json %{buildroot}%{_rootdir}/config
+cp -p config/l10n-prod.json %{buildroot}%{_rootdir}/config
 
 %clean
 rm -rf %{buildroot}

diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
@@ -31,7 +31,7 @@ start_stop.addStartupBatches(suite);
 const TEST_DOMAIN = 'example.domain',
       TEST_EMAIL = 'testuser@' + TEST_DOMAIN,
       TEST_ORIGIN = 'http://127.0.0.1:10002',
-      TEST_FIRST_ACCT = 'testuser@fake.domain';
+      TEST_FIRST_ACCT = 'test.user+folder@fake.domain';
 
 // This test will excercise the ability to add an email to an
 // account using an assertion from a primary
@@ -112,7 +112,7 @@ suite.addBatch({
   "stage an account": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: TEST_FIRST_ACCT,
-      site:'fakesite.com'
+      site:'http://fakesite.com:652'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/cache-header-tests.js b/tests/cache-header-tests.js
@@ -45,6 +45,14 @@ function doRequest(path, headers, cb) {
   req.end();
 }
 
+function hasProperFramingHeaders(r, path) {
+  if (['/communication_iframe', '/relay'].indexOf(path) !== -1) {
+    assert.strictEqual(r.headers['x-frame-options'], undefined);
+  } else {
+    assert.strictEqual(r.headers['x-frame-options'],"DENY");
+  }
+}
+
 function hasProperCacheHeaders(path) {
   return {
     topic: function() {
@@ -64,6 +72,8 @@ function hasProperCacheHeaders(path) {
     },
     "returns 200 with content": function(err, r) {
       assert.strictEqual(r.statusCode, 200);
+      // check X-Frame-Option headers
+      hasProperFramingHeaders(r, path);
       // ensure vary headers
       assert.strictEqual(r.headers['vary'], 'Accept-Encoding,Accept-Language');
       // ensure public, max-age=0
@@ -82,13 +92,7 @@ function hasProperCacheHeaders(path) {
         }, this.callback);
       },
       "returns a 304": function(err, r) {
-        if (! err) {
-          if (['/communication_iframe', '/relay'].indexOf(path) !== -1) {
-            assert.strictEqual(r.headers['x-frame-options'], undefined);
-          } else {
-            assert.strictEqual(r.headers['x-frame-options'],"DENY");
-          }
-        }
+        if (!err) hasProperFramingHeaders(r, path);
         assert.strictEqual(r.statusCode, 304);
       }
     },

diff --git a/tests/cert-emails-test.js b/tests/cert-emails-test.js
@@ -33,7 +33,7 @@ suite.addBatch({
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'syncer@somehost.com',
       pubkey: 'fakekey',
-      site:'fakesite.com'
+      site:'http://fakesite.com'
     }),
     "succeeds": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/email-throttling-test.js b/tests/email-throttling-test.js
@@ -24,7 +24,7 @@ suite.addBatch({
   "staging a registration": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'https://fakesite.com:443'
     }),
     "returns 200": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -49,7 +49,7 @@ suite.addBatch({
   "immediately staging another": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'http://fakesite.com:80'
     }),
     "is throttled": function(err, r) {
       assert.strictEqual(r.code, 429);
@@ -74,7 +74,7 @@ suite.addBatch({
   "add a new email address to our account": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: 'second@fakeemail.com',
-      site:'fakesite.com'
+      site:'https://fakesite.com'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -99,7 +99,7 @@ suite.addBatch({
   "re-adding that same new email address a second time": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: 'second@fakeemail.com',
-      site:'fakesite.com'
+      site:'http://fakesite.com'
     }),
     "is throttled with a 429": function(err, r) {
       assert.strictEqual(r.code, 429);

diff --git a/tests/forgotten-email-test.js b/tests/forgotten-email-test.js
@@ -25,7 +25,7 @@ suite.addBatch({
   "staging an account": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'http://localhost:123'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -74,7 +74,7 @@ suite.addBatch({
   "add a new email address to our account": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: 'second@fakeemail.com',
-      site:'fakesite.com'
+      site:'https://fakesite.foobar.bizbaz.uk'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -137,7 +137,7 @@ suite.addBatch({
   "re-stage first account": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'otherfakesite.com'
+      site:'https://otherfakesite.com'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/list-emails-wsapi-test.js b/tests/list-emails-wsapi-test.js
@@ -27,7 +27,7 @@ suite.addBatch({
   "stage an account": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'syncer@somehost.com',
-      site:'fakesite.com'
+      site:'https://foobar.fakesite.com'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/no-cookie-test.js b/tests/no-cookie-test.js
@@ -27,7 +27,7 @@ suite.addBatch({
   "start registration": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'http://fakesite.com:123'
     }),
     "returns 200": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/password-bcrypt-update-test.js b/tests/password-bcrypt-update-test.js
@@ -46,7 +46,7 @@ suite.addBatch({
   "account staging": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: TEST_EMAIL,
-      site:'fakesite.com'
+      site:'https://fakesite.com'
     }),
     "works":     function(err, r) {
       assert.equal(r.code, 200);

diff --git a/tests/password-length-test.js b/tests/password-length-test.js
@@ -40,7 +40,7 @@ suite.addBatch({
   "account staging": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'https://fakesite.com:123'
     }),
     "works":     function(err, r) {
       assert.equal(r.code, 200);

diff --git a/tests/password-update-test.js b/tests/password-update-test.js
@@ -34,7 +34,7 @@ suite.addBatch({
   "account staging": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: TEST_EMAIL,
-      site: 'fakesite.com'
+      site: 'https://fakesite.com:123'
     }),
     "works":     function(err, r) {
       assert.equal(r.code, 200);

diff --git a/tests/primary-then-secondary-test.js b/tests/primary-then-secondary-test.js
@@ -81,7 +81,7 @@ suite.addBatch({
   "add a new email address to our account": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: SECONDARY_EMAIL,
-      site:'fakesite.com'
+      site:'https://fakesite.com'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -146,7 +146,7 @@ suite.addBatch({
   "add a new email address to our account": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: SECOND_SECONDARY_EMAIL,
-      site:'fakesite.com'
+      site:'http://fakesite.com:123'
     }),
     "works": function(err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/registration-status-wsapi-test.js b/tests/registration-status-wsapi-test.js
@@ -51,7 +51,7 @@ suite.addBatch({
   "start registration": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'fakesite.com'
+      site:'https://fakesite.com'
     }),
     "returns 200": function(err, r) {
       assert.strictEqual(r.code, 200);
@@ -170,7 +170,7 @@ suite.addBatch({
   "re-registering an existing email": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'first@fakeemail.com',
-      site:'secondfakesite.com'
+      site:'http://secondfakesite.com'
     }),
     "yields a HTTP 200": function (err, r) {
       assert.strictEqual(r.code, 200);

diff --git a/tests/stalled-mysql-test.js b/tests/stalled-mysql-test.js
@@ -147,7 +147,7 @@ suite.addBatch({
   "stage_user": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: 'bogus@bogus.edu',
-      site: 'whatev.er'
+      site: 'https://whatev.er'
     }),
     "fails with 503": function(err, r) {
       assert.strictEqual(r.code, 503);
@@ -176,7 +176,7 @@ suite.addBatch({
   "account staging": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: "stalltest@whatev.er",
-      site: 'fakesite.com'
+      site: 'http://fakesite.com'
     }),
     "works":     function(err, r) {
       assert.equal(r.code, 200);
@@ -266,7 +266,7 @@ suite.addBatch({
   "stage_email": {
     topic: wsapi.post('/wsapi/stage_email', {
       email: "test2@whatev.er",
-      site: "foo.com"
+      site: "https://foo.com"
     }),
     "fails with 503": function(err, r) {
       assert.strictEqual(r.code, 503);

diff --git a/tests/verifier-test.js b/tests/verifier-test.js
@@ -41,7 +41,7 @@ suite.addBatch({
   "account staging": {
     topic: wsapi.post('/wsapi/stage_user', {
       email: TEST_EMAIL,
-      site: TEST_DOMAIN
+      site: TEST_ORIGIN
     }),
     "works":     function(err, r) {
       assert.equal(r.code, 200);