[fc] Repository: plone.app.discussion
Branch: refs/heads/master Date: 2016-09-19T17:10:10+02:00 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> Commit: plone/plone.app.discussion@358ec89 Apply security hotfix 20160830 for redirects. Files changed: M CHANGES.rst M plone/app/discussion/browser/moderation.py M plone/app/discussion/tests/test_moderation_view.py Repository: plone.app.discussion Branch: refs/heads/master Date: 2016-09-20T10:52:21+02:00 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> Commit: plone/plone.app.discussion@6082876 Merge pull request #112 from plone/apply-hotfix-20160830-master Apply security hotfix 20160830 for redirects. [master] Files changed: M CHANGES.rst M plone/app/discussion/browser/moderation.py M plone/app/discussion/tests/test_moderation_view.py
@@ -1,192 +1,256 @@ | ||
Repository: plone.app.content | ||
Repository: plone.app.discussion | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2016-09-19T11:17:31+02:00 | ||
Date: 2016-09-19T17:10:10+02:00 | ||
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
Commit: https://github.com/plone/plone.app.content/commit/ab6f71df4fb5d76d001cfe6c685a6344a2446133 | ||
Commit: https://github.com/plone/plone.app.discussion/commit/358ec89c03c3068993a1b73499d2e59f9d977088 | ||
|
||
Apply security hotfix 20160830 for folder factories redirection. | ||
Apply security hotfix 20160830 for redirects. | ||
|
||
Files changed: | ||
M CHANGES.rst | ||
M plone/app/content/browser/folderfactories.py | ||
M plone/app/content/tests/test_folder.py | ||
M plone/app/discussion/browser/moderation.py | ||
M plone/app/discussion/tests/test_moderation_view.py | ||
|
||
diff --git a/CHANGES.rst b/CHANGES.rst | ||
index 52eb8e0..2efff9b 100644 | ||
index 9a0748d..894e27f 100644 | ||
--- a/CHANGES.rst | ||
+++ b/CHANGES.rst | ||
@@ -14,7 +14,7 @@ New features: | ||
|
||
Bug fixes: | ||
|
||
-- *add item here* | ||
+- Apply security hotfix 20160830 for folder factories redirection. [maurits] | ||
+- Apply security hotfix 20160830 for redirects. [maurits] | ||
|
||
- Update Traditional Chinese translation. | ||
[l34marr] | ||
diff --git a/plone/app/discussion/browser/moderation.py b/plone/app/discussion/browser/moderation.py | ||
index 722386d..f1623ea 100644 | ||
--- a/plone/app/discussion/browser/moderation.py | ||
+++ b/plone/app/discussion/browser/moderation.py | ||
@@ -105,7 +105,9 @@ def __call__(self): | ||
type='info') | ||
came_from = self.context.REQUEST.HTTP_REFERER | ||
# if the referrer already has a came_from in it, don't redirect back | ||
- if len(came_from) == 0 or 'came_from=' in came_from: | ||
+ if (len(came_from) == 0 or 'came_from=' in came_from or | ||
+ not getToolByName( | ||
+ content_object, 'portal_url').isURLInPortal(came_from)): | ||
came_from = content_object.absolute_url() | ||
return self.context.REQUEST.RESPONSE.redirect(came_from) | ||
|
||
3.3 (2016-09-14) | ||
diff --git a/plone/app/content/browser/folderfactories.py b/plone/app/content/browser/folderfactories.py | ||
index 7d505ad..523939d 100644 | ||
--- a/plone/app/content/browser/folderfactories.py | ||
+++ b/plone/app/content/browser/folderfactories.py | ||
@@ -27,7 +27,10 @@ class FolderFactoriesView(BrowserView): | ||
@@ -186,7 +188,9 @@ def __call__(self): | ||
type='info') | ||
came_from = self.context.REQUEST.HTTP_REFERER | ||
# if the referrer already has a came_from in it, don't redirect back | ||
- if len(came_from) == 0 or 'came_from=' in came_from: | ||
+ if (len(came_from) == 0 or 'came_from=' in came_from or | ||
+ not getToolByName( | ||
+ content_object, 'portal_url').isURLInPortal(came_from)): | ||
came_from = content_object.absolute_url() | ||
return self.context.REQUEST.RESPONSE.redirect(came_from) | ||
|
||
def __call__(self): | ||
if 'form.button.Add' in self.request.form: | ||
+ urltool = getToolByName(self.context, 'portal_url') | ||
url = self.request.form.get('url') | ||
+ if not urltool.isURLInPortal(url): | ||
+ url = self.context.absolute_url() | ||
self.request.response.redirect(url) | ||
return '' | ||
else: | ||
diff --git a/plone/app/content/tests/test_folder.py b/plone/app/content/tests/test_folder.py | ||
index 058b17b..6e3b816 100644 | ||
--- a/plone/app/content/tests/test_folder.py | ||
+++ b/plone/app/content/tests/test_folder.py | ||
@@ -2,6 +2,7 @@ | ||
from DateTime import DateTime | ||
from plone.app.content.testing import PLONE_APP_CONTENT_AT_INTEGRATION_TESTING | ||
from plone.app.content.testing import PLONE_APP_CONTENT_DX_INTEGRATION_TESTING | ||
+from plone.app.content.testing import PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING | ||
from plone.app.testing import login | ||
diff --git a/plone/app/discussion/tests/test_moderation_view.py b/plone/app/discussion/tests/test_moderation_view.py | ||
index 9233a8c..849a0d0 100644 | ||
--- a/plone/app/discussion/tests/test_moderation_view.py | ||
+++ b/plone/app/discussion/tests/test_moderation_view.py | ||
@@ -1,12 +1,17 @@ | ||
# -*- coding: utf-8 -*- | ||
from plone.app.discussion.browser.moderation import BulkActionsView | ||
+from plone.app.discussion.browser.moderation import DeleteComment | ||
+from plone.app.discussion.browser.moderation import PublishComment | ||
from plone.app.discussion.browser.moderation import View | ||
from plone.app.discussion.interfaces import IConversation | ||
+from plone.app.discussion.interfaces import IDiscussionSettings | ||
from plone.app.discussion.testing import PLONE_APP_DISCUSSION_INTEGRATION_TESTING # noqa | ||
from plone.app.testing import setRoles | ||
from plone.app.testing import TEST_USER_ID | ||
@@ -473,3 +474,37 @@ def test_item_order_move_by_delta(self): | ||
class RearrangeATTest(RearrangeDXTest): | ||
+from plone.registry.interfaces import IRegistry | ||
from Products.CMFCore.utils import getToolByName | ||
from zope.component import createObject | ||
+from zope.component import queryUtility | ||
|
||
layer = PLONE_APP_CONTENT_AT_INTEGRATION_TESTING | ||
import unittest | ||
|
||
@@ -155,3 +160,48 @@ def test_delete(self): | ||
comment = self.conversation.getComments().next() | ||
self.assertTrue(comment) | ||
self.assertEqual(comment, self.comment2) | ||
+ | ||
+ | ||
+class RedirectionTest(unittest.TestCase): | ||
+ | ||
+class FolderFactoriesTest(unittest.TestCase): | ||
+ layer = PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING | ||
+ layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING | ||
+ | ||
+ def setUp(self): | ||
+ # Update settings. | ||
+ self.portal = self.layer['portal'] | ||
+ self.request = self.layer['request'] | ||
+ login(self.portal, TEST_USER_NAME) | ||
+ setRoles(self.portal, TEST_USER_ID, ['Manager']) | ||
+ # applyProfile(self.portal, 'plone.app.discussion:default') | ||
+ registry = queryUtility(IRegistry) | ||
+ settings = registry.forInterface(IDiscussionSettings) | ||
+ settings.globally_enabled = True | ||
+ self.portal.portal_workflow.setChainForPortalTypes( | ||
+ ('Discussion Item',), | ||
+ ('comment_review_workflow',)) | ||
+ # Create page plus comment. | ||
+ self.portal.invokeFactory( | ||
+ id='page', | ||
+ title='Page 1', | ||
+ type_name='Document' | ||
+ ) | ||
+ self.page = self.portal.page | ||
+ self.conversation = IConversation(self.page) | ||
+ comment = createObject('plone.Comment') | ||
+ comment.text = 'Comment text' | ||
+ self.comment_id = self.conversation.addComment(comment) | ||
+ self.comment = list(self.conversation.getComments())[0] | ||
+ | ||
+ def test_folder_factories_regression(self): | ||
+ from plone.app.content.browser.folderfactories import ( | ||
+ FolderFactoriesView as FFV) | ||
+ view = FFV(self.portal, self.request) | ||
+ self.request.form.update({ | ||
+ 'form.button.Add': 'yes', | ||
+ 'url': self.portal.absolute_url() | ||
+ }) | ||
+ view() | ||
+ self.assertEqual(self.request.response.headers.get('location'), | ||
+ self.portal.absolute_url()) | ||
+ def test_regression(self): | ||
+ page_url = self.page.absolute_url() | ||
+ self.request['HTTP_REFERER'] = page_url | ||
+ for Klass in (DeleteComment, PublishComment): | ||
+ view = Klass(self.comment, self.request) | ||
+ view.__parent__ = self.comment | ||
+ self.assertEqual(page_url, view()) | ||
+ | ||
+ def test_folder_factories(self): | ||
+ from plone.app.content.browser.folderfactories import ( | ||
+ FolderFactoriesView as FFV) | ||
+ view = FFV(self.portal, self.request) | ||
+ self.request.form.update({ | ||
+ 'form.button.Add': 'yes', | ||
+ 'url': 'http://www.foobar.com' | ||
+ }) | ||
+ view() | ||
+ self.assertNotEqual(self.request.response.headers.get('location'), | ||
+ 'http://www.foobar.com') | ||
+ def test_valid_next_url(self): | ||
+ self.request['HTTP_REFERER'] = 'http://attacker.com' | ||
+ for Klass in (DeleteComment, PublishComment): | ||
+ view = Klass(self.comment, self.request) | ||
+ view.__parent__ = self.comment | ||
+ self.assertNotEqual('http://attacker.com', view()) | ||
|
||
|
||
Repository: plone.app.content | ||
Repository: plone.app.discussion | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2016-09-19T12:43:14+02:00 | ||
Date: 2016-09-20T10:52:21+02:00 | ||
Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> | ||
Commit: https://github.com/plone/plone.app.content/commit/7e72ab71ddd41c8bd8bbc0572c48279cdc1dd0a3 | ||
Commit: https://github.com/plone/plone.app.discussion/commit/608287692ce4399771387da6a651ade27a97e835 | ||
|
||
Merge pull request #108 from plone/apply-hotfix-20160830-master | ||
Merge pull request #112 from plone/apply-hotfix-20160830-master | ||
|
||
Apply security hotfix 20160830 for folder factories redirection. [master] | ||
Apply security hotfix 20160830 for redirects. [master] | ||
|
||
Files changed: | ||
M CHANGES.rst | ||
M plone/app/content/browser/folderfactories.py | ||
M plone/app/content/tests/test_folder.py | ||
M plone/app/discussion/browser/moderation.py | ||
M plone/app/discussion/tests/test_moderation_view.py | ||
|
||
diff --git a/CHANGES.rst b/CHANGES.rst | ||
index 52eb8e0..2efff9b 100644 | ||
index 9a0748d..894e27f 100644 | ||
--- a/CHANGES.rst | ||
+++ b/CHANGES.rst | ||
@@ -14,7 +14,7 @@ New features: | ||
|
||
Bug fixes: | ||
|
||
-- *add item here* | ||
+- Apply security hotfix 20160830 for folder factories redirection. [maurits] | ||
+- Apply security hotfix 20160830 for redirects. [maurits] | ||
|
||
- Update Traditional Chinese translation. | ||
[l34marr] | ||
diff --git a/plone/app/discussion/browser/moderation.py b/plone/app/discussion/browser/moderation.py | ||
index 722386d..f1623ea 100644 | ||
--- a/plone/app/discussion/browser/moderation.py | ||
+++ b/plone/app/discussion/browser/moderation.py | ||
@@ -105,7 +105,9 @@ def __call__(self): | ||
type='info') | ||
came_from = self.context.REQUEST.HTTP_REFERER | ||
# if the referrer already has a came_from in it, don't redirect back | ||
- if len(came_from) == 0 or 'came_from=' in came_from: | ||
+ if (len(came_from) == 0 or 'came_from=' in came_from or | ||
+ not getToolByName( | ||
+ content_object, 'portal_url').isURLInPortal(came_from)): | ||
came_from = content_object.absolute_url() | ||
return self.context.REQUEST.RESPONSE.redirect(came_from) | ||
|
||
3.3 (2016-09-14) | ||
diff --git a/plone/app/content/browser/folderfactories.py b/plone/app/content/browser/folderfactories.py | ||
index 7d505ad..523939d 100644 | ||
--- a/plone/app/content/browser/folderfactories.py | ||
+++ b/plone/app/content/browser/folderfactories.py | ||
@@ -27,7 +27,10 @@ class FolderFactoriesView(BrowserView): | ||
@@ -186,7 +188,9 @@ def __call__(self): | ||
type='info') | ||
came_from = self.context.REQUEST.HTTP_REFERER | ||
# if the referrer already has a came_from in it, don't redirect back | ||
- if len(came_from) == 0 or 'came_from=' in came_from: | ||
+ if (len(came_from) == 0 or 'came_from=' in came_from or | ||
+ not getToolByName( | ||
+ content_object, 'portal_url').isURLInPortal(came_from)): | ||
came_from = content_object.absolute_url() | ||
return self.context.REQUEST.RESPONSE.redirect(came_from) | ||
|
||
def __call__(self): | ||
if 'form.button.Add' in self.request.form: | ||
+ urltool = getToolByName(self.context, 'portal_url') | ||
url = self.request.form.get('url') | ||
+ if not urltool.isURLInPortal(url): | ||
+ url = self.context.absolute_url() | ||
self.request.response.redirect(url) | ||
return '' | ||
else: | ||
diff --git a/plone/app/content/tests/test_folder.py b/plone/app/content/tests/test_folder.py | ||
index 058b17b..6e3b816 100644 | ||
--- a/plone/app/content/tests/test_folder.py | ||
+++ b/plone/app/content/tests/test_folder.py | ||
@@ -2,6 +2,7 @@ | ||
from DateTime import DateTime | ||
from plone.app.content.testing import PLONE_APP_CONTENT_AT_INTEGRATION_TESTING | ||
from plone.app.content.testing import PLONE_APP_CONTENT_DX_INTEGRATION_TESTING | ||
+from plone.app.content.testing import PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING | ||
from plone.app.testing import login | ||
diff --git a/plone/app/discussion/tests/test_moderation_view.py b/plone/app/discussion/tests/test_moderation_view.py | ||
index 9233a8c..849a0d0 100644 | ||
--- a/plone/app/discussion/tests/test_moderation_view.py | ||
+++ b/plone/app/discussion/tests/test_moderation_view.py | ||
@@ -1,12 +1,17 @@ | ||
# -*- coding: utf-8 -*- | ||
from plone.app.discussion.browser.moderation import BulkActionsView | ||
+from plone.app.discussion.browser.moderation import DeleteComment | ||
+from plone.app.discussion.browser.moderation import PublishComment | ||
from plone.app.discussion.browser.moderation import View | ||
from plone.app.discussion.interfaces import IConversation | ||
+from plone.app.discussion.interfaces import IDiscussionSettings | ||
from plone.app.discussion.testing import PLONE_APP_DISCUSSION_INTEGRATION_TESTING # noqa | ||
from plone.app.testing import setRoles | ||
from plone.app.testing import TEST_USER_ID | ||
@@ -473,3 +474,37 @@ def test_item_order_move_by_delta(self): | ||
class RearrangeATTest(RearrangeDXTest): | ||
+from plone.registry.interfaces import IRegistry | ||
from Products.CMFCore.utils import getToolByName | ||
from zope.component import createObject | ||
+from zope.component import queryUtility | ||
|
||
layer = PLONE_APP_CONTENT_AT_INTEGRATION_TESTING | ||
import unittest | ||
|
||
@@ -155,3 +160,48 @@ def test_delete(self): | ||
comment = self.conversation.getComments().next() | ||
self.assertTrue(comment) | ||
self.assertEqual(comment, self.comment2) | ||
+ | ||
+ | ||
+class RedirectionTest(unittest.TestCase): | ||
+ | ||
+class FolderFactoriesTest(unittest.TestCase): | ||
+ layer = PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING | ||
+ layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING | ||
+ | ||
+ def setUp(self): | ||
+ # Update settings. | ||
+ self.portal = self.layer['portal'] | ||
+ self.request = self.layer['request'] | ||
+ login(self.portal, TEST_USER_NAME) | ||
+ setRoles(self.portal, TEST_USER_ID, ['Manager']) | ||
+ # applyProfile(self.portal, 'plone.app.discussion:default') | ||
+ registry = queryUtility(IRegistry) | ||
+ settings = registry.forInterface(IDiscussionSettings) | ||
+ settings.globally_enabled = True | ||
+ self.portal.portal_workflow.setChainForPortalTypes( | ||
+ ('Discussion Item',), | ||
+ ('comment_review_workflow',)) | ||
+ # Create page plus comment. | ||
+ self.portal.invokeFactory( | ||
+ id='page', | ||
+ title='Page 1', | ||
+ type_name='Document' | ||
+ ) | ||
+ self.page = self.portal.page | ||
+ self.conversation = IConversation(self.page) | ||
+ comment = createObject('plone.Comment') | ||
+ comment.text = 'Comment text' | ||
+ self.comment_id = self.conversation.addComment(comment) | ||
+ self.comment = list(self.conversation.getComments())[0] | ||
+ | ||
+ def test_folder_factories_regression(self): | ||
+ from plone.app.content.browser.folderfactories import ( | ||
+ FolderFactoriesView as FFV) | ||
+ view = FFV(self.portal, self.request) | ||
+ self.request.form.update({ | ||
+ 'form.button.Add': 'yes', | ||
+ 'url': self.portal.absolute_url() | ||
+ }) | ||
+ view() | ||
+ self.assertEqual(self.request.response.headers.get('location'), | ||
+ self.portal.absolute_url()) | ||
+ def test_regression(self): | ||
+ page_url = self.page.absolute_url() | ||
+ self.request['HTTP_REFERER'] = page_url | ||
+ for Klass in (DeleteComment, PublishComment): | ||
+ view = Klass(self.comment, self.request) | ||
+ view.__parent__ = self.comment | ||
+ self.assertEqual(page_url, view()) | ||
+ | ||
+ def test_folder_factories(self): | ||
+ from plone.app.content.browser.folderfactories import ( | ||
+ FolderFactoriesView as FFV) | ||
+ view = FFV(self.portal, self.request) | ||
+ self.request.form.update({ | ||
+ 'form.button.Add': 'yes', | ||
+ 'url': 'http://www.foobar.com' | ||
+ }) | ||
+ view() | ||
+ self.assertNotEqual(self.request.response.headers.get('location'), | ||
+ 'http://www.foobar.com') | ||
+ def test_valid_next_url(self): | ||
+ self.request['HTTP_REFERER'] = 'http://attacker.com' | ||
+ for Klass in (DeleteComment, PublishComment): | ||
+ view = Klass(self.comment, self.request) | ||
+ view.__parent__ = self.comment | ||
+ self.assertNotEqual('http://attacker.com', view()) | ||
|
||
|
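Review bot: `test_valid_next_url` in the test_moderation_view.py hunk asserts only that the redirect target differs from the off-site referer, so a regression that sent the browser to any other external URL would still pass; pinning the fallback with `self.assertEqual(self.page.absolute_url(), view())` (if `content_object` resolves to the page, as the setUp suggests) would mirror `test_regression` and verify what the moderation.py hunk actually introduces. The test name is also misleading for a case whose referer is off-portal; a name such as `test_offsite_referer_falls_back_to_content` would describe the scenario. In the moderation.py hunk the new `isURLInPortal` guard sits inside a `__call__` whose body starts outside the hunk, so whether `content_object` and `getToolByName` are bound there cannot be confirmed from this page. This section is a mirrored commit log, so the change would land upstream in plone.app.discussion rather than in this file.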