Merge pull request #226 from zopefoundation/plone-hotfix20171128-redi…

…rect-213 Make Redirect unavailable as url [2.13]
zopefoundation · Dec 1, 2017 · 70b9014 · 70b9014
2 parents d23aecf + 9c3c3a9
commit 70b9014
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
 2.13.27 (unreleased)
 --------------------
 
+- Made Redirect unavailable as url.  Part of PloneHotfix20171128.
+
 - Skip IPv6 tests on Travis, as it is not supported.
 
 - add ``tox`` test configuration

diff --git a/src/OFS/Application.py b/src/OFS/Application.py
@@ -117,7 +117,9 @@ def __class_init__(self):
         InitializeClass(self)
 
     def PrincipiaRedirect(self, destination, URL1):
-        """Utility function to allow user-controlled redirects"""
+        # Utility function to allow user-controlled redirects.
+        # No docstring please, we do not want an open redirect
+        # available as url.
         if destination.find('//') >= 0:
             raise RedirectException, destination
         raise RedirectException, ("%s/%s" % (URL1, destination))

diff --git a/src/OFS/tests/testApplication.py b/src/OFS/tests/testApplication.py
@@ -1,3 +1,4 @@
+from Testing.ZopeTestCase import FunctionalTestCase
 import unittest
 
 
@@ -103,10 +104,45 @@ def test___bobo_traverse__attribute_key_miss_R_M_not_GET_POST(self):
         self.assertTrue(isinstance(result, NullResource))
         self.assertTrue(aq_parent(aq_inner(result)) is app)
 
+    def test_redirect_regression(self):
+        """From code you should still be able to call the Redirect method.
+
+        And its aliases too.
+        This is part of PloneHotfix20171128:
+        Redirect should not be callable as url, but from code it is fine.
+        """
+        from zExceptions import Redirect as RedirectException
+        app = self._makeOne()
+        for name in ('Redirect', 'ZopeRedirect', 'PrincipiaRedirect'):
+            method = getattr(app, name, None)
+            if method is None:
+                continue
+            self.assertRaises(
+                RedirectException,
+                method, 'http://google.nl', 'http://other.url')
+
+
+class ApplicationPublishTests(FunctionalTestCase):
+
+    def test_redirect_not_found(self):
+        """Accessing Redirect as url should give a 404.
+
+        This is part of PloneHotfix20171128.
+        """
+        # These are all aliases.
+        # PrincipiaRedirect is no longer there in Zope 4.
+        for name in ('Redirect', 'ZopeRedirect', 'PrincipiaRedirect'):
+            response = self.publish(
+                '/{0}?destination=http://google.nl'.format(name))
+            # This should *not* return a 302 Redirect.
+            self.assertEqual(response.status, 404)
+
+
 def _noWay(self, key, default=None):
     raise KeyError(key)
 
 def test_suite():
     return unittest.TestSuite((
         unittest.makeSuite(ApplicationTests),
+        unittest.makeSuite(ApplicationPublishTests),
         ))