Merge pull request #226 from zopefoundation/plone-hotfix20171128-redirect-213

Make Redirect unavailable as url [2.13]

Merge pull request #226 from zopefoundation/plone-hotfix20171128-redirect-213
Make Redirect unavailable as url [2.13]
70b90147 · Jens Vagelpohl · GitHub · d23aecf4 · 9c3c3a9d · 70b90147
Commit 70b90147 authored Dec 01, 2017 by Jens Vagelpohl Committed by GitHub Dec 01, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 1 deletion

doc/CHANGES.rst doc/CHANGES.rst +2 -0

src/OFS/Application.py src/OFS/Application.py +3 -1

src/OFS/tests/testApplication.py src/OFS/tests/testApplication.py +36 -0

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
 2.13.27 (unreleased)
 --------------------

+- Made Redirect unavailable as url.  Part of PloneHotfix20171128.
+
 - Skip IPv6 tests on Travis, as it is not supported.

 - add ``tox`` test configuration

--- a/src/OFS/Application.py
+++ b/src/OFS/Application.py
@@ -117,7 +117,9 @@ class Application(ApplicationDefaultPermissions,
        InitializeClass(self)

    def PrincipiaRedirect(self, destination, URL1):
-        """Utility function to allow user-controlled redirects"""
+        # Utility function to allow user-controlled redirects.
+        # No docstring please, we do not want an open redirect
+        # available as url.
        if destination.find('//') >= 0:
            raise RedirectException, destination
        raise RedirectException, ("%s/%s" % (URL1, destination))

--- a/src/OFS/tests/testApplication.py
+++ b/src/OFS/tests/testApplication.py
+from Testing.ZopeTestCase import FunctionalTestCase
 import unittest


@@ -103,10 +104,45 @@ class ApplicationTests(unittest.TestCase):
        self.assertTrue(isinstance(result, NullResource))
        self.assertTrue(aq_parent(aq_inner(result)) is app)

+    def test_redirect_regression(self):
+        """From code you should still be able to call the Redirect method.
+
+        And its aliases too.
+        This is part of PloneHotfix20171128:
+        Redirect should not be callable as url, but from code it is fine.
+        """
+        from zExceptions import Redirect as RedirectException
+        app = self._makeOne()
+        for name in ('Redirect', 'ZopeRedirect', 'PrincipiaRedirect'):
+            method = getattr(app, name, None)
+            if method is None:
+                continue
+            self.assertRaises(
+                RedirectException,
+                method, 'http://google.nl', 'http://other.url')
+
+
+class ApplicationPublishTests(FunctionalTestCase):
+
+    def test_redirect_not_found(self):
+        """Accessing Redirect as url should give a 404.
+
+        This is part of PloneHotfix20171128.
+        """
+        # These are all aliases.
+        # PrincipiaRedirect is no longer there in Zope 4.
+        for name in ('Redirect', 'ZopeRedirect', 'PrincipiaRedirect'):
+            response = self.publish(
+                '/{0}?destination=http://google.nl'.format(name))
+            # This should *not* return a 302 Redirect.
+            self.assertEqual(response.status, 404)
+
+
 def _noWay(self, key, default=None):
    raise KeyError(key)

 def test_suite():
    return unittest.TestSuite((
        unittest.makeSuite(ApplicationTests),
+        unittest.makeSuite(ApplicationPublishTests),
        ))