Launchpad itself

Merge lp:~danilo/launchpad/revert-xss-workaround into lp:launchpad

  1. revert-xss-workaround
  2. Merge into devel
Proposed by Данило Шеган
Status: Merged
Approved by: Данило Шеган
Approved revision: no longer in the source branch.
Merged at revision: 12728
Proposed branch: lp:~danilo/launchpad/revert-xss-workaround
Merge into: lp:launchpad
Diff against target: 167 lines (+1/-98)
5 files modified
lib/lp/bugs/browser/tests/test_bugsubscriptionfilter.py (+0/-8)
lib/lp/bugs/model/bugsubscriptionfilter.py (+1/-17)
lib/lp/bugs/model/tests/test_bugsubscriptionfilter.py (+0/-21)
lib/lp/registry/javascript/structural-subscription.js (+0/-12)
lib/lp/registry/javascript/tests/test_structural_subscription.js (+0/-40)
To merge this branch: bzr merge lp:~danilo/launchpad/revert-xss-workaround
Reviewer Review Type Date Requested Status
Gavin Panella (community) Approve
Review via email: mp+55738@code.launchpad.net

Commit message

[r=allenap][no-qa] Revert workaround for 740640 that we don't need anymore.

Description of the change

= Revert XSS fix for 740640 =

Bug 740640 fix was unnecessary since in the meantime lazr.restful has been changed to provide the fix automatically.

== Proposed fix ==

Revert parts of that branch that we don't need anymore. We only leave tags-validation in the subscription overlay.

= Launchpad lint =

Checking for conflicts and issues in changed files.

Linting changed files:
  lib/lp/bugs/browser/tests/test_bugsubscriptionfilter.py
  lib/lp/bugs/model/bugsubscriptionfilter.py
  lib/lp/registry/javascript/tests/test_structural_subscription.js
  lib/lp/bugs/model/tests/test_bugsubscriptionfilter.py
  lib/lp/registry/javascript/structural-subscription.js

To post a comment you must log in.
Revision history for this message
Gavin Panella (allenap) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'lib/lp/bugs/browser/tests/test_bugsubscriptionfilter.py'
--- lib/lp/bugs/browser/tests/test_bugsubscriptionfilter.py 2011-03-29 10:52:55 +0000
+++ lib/lp/bugs/browser/tests/test_bugsubscriptionfilter.py 2011-03-31 11:57:30 +0000
@@ -183,14 +183,6 @@
183 self.assertEqual(183 self.assertEqual(
184 u"It's late.", self.subscription_filter.description)184 u"It's late.", self.subscription_filter.description)
185185
186 def test_modify_description_xss_safeguard(self):
187 # The description can be modified but raises an
188 # exception if you try potential XSS attack characters.
189 self.ws_subscription_filter.description = u"&gt; <>"
190 error = self.assertRaises(
191 BadRequest, self.ws_subscription_filter.lp_save)
192 self.assertEqual(400, error.response.status)
193
194 def test_modify_statuses(self):186 def test_modify_statuses(self):
195 # The statuses field can be modified.187 # The statuses field can be modified.
196 self.assertEqual(set(), self.subscription_filter.statuses)188 self.assertEqual(set(), self.subscription_filter.statuses)
197189
=== modified file 'lib/lp/bugs/model/bugsubscriptionfilter.py'
--- lib/lp/bugs/model/bugsubscriptionfilter.py 2011-03-29 10:52:55 +0000
+++ lib/lp/bugs/model/bugsubscriptionfilter.py 2011-03-31 11:57:30 +0000
@@ -22,7 +22,6 @@
22from canonical.database.sqlbase import sqlvalues22from canonical.database.sqlbase import sqlvalues
23from canonical.launchpad import searchbuilder23from canonical.launchpad import searchbuilder
24from canonical.launchpad.interfaces.lpstorm import IStore24from canonical.launchpad.interfaces.lpstorm import IStore
25from lazr.restful.error import expose
26from lp.bugs.enum import BugNotificationLevel25from lp.bugs.enum import BugNotificationLevel
27from lp.bugs.interfaces.bugsubscriptionfilter import IBugSubscriptionFilter26from lp.bugs.interfaces.bugsubscriptionfilter import IBugSubscriptionFilter
28from lp.bugs.interfaces.bugtask import (27from lp.bugs.interfaces.bugtask import (
@@ -63,22 +62,7 @@
6362
64 other_parameters = Unicode()63 other_parameters = Unicode()
6564
66 _description = Unicode('description')65 description = Unicode('description')
67
68 def _get_description(self):
69 return self._description
70
71 def _set_description(self, description):
72 has_html_chars = (
73 '<' in description or '>' in description or
74 '"' in description or '&' in description)
75 if has_html_chars:
76 raise expose(ValueError(
77 'BugSubscriptionFilter description cannot contain '
78 'any of <, >, " or &.'))
79 self._description = description
80
81 description = property(_get_description, _set_description)
8266
83 def _get_statuses(self):67 def _get_statuses(self):
84 """Return a frozenset of statuses to filter on."""68 """Return a frozenset of statuses to filter on."""
8569
=== modified file 'lib/lp/bugs/model/tests/test_bugsubscriptionfilter.py'
--- lib/lp/bugs/model/tests/test_bugsubscriptionfilter.py 2011-03-29 10:52:55 +0000
+++ lib/lp/bugs/model/tests/test_bugsubscriptionfilter.py 2011-03-31 11:57:30 +0000
@@ -76,27 +76,6 @@
76 bug_subscription_filter.description = u"foo"76 bug_subscription_filter.description = u"foo"
77 self.assertEqual(u"foo", bug_subscription_filter.description)77 self.assertEqual(u"foo", bug_subscription_filter.description)
7878
79 def test_description_xss_safeguard_tags(self):
80 """Test that description property disallows a HTML tags."""
81 bug_subscription_filter = BugSubscriptionFilter()
82 self.assertRaises(ValueError,
83 setattr, bug_subscription_filter, 'description',
84 u'<script>')
85
86 def test_description_xss_safeguard_ampersand(self):
87 """description property disallows a few HTML characters."""
88 bug_subscription_filter = BugSubscriptionFilter()
89 self.assertRaises(ValueError,
90 setattr, bug_subscription_filter, 'description',
91 u'test & blow up')
92
93 def test_description_xss_safeguard_quote(self):
94 """description property disallows a few HTML characters."""
95 bug_subscription_filter = BugSubscriptionFilter()
96 self.assertRaises(ValueError,
97 setattr, bug_subscription_filter, 'description',
98 u'test "double" quotes')
99
100 def test_defaults(self):79 def test_defaults(self):
101 """Test the default values of `BugSubscriptionFilter` objects."""80 """Test the default values of `BugSubscriptionFilter` objects."""
102 # Create.81 # Create.
10382
=== modified file 'lib/lp/registry/javascript/structural-subscription.js'
--- lib/lp/registry/javascript/structural-subscription.js 2011-03-30 11:36:37 +0000
+++ lib/lp/registry/javascript/structural-subscription.js 2011-03-31 11:57:30 +0000
@@ -268,7 +268,6 @@
268268
269function setup_overlay_validators(overlay, overlay_id) {269function setup_overlay_validators(overlay, overlay_id) {
270 overlay.field_validators = {270 overlay.field_validators = {
271 name: get_error_for_subscription_name,
272 tags: get_error_for_tags_list271 tags: get_error_for_tags_list
273 };272 };
274 overlay.field_errors = {};273 overlay.field_errors = {};
@@ -862,17 +861,6 @@
862 });861 });
863};862};
864863
865function get_error_for_subscription_name(value) {
866 if (value.search(/[\<\>\"\&]/) == -1) {
867 return null;
868 } else {
869 return ('Subscription name cannot contain any of the following ' +
870 'characters: &lt; &gt; &quot; &amp;');
871 }
872};
873// Export for testing
874namespace._get_error_for_subscription_name = get_error_for_subscription_name;
875
876function get_error_for_tags_list(value) {864function get_error_for_tags_list(value) {
877 // See database/schema/trusted.sql valid_name() function865 // See database/schema/trusted.sql valid_name() function
878 // which is used to validate a single tag.866 // which is used to validate a single tag.
879867
=== modified file 'lib/lp/registry/javascript/tests/test_structural_subscription.js'
--- lib/lp/registry/javascript/tests/test_structural_subscription.js 2011-03-30 11:36:37 +0000
+++ lib/lp/registry/javascript/tests/test_structural_subscription.js 2011-03-31 11:57:30 +0000
@@ -252,46 +252,6 @@
252252
253 },253 },
254254
255 test_get_error_for_subscription_name_valid: function() {
256 // Valid name makes get_error_for_subscription_name return null.
257 var name = 'Test + name!';
258 Assert.isNull(module._get_error_for_subscription_name(name));
259 },
260
261 assertHasErrorInSubscriptionName: function(subscription_name) {
262 var error_text = module._get_error_for_subscription_name(
263 subscription_name);
264 Assert.isNotNull(error_text);
265 Assert.areEqual(
266 'Subscription name cannot contain any of the following ' +
267 'characters: &lt; &gt; &quot; &amp;',
268 error_text);
269 },
270
271 test_get_error_for_subscription_name_left_angle_bracket: function() {
272 // For invalid names get_error_for_subscription_name returns
273 // an error message instead.
274 this.assertHasErrorInSubscriptionName('<Test');
275 },
276
277 test_get_error_for_subscription_name_right_angle_bracket: function() {
278 // For invalid names get_error_for_subscription_name returns
279 // an error message instead.
280 this.assertHasErrorInSubscriptionName('Test>');
281 },
282
283 test_get_error_for_subscription_name_ampersand: function() {
284 // For invalid names get_error_for_subscription_name returns
285 // an error message instead.
286 this.assertHasErrorInSubscriptionName('Test & fail');
287 },
288
289 test_get_error_for_subscription_name_quote: function() {
290 // For invalid names get_error_for_subscription_name returns
291 // an error message instead.
292 this.assertHasErrorInSubscriptionName('Test "failure"');
293 },
294
295 test_get_error_for_tags_list_valid: function() {255 test_get_error_for_tags_list_valid: function() {
296 // Valid tags list is a space-separated list of tags256 // Valid tags list is a space-separated list of tags
297 // consisting of all lowercase and digits and potentially257 // consisting of all lowercase and digits and potentially