/web-site: don't allow URLs with paths

for #882
2024-02-27 11:17:07 -08:00 · 2024-02-27 11:17:07 -08:00 · fce24c0645
commit fce24c0645
--- a/tests/test_web.py
+++ b/tests/test_web.py
@ -2422,6 +2422,13 @@ http://this/404s
                         get_flashed_messages())
        self.assertEqual(1, Web.query().count())

+    def test_check_web_site_url_with_path(self, _, __):
+        got = self.post('/web-site', data={'url': 'https://si.te/foo/bar'})
+        self.assert_equals(400, got.status_code)
+        self.assertEqual(['Only top-level web sites and domains are supported.'],
+                         get_flashed_messages())
+        self.assertEqual(1, Web.query().count())
+
    def test_check_web_site_bridgy_fed_domain(self, _, __):
        got = self.post('/web-site', data={'url': 'https://web.brid.gy/foo'})
        self.assert_equals(400, got.status_code)
--- a/web.py
+++ b/web.py
@ -555,12 +555,17 @@ def check_web_site():
    logger.info(f'Params: {list(request.form.items())}')

    url = request.values['url']
+
    # this normalizes and lower cases domain
    domain = util.domain_from_link(url, minimize=False)
    if not domain or not is_valid_domain(domain):
        flash(f'{url} is not a valid or supported web site')
        return render_template('enter_web_site.html'), 400

+    if util.is_web(url) and urlparse(url).path.strip('/'):
+        flash('Only top-level web sites and domains are supported.')
+        return render_template('enter_web_site.html'), 400
+
    try:
        user = Web.get_or_create(domain, direct=True)
        if not user:  # opted out