From fce24c0645684a9941163333197337c679261437 Mon Sep 17 00:00:00 2001
From: Ryan Barrett
Date: Tue, 27 Feb 2024 11:17:07 -0800
Subject: [PATCH] /web-site: don't allow URLs with paths for #882

---
 tests/test_web.py | 7 +++++++
 web.py            | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/tests/test_web.py b/tests/test_web.py
index 953a6fe..910503e 100644
--- a/tests/test_web.py
+++ b/tests/test_web.py
@@ -2422,6 +2422,13 @@ http://this/404s
                          get_flashed_messages())
         self.assertEqual(1, Web.query().count())
 
+    def test_check_web_site_url_with_path(self, _, __):
+        got = self.post('/web-site', data={'url': 'https://si.te/foo/bar'})
+        self.assert_equals(400, got.status_code)
+        self.assertEqual(['Only top-level web sites and domains are supported.'],
+                         get_flashed_messages())
+        self.assertEqual(1, Web.query().count())
+
     def test_check_web_site_bridgy_fed_domain(self, _, __):
         got = self.post('/web-site', data={'url': 'https://web.brid.gy/foo'})
         self.assert_equals(400, got.status_code)
diff --git a/web.py b/web.py
index 8e79afd..d9c8753 100644
--- a/web.py
+++ b/web.py
@@ -555,12 +555,17 @@ def check_web_site():
     logger.info(f'Params: {list(request.form.items())}')
     url = request.values['url']
 
+    # this normalizes and lower cases domain
     domain = util.domain_from_link(url, minimize=False)
     if not domain or not is_valid_domain(domain):
         flash(f'{url} is not a valid or supported web site')
         return render_template('enter_web_site.html'), 400
 
+    if util.is_web(url) and urlparse(url).path.strip('/'):
+        flash('Only top-level web sites and domains are supported.')
+        return render_template('enter_web_site.html'), 400
+
     try:
         user = Web.get_or_create(domain, direct=True)
         if not user: # opted out
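Review bot: The new test_check_web_site_url_with_path only exercises a URL with a path component (`/foo/bar`); the check it pins down, visible in the web.py hunk, inspects `urlparse(url).path` alone, so a URL whose only extra component is a query string or fragment (constructed examples: `https://si.te/?a=b`, `https://si.te/#x`) is not covered and would presumably still fall through to `Web.get_or_create`. The boundary the new check is meant to allow is also untested: a bare trailing slash such as `https://si.te/` should pass `path.strip('/')` and be accepted, and a positive assertion for that would document the intended rule. Consider a parallel case, e.g. `got = self.post('/web-site', data={'url': 'https://si.te/?a=b'})` with the same 400 and flash-message assertions, or a comment in the test stating that query strings and fragments are deliberately out of scope for #882. The enclosing test class starts outside this hunk.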