From 0180b4b6b53b65ddca282c5be262329340d3d02f Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Mon, 12 Feb 2024 20:58:26 +0100
Subject: [PATCH] Better error handling on next parameter

---
 cps/redirect.py                         |   17 +-
 cps/web.py                              |    2 +-
 test/Calibre-Web TestSummary_Linux.html | 1305 ++++++++++-------
 3 files changed, 583 insertions(+), 741 deletions(-)
 mode change 100644 => 100755 cps/redirect.py

diff --git a/cps/redirect.py b/cps/redirect.py
old mode 100644
new mode 100755
index 09b3101f..337bb77b
--- a/cps/redirect.py
+++ b/cps/redirect.py
@@ -29,7 +29,7 @@
 
 from urllib.parse import urlparse, urljoin
 
-from flask import request, url_for, redirect
+from flask import request, url_for, redirect, current_app
 
 
 def is_safe_url(target):
@@ -38,16 +38,15 @@ def is_safe_url(target):
     return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc
 
 
-def get_redirect_target():
-    for target in request.values.get('next'), request.referrer:
-        if not target:
-            continue
-        if is_safe_url(target):
-            return target
+def remove_prefix(text, prefix):
+    if text.startswith(prefix):
+        return text[len(prefix):]
+    return ""
 
 
 def redirect_back(endpoint, **values):
-    target = request.form['next']
-    if not target or not is_safe_url(target):
+    target = request.form.get('next', None) or url_for(endpoint, **values)
+    adapter = current_app.url_map.bind(urlparse(request.host_url).netloc)
+    if not len(adapter.allowed_methods(remove_prefix(target, request.environ.get('HTTP_X_SCRIPT_NAME',"")))):
         target = url_for(endpoint, **values)
     return redirect(target)
diff --git a/cps/web.py b/cps/web.py
index 705627e7..4a95a21d 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -1322,7 +1322,7 @@ def handle_login_user(user, remember, message, category):
     ub.store_user_session()
     flash(message, category=category)
     [limiter.limiter.storage.clear(k.key) for k in limiter.current_limits]
-    return redirect_back(url_for("web.index"))
+    return redirect_back("web.index")
 
 
 def render_login(username="", password=""):
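Review bot: The new route-existence check in `redirect_back` can accept a `next` target that is not under this application when `HTTP_X_SCRIPT_NAME` is set, because `remove_prefix` returns `""` for any target that does not start with the prefix, and as far as I can tell `adapter.allowed_methods("")` resolves against the root rule and returns a non-empty method list, so the original, untrimmed target is then passed to `redirect` unchanged. The commit also drops the same-netloc `is_safe_url` check that the removed `get_redirect_target` relied on, while the route match itself never looks at the host part of the target, and a legitimate `next` carrying a query string or fragment will never match a rule and silently falls back to the endpoint. I would keep `is_safe_url(target)` in the condition, route-match only the path component, and reject rather than truncate a target that lacks the expected prefix (if `remove_prefix` stays, `return text` on mismatch is the conventional contract for that name). The `web.py` hunk is only the matching call-site update.
```python
def redirect_back(endpoint, **values):
    target = request.form.get('next', None) or url_for(endpoint, **values)
    # Route-match only the path: a query string or fragment in 'next' never matches a rule.
    path = urlparse(target).path
    script_name = request.environ.get('HTTP_X_SCRIPT_NAME', "")
    if script_name:
        # Reject (do not truncate to "") a target that is not under the configured prefix.
        path = path[len(script_name):] if path.startswith(script_name) else None
    adapter = current_app.url_map.bind(urlparse(request.host_url).netloc)
    # Same-host check plus "is this a real route of ours"; either failing falls back to the endpoint.
    if not is_safe_url(target) or not path or not adapter.allowed_methods(path):
        target = url_for(endpoint, **values)
    return redirect(target)
```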
diff --git a/test/Calibre-Web TestSummary_Linux.html b/test/Calibre-Web TestSummary_Linux.html index 031ba52c..49fa93ef 100644 --- a/test/Calibre-Web TestSummary_Linux.html +++ b/test/Calibre-Web TestSummary_Linux.html @@ -37,20 +37,20 @@
-

Start Time: 2024-02-10 19:51:08

+

Start Time: 2024-02-11 21:14:02

-

Stop Time: 2024-02-11 02:37:31

+

Stop Time: 2024-02-12 04:05:52

-

Duration: 5h 36 min

+

Duration: 5h 42 min

@@ -234,12 +234,12 @@ - + TestBackupMetadata 21 - 16 + 20 + 1 0 - 5 0 Detail @@ -383,233 +383,76 @@ - +
TestBackupMetadata - test_backup_change_custom_date
+ +
+ FAIL +
+ + + + + + + + + + +
TestBackupMetadata - test_backup_change_custom_float
+ PASS - - -
TestBackupMetadata - test_backup_change_custom_float
- - -
- ERROR -
- - - - - - - - - +
TestBackupMetadata - test_backup_change_custom_int
- -
- ERROR -
- - - - + PASS - +
TestBackupMetadata - test_backup_change_custom_rating
- -
- ERROR -
- - - - + PASS - +
TestBackupMetadata - test_backup_change_custom_text
- -
- ERROR -
- - - - + PASS - +
TestBackupMetadata - test_upload_book
- -
- ERROR -
- - - - - - - - - - - _ErrorHolder - 1 - 0 - 0 - 1 - 0 - - Detail - - - - - - - -
tearDownClass (test_backup_metadata)
- - -
- ERROR -
- - - - + PASS @@ -623,13 +466,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestBackupMetadataGdrive - test_backup_gdrive
@@ -647,13 +490,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestCli - test_already_started
@@ -662,7 +505,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_bind_to_single_interface
@@ -671,7 +514,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_change_password
@@ -680,7 +523,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_cli_SSL_files
@@ -689,7 +532,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_cli_different_folder
@@ -698,7 +541,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_cli_different_settings_database
@@ -707,7 +550,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_dryrun_update
@@ -716,7 +559,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_enable_reconnect
@@ -725,7 +568,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_environ_port_setting
@@ -734,7 +577,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_logfile
@@ -743,7 +586,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_no_database
@@ -752,7 +595,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_settingsdb_not_writeable
@@ -761,7 +604,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCli - test_writeonly_static_files
@@ -779,13 +622,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestCliGdrivedb - test_cli_gdrive_folder
@@ -794,7 +637,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCliGdrivedb - test_cli_gdrive_location
@@ -803,7 +646,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCliGdrivedb - test_gdrive_db_nonwrite
@@ -812,7 +655,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCliGdrivedb - test_no_database
@@ -830,13 +673,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestCoverEditBooks - test_invalid_jpg_hdd
@@ -845,7 +688,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestCoverEditBooks - test_upload_jpg
@@ -863,13 +706,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestDeleteDatabase - test_delete_books_in_database
@@ -887,13 +730,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestEbookConvertCalibre - test_calibre_log
@@ -902,7 +745,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_deactivate
@@ -911,7 +754,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_email
@@ -920,7 +763,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_failed_and_email
@@ -929,7 +772,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_only
@@ -938,7 +781,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_options
@@ -947,7 +790,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_parameter
@@ -956,7 +799,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_wrong_excecutable
@@ -965,7 +808,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_convert_xss
@@ -974,7 +817,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_email_failed
@@ -983,7 +826,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_email_only
@@ -992,7 +835,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_kindle_send_not_configured
@@ -1001,7 +844,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_ssl_smtp_setup_error
@@ -1010,7 +853,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_starttls_smtp_setup_error
@@ -1019,7 +862,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibre - test_user_convert_xss
@@ -1037,13 +880,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestEbookConvertCalibreGDrive - test_convert_email
@@ -1052,7 +895,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibreGDrive - test_convert_failed_and_email
@@ -1061,7 +904,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibreGDrive - test_convert_only
@@ -1070,7 +913,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibreGDrive - test_convert_parameter
@@ -1079,7 +922,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibreGDrive - test_email_failed
@@ -1088,7 +931,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertCalibreGDrive - test_email_only
@@ -1106,13 +949,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestEbookConvertKepubify - test_convert_deactivate
@@ -1121,7 +964,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertKepubify - test_convert_only
@@ -1130,7 +973,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertKepubify - test_convert_wrong_excecutable
@@ -1148,13 +991,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 0 - Detail + Detail - +
TestEbookConvertGDriveKepubify - test_convert_deactivate
@@ -1163,7 +1006,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertGDriveKepubify - test_convert_only
@@ -1172,7 +1015,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEbookConvertGDriveKepubify - test_convert_wrong_excecutable
@@ -1190,13 +1033,13 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. 0 2 - Detail + Detail - +
TestEditAdditionalBooks - test_cbz_comicinfo
@@ -1205,7 +1048,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_change_upload_formats
@@ -1214,7 +1057,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_delete_book
@@ -1223,7 +1066,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_delete_role
@@ -1232,7 +1075,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_details_popup
@@ -1241,7 +1084,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_edit_book_identifier
@@ -1250,7 +1093,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_edit_book_identifier_capital
@@ -1259,7 +1102,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_edit_book_identifier_standard
@@ -1268,7 +1111,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_edit_special_book_identifier
@@ -1277,7 +1120,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_title_sort
@@ -1286,7 +1129,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_upload_cbz_coverformats
@@ -1295,7 +1138,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_upload_edit_role
@@ -1304,7 +1147,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_upload_metadata_cb7
@@ -1313,7 +1156,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_upload_metadata_cbr
@@ -1322,7 +1165,7 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_upload_metadata_cbt
@@ -1331,19 +1174,19 @@ receiveMessage@chrome://remote/content/marionette/actors/MarionetteEventsParent. - +
TestEditAdditionalBooks - test_writeonly_calibre_database
- SKIP + SKIP
-