misc: reject autocomplete requests to empty URL (#40378)
parent
9e11f47074
commit
ec3370d6c7
|
@ -5746,6 +5746,26 @@ remote.example.net = 1234
|
|||
resp = resp.form.submit('submit') # -> submit
|
||||
assert formdef.data_class().select()[0].data['0'] is None
|
||||
|
||||
# check there's no crash if url is empty
|
||||
data_source.data_source = {'type': 'json', 'value': '{% if 0 %}http://remote.example.net/json{% endif %}'}
|
||||
data_source.store()
|
||||
|
||||
app = get_app(pub)
|
||||
with mock.patch('wcs.qommon.misc.urlopen') as urlopen:
|
||||
data = {'data': [{'id': '1', 'text': 'hello', 'extra': 'foo'},
|
||||
{'id': '2', 'text': 'world', 'extra': 'bar'}]}
|
||||
urlopen.side_effect = lambda *args: StringIO(json.dumps(data))
|
||||
resp = app.get('/test/')
|
||||
assert urlopen.call_count == 0
|
||||
pq = resp.pyquery.remove_namespaces()
|
||||
select2_url = pq('select').attr['data-select2-url']
|
||||
|
||||
with mock.patch('wcs.qommon.misc.urlopen') as urlopen:
|
||||
data = {'data': [{'id': '1', 'text': 'hello', 'extra': 'foo'}]}
|
||||
urlopen.side_effect = lambda *args: StringIO(json.dumps(data))
|
||||
resp2 = app.get(select2_url + '?q=hell', status=403)
|
||||
assert urlopen.call_count == 0
|
||||
|
||||
|
||||
def test_item_field_autocomplete_jsonp_source(http_requests, pub):
|
||||
user = create_user(pub)
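Review bot: The second `with mock.patch('wcs.qommon.misc.urlopen')` block has no comment saying what it pins, and the leading `# check there's no crash if url is empty` only describes the page render. I would add `# the autocomplete endpoint must answer 403 and never contact the remote source` above it, since that is the behaviour that stops a blank data source URL from triggering a server-side request. `resp2` is assigned and never read, so `app.get(select2_url + '?q=hell', status=403)` is enough. The enclosing test function starts above the hunk.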
|
||||
|
|
|
@ -340,6 +340,8 @@ class NamedDataSource(XmlStorableObject):
|
|||
if Template.is_template_string(url):
|
||||
vars = get_publisher().substitutions.get_context_variables(mode='lazy')
|
||||
url = get_variadic_url(url, vars)
|
||||
if not url:
|
||||
return ''
|
||||
if not '?' in url:
|
||||
url += '?' + self.query_parameter + '='
|
||||
else:
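Review bot: The new guard `if not url:` catches only an exactly empty string, so a template that renders to whitespace (for instance an `{% if %}` block written across several lines) would still get the query parameter appended and be passed on as a URL, unless `get_variadic_url` already strips its result, which is not visible here. `if not url or not url.strip():` would cover that case. The page has lost indentation, so it cannot be told whether the guard sits inside the `Template.is_template_string(url)` branch or after it; placed after it, the guard would also cover a data source whose configured value is blank. The method starts and ends outside the hunk, and the caller that turns `''` into the 403 seen in the test is not shown.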
|
||||
|
|