lazr.restful

Merge lp:~leonardr/lazr.restful/invalid-uri into lp:lazr.restful

invalid-uri
Merge into trunk

Proposed by Leonard Richardson on 2010-09-27

Status:	Merged
Approved by:	Aaron Bentley on 2010-09-27
Approved revision:	148
Merged at revision:	148
Proposed branch:	lp:~leonardr/lazr.restful/invalid-uri
Merge into:	lp:lazr.restful
Diff against target:	66 lines (+26/-4) 3 files modified src/lazr/restful/example/base/tests/redirect.txt (+8/-0) src/lazr/restful/example/base/traversal.py (+5/-0) src/lazr/restful/publisher.py (+13/-4)
To merge this branch:	bzr merge lp:~leonardr/lazr.restful/invalid-uri
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Aaron Bentley (community)		2010-09-27	Approve on 2010-09-27
Review via email: mp+36759@code.launchpad.net

Description of the change

This branch fixes bug 535078.

Let's say you access a web service page by making an Ajax call with your web browser. Let's say the underlying application redirects you to some other page. And let's say the Location header contains invalid characters like {} or [].

Without this branch, lazr.restful will try to parse the URL in that location header using lazr.uri, and lazr.uri will choke on the invalid characters. But it's really none of lazr.restful's business whether the Location header contains invalid characters. This branch changes lazr.restful to use urllib to parse the Location header instead of the more picky lazr.uri library.

Revision history for this message

Leonard Richardson (leonardr) wrote on 2010-09-27:

In most cases, a browser that follows the Location header will get a 404 error or some other error, because invalid characters in URLs usually mean something's wrong. But, again, it's not lazr.restful's job to raise an exception at this point. With this branch, the error is more likely to be comprehensible to the client.

Revision history for this message

Aaron Bentley (abentley) on 2010-09-27:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Gary Poster

Launchpad code reviewers from Canonical

Leonard Richardson

 === modified file 'src/lazr/restful/example/base/tests/redirect.txt'
 --- src/lazr/restful/example/base/tests/redirect.txt	2009-04-02 15:44:00 +0000
 +++ src/lazr/restful/example/base/tests/redirect.txt	2010-09-27 17:12:45 +0000
@@ -34,3 +34,11 @@
      Location: http://.../cookbooks/Mastering%20the%20Art%20of%20French%20Cooking?ws.accept=application/json
      ...
++The redirect works even if the redirect URI contains characters not
++valid in URIs. In this case, the redirect is to a URL that contains
++curly braces (see traversal.py for details).
++
++    >>> print ajax.get("/cookbooks/featured-invalid")
++    HTTP/1.1 301 Moved Permanently
++    ...
++    Location: http://.../Mastering%20the%20Art%20of%20French%20Cooking{invalid}?ws.accept=application/json
 === modified file 'src/lazr/restful/example/base/traversal.py'
 --- src/lazr/restful/example/base/traversal.py	2009-09-03 14:04:03 +0000
 +++ src/lazr/restful/example/base/traversal.py	2010-09-27 17:12:45 +0000
@@ -67,6 +67,11 @@
          if name == 'featured':
              url = absoluteURL(self.context.featured, request)
              return RedirectResource(url, request)
++        elif name == 'featured-invalid':
++            # This is to enable a test case in which the redirect URL
++            # contains characters not valid in URLs.
++            url = absoluteURL(self.context.featured, request) + "{invalid}"
++            return RedirectResource(url, request)
          else:
              return super(CookbookSetTraverse, self).publishTraverse(
                  request, name)
 === modified file 'src/lazr/restful/publisher.py'
 --- src/lazr/restful/publisher.py	2010-03-03 13:08:12 +0000
 +++ src/lazr/restful/publisher.py	2010-09-27 17:12:45 +0000
@@ -17,6 +17,7 @@
  import traceback
  import urllib
++import urlparse
  from zope.component import (
      adapter, getMultiAdapter, getUtility, queryAdapter, queryMultiAdapter)
@@ -189,11 +190,19 @@
                      accept = request.response.getHeader(
                          "Accept", "application/json")
                      qs_append = "ws.accept=" + urllib.quote(accept)
--                    uri = URI(location)
--                    if uri.query is None:
--                        uri.query = qs_append
++                    # We don't use the URI class because it will raise
++                    # an exception if the Location contains invalid
++                    # characters. Invalid characters may indeed be a
++                    # problem, but let the problem be handled
++                    # somewhere else.
++                    (scheme, netloc, path, query, fragment) = (
++                        urlparse.urlsplit(location))
++                    if query == '':
++                       query = qs_append
                      else:
--                        uri.query += '&' + qs_append
++                       query += '&' + qs_append
++                    uri = urlparse.urlunsplit(
++                        (scheme, netloc, path, query, fragment))
                      request.response.setHeader("Location", str(uri))
          return value

lazr.restful

Merge lp:~leonardr/lazr.restful/invalid-uri into lp:lazr.restful

Commit message

Description of the change

Preview Diff

Subscribers