[ckan-changes] [ckan/ckan] 9b9dbb: [#1532] url_for_static shouldn't work with externa...

GitHub noreply at github.com
Wed Apr 2 21:58:35 UTC 2014


  Branch: refs/heads/1532-bug-where-url-for-static-adds-leading-slash-for-absolute-urls
  Home:   https://github.com/ckan/ckan
  Commit: 9b9dbb8149f6b469278f32dcbfec9da0aef348e6
      https://github.com/ckan/ckan/commit/9b9dbb8149f6b469278f32dcbfec9da0aef348e6
  Author: Vitor Baptista <vitor at vitorbaptista.com>
  Date:   2014-04-02 (Wed, 02 Apr 2014)

  Changed paths:
    M ckan/lib/helpers.py
    M ckan/new_tests/lib/test_helpers.py

  Log Message:
  -----------
  [#1532] url_for_static shouldn't work with external URLs. Revert f50a3b.

url_for_static shouldn't allow urls that aren't served in CKAN's static folder,
as this might lead to CSRF vulnerabilities if used with non-escaped user input.


  Commit: 4d18dde8aacc4f7ef80c880811f583c0d1a36e1a
      https://github.com/ckan/ckan/commit/4d18dde8aacc4f7ef80c880811f583c0d1a36e1a
  Author: Vitor Baptista <vitor at vitorbaptista.com>
  Date:   2014-04-02 (Wed, 02 Apr 2014)

  Changed paths:
    M ckan/config/environment.py
    M ckan/lib/extract.py
    M ckan/lib/helpers.py
    M ckan/lib/jinja_extensions.py
    M ckan/new_tests/lib/test_helpers.py
    M ckan/templates/header.html
    M ckan/templates_legacy/layout_base.html
    M ckan/templates_legacy/snippets/data-viewer-embed-branded-link.html
    M doc/contributing/frontend/templating.rst

  Log Message:
  -----------
  [#1532] url_for_static doesn't accept external URLs and create url_for_static_or_external

The intent of the developer when using url_for_static() is to get the URL for
something that's served in the static folder inside CKAN. It should fail if
called with an external URL. This avoids a possible CSRF vulnerability, if we
allow user-provided input into url_for_static().

For the case when we want to either accept a static object's URL or an external
URL, for example when setting up the g.site_logo, I wrote the
url_for_static_or_external method. This makes it clearer what the user accepts.


Compare: https://github.com/ckan/ckan/compare/f50a3b2ee569...4d18dde8aacc
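The two commit messages above describe an API split: a helper that only ever builds URLs under the site's static folder and refuses anything that would point off-site, and a separately named helper for the few call sites (the site_logo setting) that legitimately accept either form. The following is an added example of that split, written for this page; it is not CKAN's code, and the module name, `STATIC_PREFIX`, `ExternalUrlError` and `is_external` are hypothetical. The "external" check here is my own: it treats any value with a scheme (`http:`, `javascript:`, `data:`), a host part, or a protocol-relative prefix (`//host/...`, including the backslash spellings browsers normalise to slashes) as external, since any of those in a user-supplied value would let an `<img src>` or `<script src>` built from it reference another origin.

```python
"""Added illustration of the url_for_static / url_for_static_or_external split.

Not CKAN's code: STATIC_PREFIX, ExternalUrlError and is_external are
hypothetical names chosen for this example.
"""
from urllib.parse import urlparse

# Hypothetical mount point for the static folder (not CKAN's real setting).
STATIC_PREFIX = "/base"


class ExternalUrlError(ValueError):
    """Raised when url_for_static() is handed something that is not a static path."""


def is_external(url: str) -> bool:
    """Return True for any value that could send the browser off-site.

    Catches an explicit scheme (http:, https:, javascript:, data:), a host
    part, and protocol-relative forms ('//host/...'), including the backslash
    variants that browsers normalise to forward slashes.
    """
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc:
        return True
    return url.startswith(("//", "\\\\", "/\\", "\\/"))


def url_for_static(path: str) -> str:
    """Build a URL for a file inside the static folder.

    Refuses external URLs outright instead of silently prefixing them, so a
    user-controlled value (a config option, a form field) cannot make the
    resulting <img src> or <script src> point at another origin.
    """
    if is_external(path):
        raise ExternalUrlError(f"not a static path: {path!r}")
    return f"{STATIC_PREFIX}/{path.lstrip('/')}"


def url_for_static_or_external(url: str) -> str:
    """Accept either a static path or a full external URL (the site_logo case).

    The name makes the permissive behaviour explicit at the call site. The
    external branch returns the value unchanged, so the template rendering it
    must still HTML-escape it as usual.
    """
    if is_external(url):
        return url
    return url_for_static(url)


def demo() -> dict:
    """Run both helpers over constructed sample inputs and return the outcomes.

    Each value maps to ("static", url) when url_for_static accepts it, or to
    ("rejected", url) showing what the permissive helper would return instead.
    """
    results = {}
    # Constructed inputs: one genuine static path, one CDN logo URL, and two
    # values an attacker could smuggle into a config option or form field.
    for value in ("/images/ckan.png", "http://cdn.example.org/logo.png",
                  "//evil.example/x.js", "javascript:alert(1)"):
        try:
            results[value] = ("static", url_for_static(value))
        except ExternalUrlError:
            results[value] = ("rejected", url_for_static_or_external(value))
    return results


if __name__ == "__main__":
    for value, (verdict, url) in demo().items():
        print(f"{verdict:8} {value!r:40} -> {url!r}")
```

The point of raising rather than returning the value unchanged is that a template author who reaches for `url_for_static` gets a loud failure in development the moment a non-static value flows in, instead of a page that quietly serves an attacker-chosen script; the permissive helper exists only where that behaviour is wanted and is named so reviewers can grep for it.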

