[checkmk-commits] Fixed processing of HTTP vars with equal sign in name

Module: check_mk Branch: master Commit: a9bd04fa333a16e3f48cac42b22b0d7cd1d0da30 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a9bd04fa333a16… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Oct 22 08:10:43 2019 +0200 Fixed processing of HTTP vars with equal sign in name This issue was introduced during some internal cleanups where the valid characters for variable names have been made stricter. This disallowed base64 encoded parts in the names which is now possible again. This is used at least on the user edit dialog and the service discovery page. Change-Id: Ia896b7f9a88f91bce806ff178d9a13744339b6a9 --- cmk/gui/http.py | 2 +- tests/unit/cmk/gui/test_http.py | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/cmk/gui/http.py b/cmk/gui/http.py index 9d98f90..cd30716 100644 --- a/cmk/gui/http.py +++ b/cmk/gui/http.py @@ -83,7 +83,7 @@ class Request(object): # alphanumeric characters plus any character from set('%*+-._'), which is probably still a # bit too broad. We should really figure out what we need and make sure that we only use # that restricted set. - varname_regex = re.compile(r'^[\w.%*+-]+$') + varname_regex = re.compile(r'^[\w.%*+=-]+$') for field in fields.list: varname = field.name diff --git a/tests/unit/cmk/gui/test_http.py b/tests/unit/cmk/gui/test_http.py index 196175d..bcf03d0 100644 --- a/tests/unit/cmk/gui/test_http.py +++ b/tests/unit/cmk/gui/test_http.py @@ -2,11 +2,27 @@ # encoding: utf-8 import time +import io import cmk.gui.http as http from cmk.gui.globals import html +def test_http_request_allowed_vars(): + wsgi_environ = { + # Please note: This is no complete WSGI environment + "REQUEST_METHOD" : "POST", + # Contains a variable that has a base64 coded value in it's name. This + # is done for example on the service discovery page or on the user + # editing page. + "wsgi.input" : io.BytesIO("asd=x&_Y21rYWRtaW4%3D=aaa"), + "SCRIPT_NAME" : "", + "REQUEST_URI" : "", + } + req = http.Request(wsgi_environ) + assert req.var("asd") == "x" + assert req.var("_Y21rYWRtaW4=") == "aaa" + def test_cookie_handling(register_builtin_html, monkeypatch): monkeypatch.setattr(html.request, "cookies", {"cookie1": {"key": "1a"}}) assert html.request.get_cookie_names() == ["cookie1"]