Module: check_mk
Branch: master
Commit: 92cafff4781ed3dcc455375e67f2107e7ddeaaa1
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=92cafff4781ed3…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Oct 1 20:06:39 2018 +0200
Improved validation of urls retrieved from HTTP vars
Change-Id: Id82bb76e70c51bb5d326eb94b16cc7ae45cfb399
---
cmk/gui/dashboard.py | 8 ++++----
cmk/gui/notifications.py | 2 +-
cmk/gui/pagetypes.py | 2 +-
cmk/gui/plugins/views/icons/wato.py | 2 +-
cmk/gui/plugins/wato/background_job.py | 2 +-
cmk/gui/valuespec.py | 2 +-
cmk/gui/wato/__init__.py | 10 +++++-----
7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/cmk/gui/dashboard.py b/cmk/gui/dashboard.py
index cce3321..e0e888f 100644
--- a/cmk/gui/dashboard.py
+++ b/cmk/gui/dashboard.py
@@ -1020,7 +1020,7 @@ def choose_view(name):
html.header(_('Create Dashlet from existing View'),
stylesheets=["pages"])
html.begin_context_buttons()
- back_url = html.var("back", "dashboard.py?edit=1&name=%s" %
html.urlencode(html.var('name')))
+ back_url = html.get_url_input("back",
"dashboard.py?edit=1&name=%s" % html.urlencode(html.var('name')))
html.context_button(_("Back"), back_url, "back")
html.end_context_buttons()
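Review bot: The fallback on the added line re-reads the dashboard name from the request, `html.urlencode(html.var('name'))`, although the hunk header shows choose_view already receives it as the `name` parameter; if the var is absent, the encoded fallback presumably ends up as `name=None` (html.var's missing-value result is not visible here). Using the parameter, `"dashboard.py?edit=1&name=%s" % html.urlencode(name)`, avoids the second lookup and keeps the fallback consistent with the value the rest of the function works on, assuming both carry the same value. Note also that the fallback is computed eagerly even when `back` is present, so a bad name affects the default regardless of the validated var. choose_view's body continues outside the hunk.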
@@ -1129,8 +1129,8 @@ def page_edit_dashlet():
html.header(title, stylesheets=["pages","views"])
html.begin_context_buttons()
- back_url = html.var('back', 'dashboard.py?name=%s&edit=1' %
board)
- next_url = html.var('next', back_url)
+ back_url = html.get_url_input('back',
'dashboard.py?name=%s&edit=1' % board)
+ next_url = html.get_url_input('next', back_url)
html.context_button(_('Back'), back_url, 'back')
html.context_button(_('All Dashboards'), 'edit_dashboards.py',
'dashboard')
html.end_context_buttons()
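Review bot: The fallback URL on the first added line interpolates `board` without encoding, `'dashboard.py?name=%s&edit=1' % board`, whereas the sibling fallback in choose_view runs the name through html.urlencode; page_delete_dashlet's fallback in the next hunk has the same shape. `board` is assigned outside this hunk, so this is inferred, but if it originates from a request var a value containing `&` or `#` would rewrite the fallback's query string, and whether get_url_input also checks the default it is handed is not visible here. Suggest `'dashboard.py?name=%s&edit=1' % html.urlencode(board)` in both places so the server-built default is at least as well-formed as the validated `back` var. page_edit_dashlet's body continues outside the hunk.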
@@ -1283,7 +1283,7 @@ def page_delete_dashlet():
html.header(_('Confirm Dashlet Deletion'),
stylesheets=["pages","views"])
html.begin_context_buttons()
- back_url = html.var('back', 'dashboard.py?name=%s&edit=1' %
board)
+ back_url = html.get_url_input('back',
'dashboard.py?name=%s&edit=1' % board)
html.context_button(_('Back'), back_url, 'back')
html.end_context_buttons()
diff --git a/cmk/gui/notifications.py b/cmk/gui/notifications.py
index dea72eb..9dca5b7 100644
--- a/cmk/gui/notifications.py
+++ b/cmk/gui/notifications.py
@@ -196,7 +196,7 @@ def page_clear():
else:
acktime = float(acktime)
- prev_url = html.var('prev_url')
+ prev_url = html.get_url_input('prev_url')
if html.var('_confirm'):
acknowledge_failed_notifications(acktime)
html.reload_sidebar()
diff --git a/cmk/gui/pagetypes.py b/cmk/gui/pagetypes.py
index daffe1d..2c6d75d 100644
--- a/cmk/gui/pagetypes.py
+++ b/cmk/gui/pagetypes.py
@@ -1043,7 +1043,7 @@ class Overridable(Base):
# Page for editing an existing page, or creating a new one
@classmethod
def page_edit(cls):
- back_url = html.var("back", cls.list_url())
+ back_url = html.get_url_input("back", cls.list_url())
cls.load()
cls.need_overriding_permission("edit")
diff --git a/cmk/gui/plugins/views/icons/wato.py b/cmk/gui/plugins/views/icons/wato.py
index e3e4ecb..62e7d9f 100644
--- a/cmk/gui/plugins/views/icons/wato.py
+++ b/cmk/gui/plugins/views/icons/wato.py
@@ -123,7 +123,7 @@ def paint_download_host_info(what, row, tags, host_custom_vars, ty):
# When the download icon is part of the host/service action menu, then
# the _back_url set in paint_action_menu() needs to be used. Otherwise
# html.makeuri([]) (not html.requested_uri()) is the right choice.
- back_url = html.var("_back_url", html.makeuri([]))
+ back_url = html.get_url_input("_back_url", html.makeuri([]))
if back_url:
params.append(("back_url", back_url))
diff --git a/cmk/gui/plugins/wato/background_job.py
b/cmk/gui/plugins/wato/background_job.py
index 1f9f4b7..6f68ec5 100644
--- a/cmk/gui/plugins/wato/background_job.py
+++ b/cmk/gui/plugins/wato/background_job.py
@@ -111,7 +111,7 @@ class ModeBackgroundJobDetails(WatoMode):
def _back_url(self):
- return html.var("back_url")
+ return html.get_url_input("back_url")
def page(self):
diff --git a/cmk/gui/valuespec.py b/cmk/gui/valuespec.py
index 434520c..cc1bd32 100644
--- a/cmk/gui/valuespec.py
+++ b/cmk/gui/valuespec.py
@@ -4349,7 +4349,7 @@ class IconSelector(ValueSpec):
import cmk.gui.config as config # FIXME: Clean this up. But how?
if config.user.may('wato.icons'):
- back_param = '&back='+html.urlencode(html.var('back')) if
html.has_var('back') else ''
+ back_param =
'&back='+html.urlencode(html.get_url_input('back')) if
html.has_var('back') else ''
html.buttonlink('wato.py?mode=icons' + back_param,
_('Manage'))
html.close_div()
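Review bot: The added `back_param` conditional expression packs the has_var guard, the get_url_input call, the urlencode and the string concatenation into one long line, which is why the patch had to wrap it; a plain statement reads more easily and keeps the validation call visible on its own line: `back_param = ''` / `if html.has_var('back'):` / `    back_param = '&back=' + html.urlencode(html.get_url_input('back'))`. Behavior is unchanged, including the case where `back` is present but rejected by get_url_input (what it does with an invalid value is not visible here). The enclosing IconSelector method starts outside the hunk.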
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index fca9605..5044f4a 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -1230,7 +1230,7 @@ class ModeAjaxPopupMoveToFolder(WatoWebApiMode):
self._ident = html.var("ident")
- self._back_url = html.var("back_url")
+ self._back_url = html.get_url_input("back_url")
if not self._back_url or not self._back_url.startswith("wato.py"):
raise MKUserError("back_url", _("Invalid back URL
provided."))
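Review bot: The existing `startswith("wato.py")` check directly after the added line is now a second, stricter layer on top of get_url_input, and a reader may assume it became redundant and drop it; a one-line comment would preserve the intent: `# Stricter than get_url_input: the move-to-folder popup must return to a WATO page`. Whether the extra check is still required depends on what get_url_input rejects, which is not visible in this diff, so keeping it is the safe choice. AgentOutputPage in the next hunk stores `back_url` with no such narrowing; whether it needs one depends on how the value is used outside that hunk.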
@@ -12635,7 +12635,7 @@ class AgentOutputPage(object):
raise MKGeneralException(_("Invalid type specified."))
self._ty = ty
- self._back_url = html.var("back_url")
+ self._back_url = html.get_url_input("back_url")
init_wato_datastructures(with_wato_lock=True)
@@ -13505,8 +13505,8 @@ class ModeCheckManPage(WatoMode):
def buttons(self):
global_buttons()
- if html.var("back"):
- back_url = html.var("back")
+ if html.has_var("back"):
+ back_url = html.get_url_input("back")
html.context_button(_("Back"), back_url, "back")
html.context_button(_("All Check Plugins"),
html.makeuri_contextless([("mode", "check_plugins")]),
"check_plugins")
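Review bot: Replacing `if html.var("back"):` with `if html.has_var("back"):` changes which requests get a Back button: has_var is true for an empty `back=` as well, so the new code then passes whatever get_url_input returns for an empty value to html.context_button, whereas the old truthiness test skipped it (unless get_url_input itself rejects an empty value, which is not visible here). ModeIcons.buttons in the following hunk keeps the truthiness form on the validated result; the same shape here, `back_url = html.get_url_input("back")` / `if back_url:` / `    html.context_button(_("Back"), back_url, "back")`, restores the old behavior and keeps the two buttons() methods consistent. ModeCheckManPage.buttons may continue past the end of the hunk.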
@@ -13621,7 +13621,7 @@ class ModeIcons(WatoMode):
def buttons(self):
- back_url = html.var("back")
+ back_url = html.get_url_input("back")
if back_url:
html.context_button(_("Back"), back_url, "back")
else: