[checkmk-commits] Improved validation of urls retrieved from HTTP vars

Module: check_mk Branch: master Commit: 92cafff4781ed3dcc455375e67f2107e7ddeaaa1 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=92cafff4781ed3… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Oct 1 20:06:39 2018 +0200 Improved validation of urls retrieved from HTTP vars Change-Id: Id82bb76e70c51bb5d326eb94b16cc7ae45cfb399 --- cmk/gui/dashboard.py | 8 ++++---- cmk/gui/notifications.py | 2 +- cmk/gui/pagetypes.py | 2 +- cmk/gui/plugins/views/icons/wato.py | 2 +- cmk/gui/plugins/wato/background_job.py | 2 +- cmk/gui/valuespec.py | 2 +- cmk/gui/wato/__init__.py | 10 +++++----- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/cmk/gui/dashboard.py b/cmk/gui/dashboard.py index cce3321..e0e888f 100644 --- a/cmk/gui/dashboard.py +++ b/cmk/gui/dashboard.py @@ -1020,7 +1020,7 @@ def choose_view(name): html.header(_('Create Dashlet from existing View'), stylesheets=["pages"]) html.begin_context_buttons() - back_url = html.var("back", "dashboard.py?edit=1&name=%s" % html.urlencode(html.var('name'))) + back_url = html.get_url_input("back", "dashboard.py?edit=1&name=%s" % html.urlencode(html.var('name'))) html.context_button(_("Back"), back_url, "back") html.end_context_buttons() @@ -1129,8 +1129,8 @@ def page_edit_dashlet(): html.header(title, stylesheets=["pages","views"]) html.begin_context_buttons() - back_url = html.var('back', 'dashboard.py?name=%s&edit=1' % board) - next_url = html.var('next', back_url) + back_url = html.get_url_input('back', 'dashboard.py?name=%s&edit=1' % board) + next_url = html.get_url_input('next', back_url) html.context_button(_('Back'), back_url, 'back') html.context_button(_('All Dashboards'), 'edit_dashboards.py', 'dashboard') html.end_context_buttons() @@ -1283,7 +1283,7 @@ def page_delete_dashlet(): html.header(_('Confirm Dashlet Deletion'), stylesheets=["pages","views"]) html.begin_context_buttons() - back_url = html.var('back', 'dashboard.py?name=%s&edit=1' % board) + back_url = html.get_url_input('back', 'dashboard.py?name=%s&edit=1' % board) html.context_button(_('Back'), back_url, 'back') html.end_context_buttons() diff --git a/cmk/gui/notifications.py b/cmk/gui/notifications.py index dea72eb..9dca5b7 100644 --- a/cmk/gui/notifications.py +++ b/cmk/gui/notifications.py @@ -196,7 +196,7 @@ def page_clear(): else: acktime = float(acktime) - prev_url = html.var('prev_url') + prev_url = html.get_url_input('prev_url') if html.var('_confirm'): acknowledge_failed_notifications(acktime) html.reload_sidebar() diff --git a/cmk/gui/pagetypes.py b/cmk/gui/pagetypes.py index daffe1d..2c6d75d 100644 --- a/cmk/gui/pagetypes.py +++ b/cmk/gui/pagetypes.py @@ -1043,7 +1043,7 @@ class Overridable(Base): # Page for editing an existing page, or creating a new one @classmethod def page_edit(cls): - back_url = html.var("back", cls.list_url()) + back_url = html.get_url_input("back", cls.list_url()) cls.load() cls.need_overriding_permission("edit") diff --git a/cmk/gui/plugins/views/icons/wato.py b/cmk/gui/plugins/views/icons/wato.py index e3e4ecb..62e7d9f 100644 --- a/cmk/gui/plugins/views/icons/wato.py +++ b/cmk/gui/plugins/views/icons/wato.py @@ -123,7 +123,7 @@ def paint_download_host_info(what, row, tags, host_custom_vars, ty): # When the download icon is part of the host/service action menu, then # the _back_url set in paint_action_menu() needs to be used. Otherwise # html.makeuri([]) (not html.requested_uri()) is the right choice. - back_url = html.var("_back_url", html.makeuri([])) + back_url = html.get_url_input("_back_url", html.makeuri([])) if back_url: params.append(("back_url", back_url)) diff --git a/cmk/gui/plugins/wato/background_job.py b/cmk/gui/plugins/wato/background_job.py index 1f9f4b7..6f68ec5 100644 --- a/cmk/gui/plugins/wato/background_job.py +++ b/cmk/gui/plugins/wato/background_job.py @@ -111,7 +111,7 @@ class ModeBackgroundJobDetails(WatoMode): def _back_url(self): - return html.var("back_url") + return html.get_url_input("back_url") def page(self): diff --git a/cmk/gui/valuespec.py b/cmk/gui/valuespec.py index 434520c..cc1bd32 100644 --- a/cmk/gui/valuespec.py +++ b/cmk/gui/valuespec.py @@ -4349,7 +4349,7 @@ class IconSelector(ValueSpec): import cmk.gui.config as config # FIXME: Clean this up. But how? if config.user.may('wato.icons'): - back_param = '&back='+html.urlencode(html.var('back')) if html.has_var('back') else '' + back_param = '&back='+html.urlencode(html.get_url_input('back')) if html.has_var('back') else '' html.buttonlink('wato.py?mode=icons' + back_param, _('Manage')) html.close_div() diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py index fca9605..5044f4a 100644 --- a/cmk/gui/wato/__init__.py +++ b/cmk/gui/wato/__init__.py @@ -1230,7 +1230,7 @@ class ModeAjaxPopupMoveToFolder(WatoWebApiMode): self._ident = html.var("ident") - self._back_url = html.var("back_url") + self._back_url = html.get_url_input("back_url") if not self._back_url or not self._back_url.startswith("wato.py"): raise MKUserError("back_url", _("Invalid back URL provided.")) @@ -12635,7 +12635,7 @@ class AgentOutputPage(object): raise MKGeneralException(_("Invalid type specified.")) self._ty = ty - self._back_url = html.var("back_url") + self._back_url = html.get_url_input("back_url") init_wato_datastructures(with_wato_lock=True) @@ -13505,8 +13505,8 @@ class ModeCheckManPage(WatoMode): def buttons(self): global_buttons() - if html.var("back"): - back_url = html.var("back") + if html.has_var("back"): + back_url = html.get_url_input("back") html.context_button(_("Back"), back_url, "back") html.context_button(_("All Check Plugins"), html.makeuri_contextless([("mode", "check_plugins")]), "check_plugins") @@ -13621,7 +13621,7 @@ class ModeIcons(WatoMode): def buttons(self): - back_url = html.var("back") + back_url = html.get_url_input("back") if back_url: html.context_button(_("Back"), back_url, "back") else: