Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tighten down the ZMI frame source logic to only allow site-local sources #1151

Merged
merged 3 commits into from
Sep 11, 2023
Merged

Tighten down the ZMI frame source logic to only allow site-local sources #1151

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
94b341b
- Tighten down the ZMI frame source logic to only allow site-local so…
dataflake Sep 9, 2023
e5f28fd
- lint fixes
dataflake Sep 9, 2023
1651703
Merge branch 'master' into dataflake/zmi_came_from
dataflake Sep 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions CHANGES.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,10 @@ The change log for the previous version, Zope 4, is at
https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst


5.9 (unreleased)
----------------
5.8.5 (unreleased)
------------------

- Tighten down the ZMI frame source logic to only allow site-local sources.

- Update to newest compatible versions of dependencies.

Expand Down
2 changes: 1 addition & 1 deletion setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ def _read_file(filename):
README = _read_file('README.rst')
CHANGES = _read_file('CHANGES.rst')

version = '5.9.dev0'
version = '5.8.5.dev0'

setup(
name='Zope',
Expand Down
2 changes: 1 addition & 1 deletion src/App/dtml/manage.dtml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
name="manage_menu"
marginwidth="2" marginheight="2"
/>
<frame src="<dtml-var "REQUEST.get('came_from',None)!=None and REQUEST.get('came_from',None) or '%s/manage_workspace'%(REQUEST.URL1)" html_quote>"
<frame src="<dtml-var "getZMIMainFrameTarget(REQUEST)" html_quote>"
name="manage_main"
marginwidth="2" marginheight="2"
/>
Expand Down
29 changes: 29 additions & 0 deletions src/OFS/Application.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
import os
import sys
from logging import getLogger
from urllib.parse import urlparse

import Products
import transaction
Expand Down Expand Up @@ -105,6 +106,34 @@ def Redirect(self, destination, URL1):

ZopeRedirect = Redirect

@security.protected(view_management_screens)
def getZMIMainFrameTarget(self, REQUEST):
"""Utility method to get the right hand side ZMI frame source URL

For cases where JavaScript is disabled the ZMI uses a simple REQUEST
variable ``came_from`` to set the source URL for the right hand side
ZMI frame. Since this value can be manipulated by the user it must be
sanity-checked first.
"""
parent_url = REQUEST['URL1']
default = f'{parent_url}/manage_workspace'
came_from = REQUEST.get('came_from', None)

if not came_from:
return default

parsed_parent_url = urlparse(parent_url)
parsed_came_from = urlparse(came_from)

# Only allow a passed-in ``came_from`` URL if it is local (just a path)
# or if the URL scheme and hostname are the same as our own
if (not parsed_came_from.scheme and not parsed_came_from.netloc) or \
(parsed_parent_url.scheme == parsed_came_from.scheme
and parsed_parent_url.netloc == parsed_came_from.netloc):
return came_from

return default

def __bobo_traverse__(self, REQUEST, name=None):
if name is None:
# Make this more explicit, otherwise getattr(self, name)
Expand Down
38 changes: 38 additions & 0 deletions src/OFS/tests/testApplication.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,44 @@ def test_ZopeVersion(self):
self.assertEqual(app.ZopeVersion(major=True),
int(pkg_version.split('.')[0]))

def test_getZMIMainFrameTarget(self):
app = self._makeOne()

for URL1 in ('http://nohost', 'https://nohost/some/path'):
request = {'URL1': URL1}

# No came_from at all
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/manage_workspace')

# Empty came_from
request['came_from'] = ''
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/manage_workspace')
request['came_from'] = None
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/manage_workspace')

# Local (path only) came_from
request['came_from'] = '/new/path'
self.assertEqual(app.getZMIMainFrameTarget(request),
'/new/path')

# came_from URL outside our own server
request['came_from'] = 'https://www.zope.dev/index.html'
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/manage_workspace')

# came_from with wrong scheme
request['came_from'] = URL1.replace('http', 'ftp')
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/manage_workspace')

# acceptable came_from
request['came_from'] = f'{URL1}/added/path'
self.assertEqual(app.getZMIMainFrameTarget(request),
f'{URL1}/added/path')


class ApplicationPublishTests(FunctionalTestCase):

Expand Down
Loading