Commit ff6a42e4 authored by Grady Moran

Added logic which will (I think) prohibit links that lead to infinite loops or...

Added logic which will (I think) prohibit links that lead to infinite loops or otherwise cause urllib.request.urlopen to throw an error.

Note this is a slight change from the original specs. Instead of prohibiting links which link to go at any stage of redirection (e.g. consider a go link to a bit.ly link to another go link to the final page), we prohibit links which loop infinitely (regardless of whether it's through go or not) AND links which have go at the first or last redirect stage.

The urllib.request.urlopen is potentially a costly operation. In particular, if the user enters a link that times out, I think it will hang for that entire period of time. Since we now have rate limiting and have always had to manually approve users in the first place, I think the risk of this inefficiency being exploited isn't prohibitively high.

Not final; I intend to fix up the comments, make the import look like it belongs there, and get feedback on how the error should be handled.
parent b6ce94c5
Pipeline #938 failed with stage
in 8 minutes and 37 seconds
......@@ -17,6 +17,8 @@ from crispy_forms.bootstrap import StrictButton, PrependedText, Accordion, Accor
from bootstrap3_datetime.widgets import DateTimePicker
from datetime import date, datetime, timedelta
import urllib.request # this probably isn't supposed to be formatted like this
"""
The form that is used in URL creation.
"""
......@@ -26,8 +28,14 @@ class URLForm(forms.ModelForm):
def clean_target(self):
# get the entered target link
target = self.cleaned_data.get('target')
# if the entered target link leads to an infinite loop or just has some issue
# note it WILL permit links that have go in an intermediary stage... such as bit.ly -> go -> not go.
try:
final_url = urllib.request.urlopen(target).geturl()
except:
raise ValidationError("Invalid link") # right now you get a 500 error... intended?
# if the host (go.gmu.edu) is in the entered target link
if self.host in target:
if self.host in final_url or self.host in target: # not sure both logic checks necessary
raise ValidationError("You can't make a Go link to Go silly!")
else:
return target
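Review bot: `urllib.request.urlopen(target)` in `clean_target` makes the server fetch a user-supplied URL with no timeout and no restriction on scheme or destination, and the bare `except:` around it turns every failure, including programming errors, into "Invalid link". Pass an explicit `timeout=` argument, accept only `http` and `https` targets before fetching, and catch specific exceptions (for example `urllib.error.URLError` and `ValueError`) so that `ValidationError` is raised only for real fetch failures. The host test `self.host in final_url or self.host in target` is a substring match, so it also rejects URLs that only contain the host string in a path or query; comparing `urllib.parse.urlsplit(...).hostname` against `self.host` would be more precise. As rendered, the `if self.host in target:` line directly above it is already covered by the new condition. The open questions left in the comments ("intended?", "not sure both logic checks necessary") should be resolved before merge instead of staying in the code.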