Fixes #1276 Added a referer header when new issues are created #1466
Conversation
Ping @karlcow
@nj4710 Look at all my comments.
Your current pull request will not work.
webcompat/views.py (outdated)

```python
    flash(number, 'thanks')
    session.pop('show_thanks')
if 'issues/new' in request.referrer:
    flash(number, 'thanks')
```
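Review bot: `'issues/new' in request.referrer` raises a TypeError whenever the browser sends no Referer header, because `request.referrer` is then `None` (the thread's own urlparse traceback shows the same missing-header problem for the parsing variant, and calls it the most common case); guard on `request.referrer` before testing it. The substring test also accepts a Referer from any host and any URL that merely contains `issues/new` somewhere (query string, a longer path), so comparing the parsed path to `/issues/new` is the safer check.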
webcompat/views.py (outdated)

```python
if session.get('show_thanks'):
    flash(number, 'thanks')
    session.pop('show_thanks')
if 'issues/new' in request.referrer:
```
@nj4710 and sorry, I had forgotten to actually submit the review (written two days ago).
I did not understand this approach. For URL parsing, we will do something like this:

```python
from urlparse import urlparse

x = urlparse(request.referrer)  # Flask exposes the Referer header as request.referrer
if x.path == '/issues/new':
    flash(number, 'thanks')
```

For string splitting, something like this:

```python
x = request.referrer
a = x.split("/")
if 'issues' in a and 'new' in a:
    flash(number, 'thanks')
```

How do we determine which method is best for security purposes? @karlcow
@nj4710 to make code examples readable on GitHub, you need to use this syntax

(fixing your markup in your previous comment.) About

What I was saying is that we have 3 domains currently.
So the referer, when it exists, will be DOMAIN/issues/new where DOMAIN is one of the 3.

For the proposal with urlparse. This is a good proposal, but did you test it in all circumstances?

```python
>>> from urlparse import urlparse
>>> referer_url = 'https://webcompat.com/issues/new'
>>> url_path = urlparse(referer_url).path
>>> url_path.startswith('/issues/new')
True
>>> # Now let's see when request.referrer is None (most common case)
... referer_url = None
>>> url_path = urlparse(referer_url).path
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 143, in urlparse
    tuple = urlsplit(url, scheme, allow_fragments)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 182, in urlsplit
    i = url.find(':')
AttributeError: 'NoneType' object has no attribute 'find'
```

What it says is that you can't parse a URL which is
The To handle this case:

```python
if request.referrer is not None:
    x = urlparse(request.referrer)
    if x.path == '/issues/new':
        flash(number, 'thanks')
```

Please correct me if I am wrong
The
About your Python code, we are getting closer. :)

```python
>>> if not None:
...     print "here"
... else:
...     print "not here"
...
here
```

So to be more pythonic 😁

```python
if not request.referrer:
    url_path = urlparse(request.referrer).path
    if url_path == '/issues/new':
        flash(number, 'thanks')
```

But once you did that, still run the tests before sending the commit, to make sure we do not break anything. Thanks @nj4710
Shouldn't it be I ran the
@nj4710 sorry about this, but you were right about

```python
if request.referrer is not None:
    url_path = urlparse(request.referrer).path
    if url_path == '/issues/new':
        flash(number, 'thanks')
```

This is the correct way. Thanks. Could you commit the change, then rebase.
…ted and redirect to issue page
I am still not sure about functional tests. r? @karlcow

@nj4710 did you try to run them? Or did you have difficulties running them?

@karlcow I ran them. Only 62 tests ran.
so testing locally this branch. Creating an issue from the home page and I don't get the flash message. Ooops. Let's explore.

The request headers to http://localhost:5000/issues/555 (the issue I just created) are

```http
GET /issues/555 HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:5000/
Cookie: session=eyJjc3JmX3Rva2VuIjp7IiBiIjoiWm1SbVpqa3hNRGMzTm1ZeU5tRmxZamsyTVdReFpESTRObVppT0RkaE9Ua3pOVEF6T0dKbVpnPT0ifX0.C87ycQ.Spw9n6LxYC9fxa6JsZzUu4tIgtw
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

aka The previous request is our HTTP POST. The request is correct and has the correct referer

```http
POST /issues/new HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:5000/
Content-Type: multipart/form-data; boundary=---------------------------8963752337807573261063294912
Content-Length: 1392
Cookie: session=eyJjc3JmX3Rva2VuIjp7IiBiIjoiWm1SbVpqa3hNRGMzTm1ZeU5tRmxZamsyTVdReFpESTRObVppT0RkaE9Ua3pOVEF6T0dKbVpnPT0ifX0.C87ycQ.Spw9n6LxYC9fxa6JsZzUu4tIgtw
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

but the interesting part is the response from the server, which is:

```http
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 229
Location: http://localhost:5000/issues/555
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Security-Policy-Report-Only: default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' https://www.google-analytics.com https://*.githubusercontent.com data:; manifest-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://api.github.com; style-src 'self' 'unsafe-inline'; report-uri /csp-report
Server: Werkzeug/0.10.4 Python/2.7.10
Date: Tue, 11 Apr 2017 23:05:18 GMT
```

We get a weird So we could send a
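The following is an added example, not webcompat's code and not from anyone in this thread. It ties together the two points made above: the question of which referer check is safer (a parsed path comparison rather than a substring test, and one that survives a missing header instead of raising as in the urlparse traceback), and the capture just shown, where the GET for /issues/555 that follows the 302 carries the Referer of the page the form was submitted from (http://localhost:5000/), so a check for /issues/new in the issue view never matches. `ALLOWED_HOSTS`, `came_from_new_issue`, `referrer_from_raw_request` and the request texts are all mine; the three real webcompat domains are not named in the thread, so the allow-list is a placeholder.

```python
"""Added example (not webcompat's code): a Referer check that parses the
URL, is restricted to known hosts, tolerates a missing header, and is
then run against constructed requests mirroring the captures above."""
from urllib.parse import urlparse  # Python 3; 'from urlparse import urlparse' on 2.7

# Hypothetical allow-list standing in for the project's three domains.
ALLOWED_HOSTS = ("webcompat.com", "staging.webcompat.com", "localhost:5000")
NEW_ISSUE_PATH = "/issues/new"


def substring_check(referrer):
    """The substring approach from the PR, kept only for comparison."""
    return referrer is not None and "issues/new" in referrer


def came_from_new_issue(referrer):
    """True only for an http(s) Referer on an allowed host whose path is
    exactly /issues/new.  None or '' (header not sent) gives False instead
    of the AttributeError shown in the thread."""
    if not referrer:
        return False
    try:
        parts = urlparse(referrer)
    except ValueError:  # e.g. malformed IPv6 brackets in the netloc
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.netloc.lower() not in ALLOWED_HOSTS:
        return False
    # rstrip so a trailing slash ('/issues/new/') still counts as the form
    return parts.path.rstrip("/") == NEW_ISSUE_PATH


def referrer_from_raw_request(raw):
    """Return the Referer value from a raw HTTP/1.1 request head, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            return value.strip()
    return None


# Constructed requests mirroring the two captures in the thread
# (cookie, User-Agent and other headers omitted).
FORM_POST = (
    "POST /issues/new HTTP/1.1\r\n"
    "Host: localhost:5000\r\n"
    "Referer: http://localhost:5000/\r\n"
    "Content-Type: multipart/form-data; boundary=x\r\n"
    "\r\n"
)
GET_AFTER_302 = (
    "GET /issues/555 HTTP/1.1\r\n"
    "Host: localhost:5000\r\n"
    "Referer: http://localhost:5000/\r\n"
    "\r\n"
)
GET_NO_REFERER = "GET /issues/555 HTTP/1.1\r\nHost: localhost:5000\r\n\r\n"


def show_thanks_for(raw_request):
    """What a referer-based show_issue view would decide for this request."""
    return came_from_new_issue(referrer_from_raw_request(raw_request))


if __name__ == "__main__":
    for label, raw in (("form POST", FORM_POST),
                       ("GET after 302", GET_AFTER_302),
                       ("GET, no Referer", GET_NO_REFERER)):
        print(label, "->", show_thanks_for(raw))
    # Inputs where substring matching and path parsing disagree:
    for ref in ("https://attacker.example/?q=issues/new",
                "https://webcompat.com/issues/newer"):
        print(ref, substring_check(ref), came_from_new_issue(ref))
```

Both constructed requests give False, which is the behaviour observed locally: the only request whose path is /issues/new is the POST itself, and its Referer is the page that hosted the form, not /issues/new. The comparison cases show why a parsed check is preferable on its own terms: the substring test is satisfied by a foreign host with `issues/new` in its query string and by `/issues/newer`, while the parsed check is not.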
Let's explore a bit more. I modified the anonymous POST on

```python
elif form.get('submit-type') == PROXY_REPORT:
    response = report_issue(form, proxy=True).json()
    return ('Created', 201,
            {'Location': url_for('show_issue',
                                 number=response.get('number'))})
```

the HTTP response is

```http
HTTP/1.0 201 CREATED
Location: http://localhost:5000/issues/556
Content-Type: text/html; charset=utf-8
Content-Length: 7
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Security-Policy-Report-Only: default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' https://www.google-analytics.com https://*.githubusercontent.com data:; manifest-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com https://api.github.com; style-src 'self' 'unsafe-inline'; report-uri /csp-report
Server: Werkzeug/0.10.4 Python/2.7.10
Date: Wed, 12 Apr 2017 00:24:37 GMT
```

without redirection. It stays with the word
So my initial idea of using the referer was, I guess, flawed. @nj4710 I will close the PR. You did an amazing job, but there was an issue I had not foreseen. Sorry about that, but it's part of dev too: discovering things when implementing.

🔥
r? @karlcow