From 9426570b6e2bc0968accd05620164d3102bff12d Mon Sep 17 00:00:00 2001
From: David Larlet
Date: Mon, 12 Feb 2024 15:42:49 -0500
Subject: [PATCH 1/2] fix: encode the whole url parameter for OEmbed

See https://github.com/umap-project/umap/pull/1526#issuecomment-1937040472
---
 umap/templates/umap/map_detail.html | 2 +-
 umap/tests/test_map_views.py | 2 +-
 umap/views.py | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/umap/templates/umap/map_detail.html b/umap/templates/umap/map_detail.html
index 22f272c5..fd57fc8b 100644
--- a/umap/templates/umap/map_detail.html
+++ b/umap/templates/umap/map_detail.html
@@ -17,7 +17,7 @@ {% umap_js locale=locale %} {% if object.share_status != object.PUBLIC %}{% endif %} {% endblock extra_head %} {% block content %}
diff --git a/umap/tests/test_map_views.py b/umap/tests/test_map_views.py
index 2670cecf..8f0ccae3 100644
--- a/umap/tests/test_map_views.py
+++ b/umap/tests/test_map_views.py
@@ -815,6 +815,6 @@ def test_oembed_link(client, map, datalayer):
 )
 assert (
 'href="http://testserver/map/oembed/'
- f'?url=http%3A//testserver/en/map/test-map_{map.id}&format=json"'
+ f'?url=http%3A%2F%2Ftestserver%2Fen%2Fmap%2Ftest-map_{map.id}&format=json"'
 ) in response.content.decode()
 assert 'title="test map oEmbed URL" />' in response.content.decode()
diff --git a/umap/views.py b/umap/views.py
index cfdeee87..467cb36c 100644
--- a/umap/views.py
+++ b/umap/views.py
@@ -10,7 +10,7 @@
 from http.client import InvalidURL
 from io import BytesIO
 from pathlib import Path
 from urllib.error import HTTPError, URLError
-from urllib.parse import quote, urlparse
+from urllib.parse import quote, quote_plus, urlparse
 from urllib.request import Request, build_opener
 from django.conf import settings
@@ -595,8 +595,8 @@ class MapView(MapDetailMixin, PermissionsMixin, DetailView):
 context["oembed_absolute_uri"] = self.request.build_absolute_uri(
 reverse("map_oembed")
 )
- context["absolute_uri"] = self.request.build_absolute_uri(
- self.object.get_absolute_url()
+ context["quoted_absolute_uri"] = quote_plus(
+ self.request.build_absolute_uri(self.object.get_absolute_url())
 )
 return context

From cf319ca53ebccc8103fed7af4bce7f7affd18b80 Mon Sep 17 00:00:00 2001
From: David Larlet
Date: Mon, 12 Feb 2024 21:14:21 -0500
Subject: [PATCH 2/2] fix: only query OEmbed map on id and fallback to 404

---
 umap/tests/test_map_views.py | 9 +++++++++
 umap/views.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/umap/tests/test_map_views.py b/umap/tests/test_map_views.py
index 8f0ccae3..c99183b8 100644
--- a/umap/tests/test_map_views.py
+++ b/umap/tests/test_map_views.py
@@ -775,6 +775,15 @@ def test_oembed_no_url_map(client, map, datalayer):
 assert response.status_code == 404
+def test_oembed_unknown_url_map(client, map, datalayer):
+ map_url = f"http://testserver{map.get_absolute_url()}"
+ # We change to an unknown id prefix to keep URL structure.
+ map_url = map_url.replace("map_", "_111")
+ url = f"{reverse('map_oembed')}?url={map_url}"
+ response = client.get(url)
+ assert response.status_code == 404
+
+
 def test_oembed_wrong_format_map(client, map, datalayer):
 url = (
 f"{reverse('map_oembed')}"
diff --git a/umap/views.py b/umap/views.py
index 467cb36c..dc2e16bc 100644
--- a/umap/views.py
+++ b/umap/views.py
@@ -695,7 +695,7 @@ class MapOEmbed(View):
 if "slug" not in kwargs or "map_id" not in kwargs:
 raise Http404("Invalid URL path.")
- map_ = Map.objects.get(id=kwargs["map_id"], slug=kwargs["slug"])
+ map_ = get_object_or_404(Map, id=kwargs["map_id"])
 if map_.share_status != Map.PUBLIC:
 raise PermissionDenied("This map is not public.")
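Review bot: Renaming the context key from `absolute_uri` to `quoted_absolute_uri` drops the unencoded value from the template context, and Django templates render a missing variable as an empty string rather than failing, so any other `{{ absolute_uri }}` reference in map_detail.html or an included template would silently go blank. If nothing else reads it this is harmless, but keeping both is cheap and makes the intent explicit: `absolute_uri = self.request.build_absolute_uri(self.object.get_absolute_url())`, `context["absolute_uri"] = absolute_uri`, `context["quoted_absolute_uri"] = quote_plus(absolute_uri)`. A comment such as `# quote_plus also encodes "/" and ":", so this value is only usable inside a query-string parameter` would stop a later reader from dropping it into an href as a bare URL. The enclosing method starts before this hunk.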
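Review bot: `map_url.replace("map_", "_111")` rewrites every occurrence of `map_`, so if the map URL has the usual `/map/<slug>_<id>/` shape the slug is altered along with the id (the `map_` inside `test-map_` disappears), and the test passes only because the view no longer compares the slug. Since the intent stated in the comment is an unknown id with the same URL structure, targeting the id directly is more precise and keeps the test valid should slug checking ever return: `map_url = map_url.replace(f"_{map.id}", f"_111{map.id}")`. Note also that the `url` query value is passed unencoded here, whereas the first patch percent-encodes it in the template; Django parses both forms, but this test does not exercise the encoded one.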
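Review bot: With the lookup now keyed on `map_id` alone, the `"slug" not in kwargs` check one line above only enforces URL shape and `kwargs["slug"]` is never read, which deserves a one-line comment so it is not "fixed" later, e.g. `# Lookup is by id only; the slug is required for URL shape but not matched (presumably so renamed maps still resolve).` The `share_status != Map.PUBLIC` check that follows still gates the result, so widening the lookup does not let this endpoint return non-public maps. `get_object_or_404` only turns `Map.DoesNotExist` into a 404; if a non-numeric `map_id` can reach this line, the integer-field lookup raises `ValueError` and surfaces as a 500, so it is worth confirming that whatever produced `kwargs` constrains `map_id` to digits. The enclosing method starts outside this hunk.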