Exclude URLs of some domains from outgoing URL rewrite.

Bug 598826
2011-10-17 00:06:31 -07:00 · 2011-10-17 00:06:31 -07:00 · b520b3a860
--- a/apps/amo/tests/test_url_prefix.py
+++ b/apps/amo/tests/test_url_prefix.py
@ -170,8 +170,10 @@ def test_redirect():
 def test_outgoing_url():
    redirect_url = settings.REDIRECT_URL
    secretkey = settings.REDIRECT_SECRET_KEY
+    exceptions = settings.REDIRECT_URL_WHITELIST
    settings.REDIRECT_URL = 'http://example.net'
    settings.REDIRECT_SECRET_KEY = 'sekrit'
+    settings.REDIRECT_URL_WHITELIST = ['nicedomain.com']

    try:
        myurl = 'http://example.com'
@ -191,9 +193,13 @@ def test_outgoing_url():
        assert_not_equal(s, evil,
                         'No subdomain abuse of double-escaping protection.')

+        nice = 'http://nicedomain.com/lets/go/go/go'
+        eq_(nice, urlresolvers.get_outgoing_url(nice))
+
    finally:
        settings.REDIRECT_URL = redirect_url
        settings.REDIRECT_SECRET_KEY = secretkey
+        settings.REDIRECT_URL_WHITELIST = exceptions


 def test_outgoing_url_dirty_unicode():
--- a/apps/amo/urlresolvers.py
+++ b/apps/amo/urlresolvers.py
@ -149,8 +149,11 @@ def get_outgoing_url(url):
    if not settings.REDIRECT_URL:
        return url

-    # no double-escaping
-    if urlparse(url).netloc == urlparse(settings.REDIRECT_URL).netloc:
+    url_netloc = urlparse(url).netloc
+
+    # No double-escaping, and some domain names are excluded.
+    if (url_netloc == urlparse(settings.REDIRECT_URL).netloc
+        or url_netloc in settings.REDIRECT_URL_WHITELIST):
        return url

    url = encoding.smart_str(jinja2.utils.Markup(url).unescape())
--- a/settings.py
+++ b/settings.py
@ -856,6 +856,8 @@ PERSONAS_UPDATE_URL = 'https://www.getpersonas.com/update_check/%d'
 # Outgoing URL bouncer
 REDIRECT_URL = 'http://outgoing.mozilla.org/v1/'
 REDIRECT_SECRET_KEY = ''
+# Allow URLs from these servers. Use full domain names.
+REDIRECT_URL_WHITELIST = ['addons.mozilla.org']

 # Default to short expiration; check "remember me" to override
 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'