From b520b3a86008bd5820357223601bcc4a45cb814a Mon Sep 17 00:00:00 2001
From: chenba
Date: Mon, 17 Oct 2011 00:06:31 -0700
Subject: [PATCH] Exclude URLs of some domains from outgoing URL rewrite. Bug 598826
---
 apps/amo/tests/test_url_prefix.py | 6 ++++++
 apps/amo/urlresolvers.py | 7 +++++--
 settings.py | 2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/apps/amo/tests/test_url_prefix.py b/apps/amo/tests/test_url_prefix.py
index de9f4c35c0..8cf314d543 100644
--- a/apps/amo/tests/test_url_prefix.py
+++ b/apps/amo/tests/test_url_prefix.py
@@ -170,8 +170,10 @@ def test_redirect():
 def test_outgoing_url():
 redirect_url = settings.REDIRECT_URL
 secretkey = settings.REDIRECT_SECRET_KEY
+ exceptions = settings.REDIRECT_URL_WHITELIST
 settings.REDIRECT_URL = 'http://example.net'
 settings.REDIRECT_SECRET_KEY = 'sekrit'
+ settings.REDIRECT_URL_WHITELIST = ['nicedomain.com']
 try:
 myurl = 'http://example.com'
@@ -191,9 +193,13 @@ def test_outgoing_url():
 assert_not_equal(s, evil, 'No subdomain abuse of double-escaping protection.')
+ nice = 'http://nicedomain.com/lets/go/go/go'
+ eq_(nice, urlresolvers.get_outgoing_url(nice))
+
 finally:
 settings.REDIRECT_URL = redirect_url
 settings.REDIRECT_SECRET_KEY = secretkey
+ settings.REDIRECT_URL_WHITELIST = exceptions
 def test_outgoing_url_dirty_unicode():
diff --git a/apps/amo/urlresolvers.py b/apps/amo/urlresolvers.py
index ba9a0aef9c..da409ff925 100644
--- a/apps/amo/urlresolvers.py
+++ b/apps/amo/urlresolvers.py
@@ -149,8 +149,11 @@ def get_outgoing_url(url):
 if not settings.REDIRECT_URL:
 return url
- # no double-escaping
- if urlparse(url).netloc == urlparse(settings.REDIRECT_URL).netloc:
+ url_netloc = urlparse(url).netloc
+
+ # No double-escaping, and some domain names are excluded.
+ if (url_netloc == urlparse(settings.REDIRECT_URL).netloc
+ or url_netloc in settings.REDIRECT_URL_WHITELIST):
 return url
 url = encoding.smart_str(jinja2.utils.Markup(url).unescape())
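Review bot: The new `nice` / `eq_(nice, ...)` assertion only proves that an allowlisted host is passed through unchanged; nothing checks that a near miss is still bounced, which is the property the allowlist must not break. After the `eq_` line I would add `almost = 'http://nicedomain.com.evil.example/'` followed by `assert_not_equal(almost, urlresolvers.get_outgoing_url(almost), 'Allowlist must be an exact host match.')`, and the same for `'http://sub.nicedomain.com/'`. These lines sit inside test_outgoing_url, whose start is in the previous hunk and whose earlier assertions are outside this one.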
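Review bot: The allowlist test `url_netloc in settings.REDIRECT_URL_WHITELIST` is an exact comparison against the whole netloc, so `addons.mozilla.org:443`, `ADDONS.MOZILLA.ORG` or `user@addons.mozilla.org` are still sent through the bouncer; that is the safe direction, but the new comment "some domain names are excluded" does not say so, and a later maintainer could loosen it with endswith() and open subdomain bypasses. I would replace that comment with `# No double-escaping; allowlist is an exact netloc match (no scheme, port, userinfo or subdomains) — anything else is still bounced, which is the fail-safe default.` It is also cheap to guard against an empty entry ever landing in the list, since a URL with no netloc (relative, or a javascript: URL) would then skip the bouncer: `or (url_netloc and url_netloc in settings.REDIRECT_URL_WHITELIST)`. get_outgoing_url continues past the end of the hunk.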
diff --git a/settings.py b/settings.py
index aa8c7e8d7d..05c79da99b 100644
--- a/settings.py
+++ b/settings.py
@@ -856,6 +856,8 @@ PERSONAS_UPDATE_URL = 'https://www.getpersonas.com/update_check/%d'
 # Outgoing URL bouncer
 REDIRECT_URL = 'http://outgoing.mozilla.org/v1/'
 REDIRECT_SECRET_KEY = ''
+# Allow URLs from these servers. Use full domain names.
+REDIRECT_URL_WHITELIST = ['addons.mozilla.org']
 # Default to short expiration; check "remember me" to override
 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
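Review bot: The comment `# Allow URLs from these servers. Use full domain names.` does not say what "full" means, and the consumer in urlresolvers.get_outgoing_url compares entries against urlparse(url).netloc exactly, so an entry carrying a scheme, port, path, leading dot or uppercase letters would most likely never match and silently do nothing. I would make the contract explicit: `# Outgoing links whose urlparse().netloc is exactly one of these hosts bypass the bouncer. Bare lowercase hostnames only: no scheme, port, path or subdomain wildcards.` Since every entry here is a host whose links skip the outgoing redirect entirely, the list should stay short and reviewed.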