From 91e991e9517fdeecf7b495957e90af7536486547 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Wed, 1 Jun 2016 19:27:09 +0000 Subject: [PATCH] Limits the schemes that custom field URL patterns can use (#22925). git-svn-id: http://svn.redmine.org/redmine/trunk@15435 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/custom_field.rb | 8 ++++++++ lib/redmine/field_format.rb | 17 +++++++++++++++-- .../redmine/field_format/field_format_test.rb | 15 +++++++++++++++ 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/app/models/custom_field.rb b/app/models/custom_field.rb index 511299523..370ce7090 100644 --- a/app/models/custom_field.rb +++ b/app/models/custom_field.rb @@ -262,6 +262,14 @@ class CustomField < ActiveRecord::Base args.include?(field_format) end + def self.human_attribute_name(attribute_key_name, *args) + attr_name = attribute_key_name.to_s + if attr_name == 'url_pattern' + attr_name = "url" + end + super(attr_name, *args) + end + protected # Removes multiple values for the custom field after setting the multiple attribute to false diff --git a/lib/redmine/field_format.rb b/lib/redmine/field_format.rb index dd94eeefd..77014579b 100644 --- a/lib/redmine/field_format.rb +++ b/lib/redmine/field_format.rb @@ -48,6 +48,7 @@ module Redmine class Base include Singleton include Redmine::I18n + include Redmine::Helpers::URL include ERB::Util class_attribute :format_name @@ -149,7 +150,12 @@ module Redmine # Returns the validation errors for custom_field # Should return an empty array if custom_field is valid def validate_custom_field(custom_field) - [] + errors = [] + pattern = custom_field.url_pattern + if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern)) + errors << [:url_pattern, :invalid] + end + errors end # Returns the validation error messages for custom_value 
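Review bot: The scheme check is placed in Base#validate_custom_field, so any format subclass that overrides validate_custom_field without calling super would skip it; whether such overrides exist is not visible here, but a security control should not depend on each subclass remembering super. I would extract the check into its own method, `validate_url_pattern(custom_field)`, and have whatever calls validate_custom_field (outside this hunk) invoke both, or hook it into CustomField's own validations so it runs regardless of format. Note also that tokens are stripped before the check, so a pattern consisting only of `%value%` validates as safe and the value later substituted into it can supply the scheme; that deserves a comment next to the `uri_with_safe_scheme?` call: `# Tokens are stripped first, so a pattern that is only a token passes here; the rendered URL must be re-checked where links are built.` The accepted scheme list comes from Redmine::Helpers::URL, which this diff does not show.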
@@ -178,7 +184,7 @@ module Redmine url = url_from_pattern(custom_field, single_value, customized) [text, url] end - links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url} + links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url} links.join(', ').html_safe else casted @@ -210,6 +216,13 @@ module Redmine end protected :url_from_pattern + # Returns the URL pattern with substitution tokens removed, + # for validation purpose + def url_pattern_without_tokens(url_pattern) + url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '') + end + protected :url_pattern_without_tokens + def edit_tag(view, tag_id, tag_name, custom_value, options={}) view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id)) end diff --git a/test/unit/lib/redmine/field_format/field_format_test.rb b/test/unit/lib/redmine/field_format/field_format_test.rb index 9864d0c41..1f3bc20ea 100644 --- a/test/unit/lib/redmine/field_format/field_format_test.rb +++ b/test/unit/lib/redmine/field_format/field_format_test.rb @@ -20,6 +20,10 @@ require File.expand_path('../../../../../test_helper', __FILE__) class Redmine::FieldFormatTest < ActionView::TestCase include ApplicationHelper + def setup + set_language_if_valid 'en' + end + def test_string_field_with_text_formatting_disabled_should_not_format_text field = IssueCustomField.new(:field_format => 'string') custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "*foo*") 
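Review bot: The `link_to_if uri_with_safe_scheme?(url)` guard on the links line is the only check that sees the substituted value, because the pattern validation strips tokens before checking, yet nothing says so and a later reader could remove it as redundant with the model validation. I would add a comment above that line: `# Re-check the substituted URL: a pattern of just "%value%" passes validation, and the value itself may carry a scheme.` Whether url_from_pattern escapes substituted values is outside this hunk; even if it does, a colon is normally preserved by URL escaping, so the re-check is what stops a value-supplied scheme. The enclosing method starts before this hunk.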
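Review bot: The token regex in url_pattern_without_tokens duplicates the set of tokens that url_from_pattern substitutes (that method begins above this hunk), so the two lists can drift: a token added to url_from_pattern later but not here would be left in the pattern during validation, and the validation would then no longer reflect what is rendered. I would hoist the expression into one frozen constant used by both, `URL_PATTERN_TOKENS = /%(value|id|project_id|project_identifier|m\d+)%/.freeze`, and write `url_pattern.to_s.gsub(URL_PATTERN_TOKENS, '')` here. A one-line comment on the method stating that the list must match url_from_pattern would help until that is done.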
@@ -52,6 +56,17 @@ class Redmine::FieldFormatTest < ActionView::TestCase assert_include "foo", field.format.formatted_custom_value(self, custom_value, true) end + def test_should_validate_url_pattern_with_safe_scheme + field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'http://foo/%value%') + assert_save field + end + + def test_should_not_validate_url_pattern_with_unsafe_scheme + field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'foo://foo/%value%') + assert !field.save + assert_include "URL is invalid", field.errors.full_messages + end + def test_text_field_with_url_pattern_should_format_as_link field = IssueCustomField.new(:field_format => 'string', :url_pattern => 'http://foo/%value%') custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar") -- 2.39.5
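Review bot: The two new tests cover one safe and one unknown scheme, but not the cases the validation can miss: a pattern whose scheme is supplied by the value (`:url_pattern => '%value%'` with a value of `javascript:alert(1)`) should save but must not render as a link, and a pattern that carries the scheme itself, `:url_pattern => 'javascript:%value%'`, should be rejected with `assert !field.save`. A scheme-less relative pattern such as `'/issues/%value%'` is also worth pinning, since whether it is accepted depends on uri_with_safe_scheme?, which this diff does not show. The existing test_text_field_with_url_pattern_should_format_as_link just below continues past this hunk and could host the unlinked-value assertion.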