On Thu, Nov 26, 2009 at 1:30 PM, Michael Hudson <[email protected]> wrote:
Stuart Bishop wrote:On Thu, Nov 26, 2009 at 11:08 AM, Michael Hudson <[email protected]> wrote:Something that turns out to a bit annoying when you try to test bzr-svn with Launchpad is that bzr doesn't allow a netloc part in file:// urls and the launchpad "valid_absolute_url" insists on a netloc in all URLs (of course it's essentially always 'localhost' in file:// URLs). This is a bit stupid for bzr and I'll fix it to accept file://localhost/ URLs, but would it be possible to change this for Launchpad too?I would think file: URLs are one of the things that valid_absolute_url is supposed to catch, as on the production system it would certainly indicate a mistake or an attack (the database constraint is our second layer of defense after the form validation).Well, we more-or-less need it for testing bzr-svn (and other) imports. I don't really want to spin up an apache with the mod_dav_svn installed for the test... We've also used file://localhost/ urls to do imports from disk in the past, although I think there are probably better ways of doing this.(I won't fix valid_absolute_url just now in case someone can point out sane use cases for allowing file: URLs to be accepted).It will break some code import tests, I'm fairly sure.
We should have a customized validator that allows file: then for those cases we know it is safe and can't be used for, say, accessing arbitrary files on the server. I can't think of any places where this is actually a problem, but I might be wrong and can't speak for the future either. (Just confirmed I can't mirror a bzr branch using a file:// URL, at least using the web UI to set it up). -- Stuart Bishop <[email protected]> http://www.stuartbishop.net/
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
