Merge pull request #2302 from Gared/create_pad_special_characters

Add check for special url characters to createPad API function
John McLear 2015-04-11 14:56:26 +01:00
commit 5ef22e649b
3 changed files with 36 additions and 6 deletions


@ -388,10 +388,12 @@ Group pads are normal pads, but with the name schema GROUPID$PADNAME. A security
* API >= 1 * API >= 1
creates a new (non-group) pad. Note that if you need to create a group Pad, you should call **createGroupPad**. creates a new (non-group) pad. Note that if you need to create a group Pad, you should call **createGroupPad**.
You get an error message if you use one of the following characters in the padID: "/", "?", "&" or "#".
*Example returns:* *Example returns:*
* `{code: 0, message:"ok", data: null}` * `{code: 0, message:"ok", data: null}`
* `{code: 1, message:"pad does already exist", data: null}` * `{code: 1, message:"padID does already exist", data: null}`
* `{code: 1, message:"malformed padID: Remove special characters", data: null}`
#### getRevisionsCount(padID) #### getRevisionsCount(padID)
* API >= 1 * API >= 1


@ -687,12 +687,21 @@ Example returns:
exports.createPad = function(padID, text, callback) exports.createPad = function(padID, text, callback)
{ {
//ensure there is no $ in the padID //ensure there is no $ in the padID
if(padID && padID.indexOf("$") != -1) if(padID)
{ {
callback(new customError("createPad can't create group pads","apierror")); if(padID.indexOf("$") != -1)
return; {
callback(new customError("createPad can't create group pads","apierror"));
return;
}
//check for url special characters
else if(padID.match(/(\/|\?|&|#)/))
{
callback(new customError("malformed padID: Remove special characters","apierror"));
return;
}
} }
//create pad //create pad
getPadSafe(padID, false, text, function(err) getPadSafe(padID, false, text, function(err)
{ {
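Review bot: The new `else if(padID.match(/(\/|\?|&|#)/))` branch assumes padID is a string and rejects only four characters. If the API layer can pass a non-string value (for instance a repeated query parameter parsed as an array, which is not visible here), `indexOf` succeeds but `.match` is undefined, so the call throws instead of returning an apierror; a guard such as `if(typeof padID !== "string")` ahead of both checks would keep that case on the error-callback path. A denylist also still accepts other URL-significant characters such as `%` or whitespace, so validating against the project's allowed pad-name pattern, if one exists, would be sturdier than listing bad characters. Both checks are skipped when padID is falsy, so it is worth confirming that `getPadSafe` rejects an empty or missing ID. The body of createPad continues past the end of the hunk.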


@ -2,7 +2,8 @@ var assert = require('assert')
supertest = require(__dirname+'/../../../../src/node_modules/supertest'), supertest = require(__dirname+'/../../../../src/node_modules/supertest'),
fs = require('fs'), fs = require('fs'),
api = supertest('http://localhost:9001'); api = supertest('http://localhost:9001');
path = require('path'); path = require('path'),
async = require(__dirname+'/../../../../src/node_modules/async');
var filePath = path.join(__dirname, '../../../../APIKEY.txt'); var filePath = path.join(__dirname, '../../../../APIKEY.txt');
@ -80,6 +81,7 @@ describe('Permission', function(){
-> setHTML(padID) -- Should fail on invalid HTML -> setHTML(padID) -- Should fail on invalid HTML
-> setHTML(padID) *3 -- Should fail on invalid HTML -> setHTML(padID) *3 -- Should fail on invalid HTML
-> getHTML(padID) -- Should return HTML close to posted HTML -> getHTML(padID) -- Should return HTML close to posted HTML
-> createPad -- Tries to create pads with bad url characters
*/ */
@ -494,6 +496,23 @@ describe('getHTML', function(){
}); });
}) })
describe('createPad', function(){
it('errors if pad can be created', function(done) {
var badUrlChars = ["/", "%23", "%3F", "%26"];
async.map(
badUrlChars,
function (badUrlChar, cb) {
api.get(endPoint('createPad')+"&padID="+badUrlChar)
.expect(function(res){
if(res.body.code !== 1) throw new Error("Pad with bad characters was created");
})
.expect('Content-Type', /json/)
.end(cb);
},
done);
});
})
/* /*
-> movePadForce Test -> movePadForce Test
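Review bot: The assertion in the new createPad test, `if(res.body.code !== 1) throw ...`, passes on any code-1 API error, so it would still succeed if the request was refused for another reason such as "padID does already exist". Checking the message as well, e.g. `if(res.body.code !== 1 || res.body.message !== "malformed padID: Remove special characters") throw new Error("Pad with bad characters was created");`, ties the test to the new validation. Each padID here is the bad character on its own; a case with the character embedded in an otherwise valid name, plus the `$` case, would cover the input the check is meant for. The title `errors if pad can be created` reads inverted; something like `rejects padIDs containing url special characters` states what is verified.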