# HG changeset patch
# User Nicolas Chauvat
# Date 1292265984 -3600
# Node ID 63bf61e4e130f0669f00b19386a7d6bb4f0b37f2
# Parent b9ffecd0316af715b06e43457bd56203af13405e
[security] fix access control problem

diff -r b9ffecd0316a -r 63bf61e4e130 req.py
--- a/req.py Thu Dec 09 18:06:48 2010 +0100
+++ b/req.py Mon Dec 13 19:46:24 2010 +0100
@@ -142,7 +142,7 @@
 
     def ensure_ro_rql(self, rql):
         """raise an exception if the given rql is not a select query"""
-        first = rql.split(' ', 1)[0].lower()
+        first = rql.split(None, 1)[0].lower()
         if first in ('insert', 'set', 'delete'):
             raise Unauthorized(self._('only select queries are authorized'))
 
diff -r b9ffecd0316a -r 63bf61e4e130 test/unittest_req.py
--- a/test/unittest_req.py Thu Dec 09 18:06:48 2010 +0100
+++ b/test/unittest_req.py Mon Dec 13 19:46:24 2010 +0100
@@ -18,7 +18,7 @@
 from logilab.common.testlib import TestCase, unittest_main
 from cubicweb.req import RequestSessionBase
 from cubicweb.devtools.testlib import CubicWebTC
-
+from cubicweb import Unauthorized
 
 class RebuildURLTC(TestCase):
     def test_rebuild_url(self):
@@ -42,6 +42,12 @@
         self.assertRaises(AssertionError, req.build_url, 'one', 'two not allowed')
         self.assertRaises(ValueError, req.build_url, 'view', test=None)
 
+    def test_ensure_no_rql(self):
+        req = RequestSessionBase(None)
+        self.assertEqual(req.ensure_ro_rql('Any X WHERE X is CWUser'), None)
+        self.assertEqual(req.ensure_ro_rql(' Any X WHERE X is CWUser '), None)
+        self.assertRaises(Unauthorized, req.ensure_ro_rql, 'SET X login "toto" WHERE X is CWUser')
+        self.assertRaises(Unauthorized, req.ensure_ro_rql, ' SET X login "toto" WHERE X is CWUser ')
 
 if __name__ == '__main__':
     unittest_main()
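Review bot: `rql.split(None, 1)[0]` on the new line raises IndexError for an empty or whitespace-only string, because `split` on such input yields an empty list; the docstring promises Unauthorized for anything that is not a select, so the guard should fail closed explicitly, e.g. `tokens = rql.split(None, 1)` followed by `if not tokens or tokens[0].lower() in ('insert', 'set', 'delete'):`. The check remains a denylist keyed on the first whitespace-separated token, so it stays correct only as long as every mutating RQL statement begins with one of those three keywords; if the request object can reach the RQL parser, testing the type of the parsed statement would not depend on tokenization at all. The enclosing class of ensure_ro_rql starts outside the hunk.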
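Review bot: The new test_ensure_no_rql only uses a leading space as the whitespace prefix; that does reproduce the original bypass, but the other prefixes that `split(None, 1)` now also handles (tab, newline) and the `insert` branch of the denylist are untested, as is the `.lower()` on a lower-case keyword. Add e.g. `self.assertRaises(Unauthorized, req.ensure_ro_rql, '\tDELETE X WHERE X is CWUser')`, `self.assertRaises(Unauthorized, req.ensure_ro_rql, '\nINSERT CWUser X: X login "toto"')` and `self.assertRaises(Unauthorized, req.ensure_ro_rql, 'set X login "toto" WHERE X is CWUser')` (constructed examples). The method name `test_ensure_no_rql` reads as a typo for the method under test; `test_ensure_ro_rql` would make the test findable by name.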