[security] fix access control problem oldstable
authorNicolas Chauvat <nicolas.chauvat@logilab.fr>
Mon, 13 Dec 2010 19:46:24 +0100
brancholdstable
changeset 6747 63bf61e4e130
parent 6741 b9ffecd0316a
child 6748 52226299c352
[security] fix access control problem
req.py
test/unittest_req.py
--- a/req.py	Thu Dec 09 18:06:48 2010 +0100
+++ b/req.py	Mon Dec 13 19:46:24 2010 +0100
@@ -142,7 +142,7 @@
 
     def ensure_ro_rql(self, rql):
         """raise an exception if the given rql is not a select query"""
-        first = rql.split(' ', 1)[0].lower()
+        first = rql.split(None, 1)[0].lower()
         if first in ('insert', 'set', 'delete'):
             raise Unauthorized(self._('only select queries are authorized'))
 
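Review bot: `rql.split(None, 1)[0]` on the new line raises IndexError for an empty or whitespace-only string, because `''.split(None, 1)` returns `[]`; the old `split(' ', 1)` at least returned `['']` there, so the patch turns a silent pass into an unhandled exception for that input. Guard the empty case explicitly, e.g. `tokens = rql.split(None, 1)` followed by `first = tokens[0].lower() if tokens else ''`, so a blank query falls through to the non-mutating path rather than erroring. A short comment on the split would also record why the whitespace-agnostic form matters here: `# split on any whitespace (not just ' ') so leading spaces/tabs/newlines cannot hide the keyword`. The keyword denylist `('insert', 'set', 'delete')` remains a string check rather than a parse; if the project's RQL grammar accepts other mutating forms, this check would not see them, which is worth confirming against the parser rather than assuming.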
--- a/test/unittest_req.py	Thu Dec 09 18:06:48 2010 +0100
+++ b/test/unittest_req.py	Mon Dec 13 19:46:24 2010 +0100
@@ -18,7 +18,7 @@
 from logilab.common.testlib import TestCase, unittest_main
 from cubicweb.req import RequestSessionBase
 from cubicweb.devtools.testlib import CubicWebTC
-
+from cubicweb import Unauthorized
 
 class RebuildURLTC(TestCase):
     def test_rebuild_url(self):
@@ -42,6 +42,12 @@
         self.assertRaises(AssertionError, req.build_url, 'one', 'two not allowed')
         self.assertRaises(ValueError, req.build_url, 'view', test=None)
 
+    def test_ensure_no_rql(self):
+        req = RequestSessionBase(None)
+        self.assertEqual(req.ensure_ro_rql('Any X WHERE X is CWUser'), None)
+        self.assertEqual(req.ensure_ro_rql('  Any X WHERE X is CWUser  '), None)
+        self.assertRaises(Unauthorized, req.ensure_ro_rql, 'SET X login "toto" WHERE X is CWUser')
+        self.assertRaises(Unauthorized, req.ensure_ro_rql, '   SET X login "toto" WHERE X is CWUser   ')
 
 if __name__ == '__main__':
     unittest_main()