launchpad-dev team mailing list archive

Thread
Date

Re: Handling of file:/// urls in the database

To: Stuart Bishop <stuart.bishop@xxxxxxxxxxxxx>
From: Michael Hudson <michael.hudson@xxxxxxxxxxxxx>
Date: Thu, 26 Nov 2009 19:30:02 +1300
Cc: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <g2h33frtegk0m4iduUYAxe124vaj_firegpg@mail.gmail.com>
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Stuart Bishop wrote:
> On Thu, Nov 26, 2009 at 11:08 AM, Michael Hudson
> <michael.hudson@xxxxxxxxxxxxx> wrote:
>> Something that turns out to a bit annoying when you try to test bzr-svn
>> with Launchpad is that bzr doesn't allow a netloc part in file:// urls
>> and the launchpad "valid_absolute_url" insists on a netloc in all URLs
>> (of course it's essentially always 'localhost' in file:// URLs).  This
>> is a bit stupid for bzr and I'll fix it to accept file://localhost/
>> URLs, but would it be possible to change this for Launchpad too?
> 
> I would think file: URLs are one of the things that valid_absolute_url
> is supposed to catch, as on the production system it would certainly
> indicate a mistake or an attack (the database constraint is our second
> layer of defense after the form validation).

Well, we more-or-less need it for testing bzr-svn (and other) imports.
I don't really want to spin up an apache with the mod_dav_svn installed
for the test...  We've also used file://localhost/ urls to do imports
from disk in the past, although I think there are probably better ways
of doing this.

> (I won't fix valid_absolute_url just now in case someone can point out
> sane use cases for allowing file: URLs to be accepted).

It will break some code import tests, I'm fairly sure.

Cheers,
mwh

Follow ups

Re: Handling of file:/// urls in the database
From: Jelmer Vernooij, 2009-12-01
Re: Handling of file:/// urls in the database
From: Stuart Bishop, 2009-11-26

References

Re: Handling of file:/// urls in the database
From: Stuart Bishop, 2009-11-26