commands: Disallow IRIs from 'url' and 'httpUrl' converters.

urllib doesn't support IRIs, and gives out a cryptic 'UnicodeEncodeError: 'ascii' codec can't encode character ...' if we don't validate it.
2024-11-05 18:49:23 +01:00 · 2021-08-25 21:53:05 +02:00 · 2021-08-25 21:53:05 +02:00 · be88530fa4
commit be88530fa4
parent 62db3a92fc
2 changed files with 13 additions and 0 deletions
--- a/plugins/Web/test.py
+++ b/plugins/Web/test.py
@ -176,5 +176,9 @@ class WebTestCase(ChannelPluginTestCase):
        finally:
            conf.supybot.plugins.Web.nonSnarfingRegexp.set('')

+    def testFetchIri(self):
+        self.assertRegexp('fetch http://café.example.org/',
+            'Error: .*is not a valid')
+

 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
--- a/src/commands.py
+++ b/src/commands.py
@ -667,8 +667,15 @@ def getGlob(irc, msg, args, state):
        glob = '*%s*' % glob
    state.args.append(glob)

+def _checkUrl(url):
+    try:
+        args[0].encode('ascii')
+    except UnicodeEncodeError:
+        state.errorInvalid(_('url'), args[0])
+
 def getUrl(irc, msg, args, state):
    if utils.web.urlRe.match(args[0]):
+        _checkUrl(args[0])
        state.args.append(args.pop(0))
    else:
        state.errorInvalid(_('url'), args[0])
@ -681,8 +688,10 @@ def getEmail(irc, msg, args, state):

 def getHttpUrl(irc, msg, args, state):
    if utils.web.httpUrlRe.match(args[0]):
+        _checkUrl(args[0])
        state.args.append(args.pop(0))
    elif utils.web.httpUrlRe.match('http://' + args[0]):
+        _checkUrl('http://' + args[0])
        state.args.append('http://' + args.pop(0))
    else:
        state.errorInvalid(_('http url'), args[0])