[RPC] require valid URL scheme on budget commands #950
Conversation
|
I originally thought that regex failure in the zerocoin test was something unrelated; or related to the zerocoin changes. But now that I look at it.... @Warrows , do you happen to know why that test uses gcc 4.8? regex should be stable in 4.9, and most of the builds appear to be using 7.4. Are we restricted to supporting 4.8? |
|
That's a question better suited for @Fuzzbawls |
CaveSpectre11
force-pushed
the
budget-url
branch
from
de41d81
to
312a333
Compare
|
I should be able to conditionalize it so that It'll take a little toying to get it right |
|
Concept ACK, but would need to do this without relying on maybe have a look at using |
It wouldn't be as robust; but yes, searching for "://" would at least solve the inadvertent and common omission. |
CaveSpectre11
force-pushed
the
budget-url
branch
2 times, most recently
from
32d43ae
to
8768556
Compare
|
Quick test log of the rpc restrictions. logically, "h://" and "H://" pass, but we at least force [hH]+:// which should make it better. |
CaveSpectre11
changed the title
CaveSpectre11
force-pushed
the
budget-url
branch
from
def3dc5
to
d92b438
Compare
Fuzzbawls
changed the title
Fuzzbawls
added
the
Needs Release Notes
|
I don't particularly like this solution. Anyway, would code the logic in a separate utility function and call that from |
The original design had a utility function for adding the scheme; but the code check in the rpc code was less complicated. I think I agree that a utility function is the way to go; especially given the premise of the last round of changes (adding more URL scheme) validation. Pulling it together into a utility function centralizes where future code can go, if the need to have further validation of the URL is desired later.
I will go ahead and pull the logic into a function; and you and @Fuzzbawls can hash out the pros and cons of |
CaveSpectre11
force-pushed
the
budget-url
branch
from
d92b438
to
2c87d35
Compare
CaveSpectre11
force-pushed
the
budget-url
branch
from
66cb6c6
to
ea79cad
Compare
|
@Fuzzbawls @random-zebra; I have submitted a much broader PR (#964 ) that encompasses this PR, with modifications to the logic to hopefully account for both your concerns. That PR does supersede this one, and if that solution is preferred, this one should be closed. |
CaveSpectre11
force-pushed
the
budget-url
branch
from
e53f352
to
c5089fb
Compare
|
Ok; I just totally jacked this one up trying to merge in #965. I'll try to figure it out tomorrow. |
CaveSpectre11
force-pushed
the
budget-url
branch
from
4517646
to
35d521c
Compare
983d97a [Refactor] Combine parameter checking of budget commands (Cave Spectre) Pull request description: ### **Release notes** - [Refactor] Move common budget parameter checking code into a function ### **Details** The code in both `preparebudget` and `submitbudget` used the same parameter checking. This pulls that parameter checking and loading into a common routine used by both; for ease of improvements and adjustments to the parameter checking... so the risk of not adjusting them consistently in both routines is removed. ### **Note** The early discussion below is based on a combined PR that addressed this, plus #950 and a PR to be named later. The decision was made to split and focus; so the discussions can be independent of each other and refactor as needed. ACKs for top commit: Fuzzbawls: ACK 983d97a random-zebra: ACK 983d97a Tree-SHA512: a88eb41e06d1936db77f1cd9c4f04360b446c48d27652d57dfd6e4b119140d56e24b24e00e0ac48890cc78d4130f8f688a711f74899f9c9301d1aba22dff5315
|
Just some random thoughts:
|
#964 was meant as a replacement to this one originally when I submitted it. But it was decided they should be separate. This one to deal with the scheme check, 964 for the refactor only; and 965 for the fixes on the existing code. The refactoring was what combined the common code in the prepare and submit into Then to make it more confusing; 964's change was cherry picked into 965; and both were picked into this one... presuming the merge order to mainline would be 964 first; then 965, then this one... and thus the rebasing legwork was already done. |
CaveSpectre11
force-pushed
the
budget-url
branch
from
35d521c
to
39d52a6
Compare
|
rebased due to conflict from on budget.cpp |
|
Needs rebase after #965 merge. |
Merged through github; will squash that commit when I get home. |
CaveSpectre11
force-pushed
the
budget-url
branch
from
a4bdfe6
to
aec8ec4
Compare
CaveSpectre11
force-pushed
the
budget-url
branch
from
aec8ec4
to
009bd63
Compare
009bd63 [RPC] require valid URL scheme on budget commands (Cave Spectre) Pull request description: ### **Release Notes** [RPC] Require valid URL schemes (URLs starting with "http" or "https") on preparebudget and submitbudget. ### **Details** The budget proposal system did not have any checks on the URL aside of string length. This allowed for the scheme to be left off the URL; which on some browsers, resulted in the link to fail when clicked:  ``` gio: file:///home/CaveSpectre/forum.pivx.org/index.php%3Fthreads/bizdev-proposal-john-m.285: Error when getting information for file “/home/CaveSpectre/forum.pivx.org/index.php? threads/bizdev-proposal-john-m.285”: No such file or directory ``` The included PR changes the `submitbudget` and `preparebudget` rpc commands to prevent inadvertent omissions of the URL scheme (http:// or https://). Qt changes to fixup the existing & historical budget URLs will be submitted as a separate PR after the merging of #954 .  _(This PR originally included the Qt changes, and as a result some of the below discussion relates to that, before the decision was made to back out the Qt changes until a later date)_ ACKs for top commit: Fuzzbawls: ACK 009bd63 random-zebra: utACK 009bd63 and merging... Tree-SHA512: c08538af442ce1177cae8684bc71e7a6148a3cdb462c1e442e21e2bd5aa91b0ee8417a1692073d9db2a356f86785ab85b2c2cbcf6c681c24c2cd4921094c8ff3
Fuzzbawls
removed
the
Needs Release Notes
13735da [QA] Add unit test for validateURL() (random-zebra) a62f88a [Util] Use C++11 std::regex for validateURL() function (random-zebra) Pull request description: We validate (user side) the URL of budget proposals before their submission via RPC, and [#soon](#2406) via the GUI. As noted by @NoobieDev12 in [this comment](#2406 (comment)), this URL validation is too limited. Essentially we are only checking that the string begins with the protocol. This PR changes the implementation of the function `validateURL()` , using C++11 `std::regex` (which was the original intention of #950, but discarded to avoid bumping the minimum supported ABI at the time). I've used the following pattern to match `^(https?)://[^\s/$.?#][^\s]*[^\s/.]\.[^\s/.][^\s]*[^\s.]$`, which is far from a complete validation, but it should cover the basic cases. We can refine it in the future if need be. Unit tests included. ACKs for top commit: furszy: nice 👌 , utACK 13735da Tree-SHA512: 436bd7eeacd80e528f8cabf4b87ad7435369801cd4050a136715bc982258ab7cecd2c32d0dd430d7e7b43e41729dc2660fbb8e8f4f9a796867ce5ad206df3e66
Release Notes
[RPC] Require valid URL schemes (URLs starting with "http" or "https") on preparebudget and submitbudget.
Details
The budget proposal system did not have any checks on the URL aside of string length. This allowed for the scheme to be left off the URL; which on some browsers, resulted in the link to fail when clicked:
The included PR changes the
submitbudgetandpreparebudgetrpc commands to prevent inadvertent omissions of the URL scheme (http:// or https://).Qt changes to fixup the existing & historical budget URLs will be submitted as a separate PR after the merging of #954 .
(This PR originally included the Qt changes, and as a result some of the below discussion relates to that, before the decision was made to back out the Qt changes until a later date)