From 0ba0ba7adeb195c10985f2c48ce7c97f2eb0e714 Mon Sep 17 00:00:00 2001
From: Ant Zucaro
Date: Sat, 23 Jan 2016 10:08:41 -0500
Subject: [PATCH] Whitelist rank game types in the view. Fixes #162.

The game types where you could view ranks were previously controlled by a regular expression check within the route. This was completely NOT obvious to troubleshoot. This moves them to within the view, which is much easier to control.

Additionally, a 404-check is added for malformed values.
---
 xonstat/__init__.py   | 4 ++--
 xonstat/views/game.py | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/xonstat/__init__.py b/xonstat/__init__.py
index 403b645..1609f4d 100644
--- a/xonstat/__init__.py
+++ b/xonstat/__init__.py
@@ -117,10 +117,10 @@ def main(global_config, **settings):
     config.add_route("game_info_json", "/game/{id:\d+}.json")
     config.add_view(game_info_json, route_name="game_info_json", renderer="jsonp")
 
-    config.add_route("rank_index", "/ranks/{game_type_cd:ctf|dm|tdm|duel|ca|ft}")
+    config.add_route("rank_index", "/ranks/{game_type_cd}")
     config.add_view(rank_index, route_name="rank_index", renderer="rank_index.mako")
 
-    config.add_route("rank_index_json", "/ranks/{game_type_cd:ctf|dm|tdm|duel|ca|ft}.json")
+    config.add_route("rank_index_json", "/ranks/{game_type_cd}.json")
     config.add_view(rank_index_json, route_name="rank_index_json", renderer="jsonp")
 
     config.add_route("game_index", "/games")
diff --git a/xonstat/views/game.py b/xonstat/views/game.py
index 629b8ec..b8b739c 100644
--- a/xonstat/views/game.py
+++ b/xonstat/views/game.py
@@ -121,7 +121,12 @@ def _rank_index_data(request):
     else:
         current_page = 1
 
+    # game type whitelist
+    game_types_allowed = ["ca", "ctf", "dm", "duel", "ft", "ka", "tdm"]
+    game_type_cd = request.matchdict['game_type_cd']
+    if game_type_cd not in game_types_allowed:
+        raise httpexceptions.HTTPNotFound()
 
     ranks_q = DBSession.query(PlayerRank).\
         filter(PlayerRank.game_type_cd==game_type_cd).\
-- 
2.39.2
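Review bot: Dropping the alternation from the placeholder on the `rank_index` route makes `/ranks/{game_type_cd}` overlap the `rank_index_json` route registered two lines below it: Pyramid tries routes in registration order and a bare `{name}` placeholder matches `[^/]+`, so a request for `/ranks/ctf.json` now appears to match `rank_index` first with `game_type_cd` set to `ctf.json`, and the view-side whitelist would then answer 404 instead of serving the JSON. Before this change the `ctf|dm|...` alternation could not match a value containing `.json`, so such requests fell through to the JSON route. The smallest fix that keeps the whitelist in the view is to keep the dot out of the placeholder, `config.add_route("rank_index", "/ranks/{game_type_cd:[^./]+}")`, or alternatively to register `rank_index_json` before `rank_index`. Only the two `add_route` lines are involved; `main` starts and ends outside the hunk.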
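Review bot: The whitelist on the `game_types_allowed` line is a list literal rebuilt on every request and visible only inside `_rank_index_data`, so any other code that needs to know which game types have ranks (a template, a sibling view) would have to duplicate it; a module-level constant such as `RANK_GAME_TYPES = frozenset({"ca", "ctf", "dm", "duel", "ft", "ka", "tdm"})` checked with `if game_type_cd not in RANK_GAME_TYPES:` would be the single place to maintain, which is what the commit message's "easier to control" is after. It is also worth saying in the commit message that `ka` is new here — it was not in the old route alternation, so this change widens the set of reachable rank pages as well as moving the check. The check itself is sound as far as the hunk shows: the untrusted `game_type_cd` is rejected with a 404 before it reaches the `PlayerRank` query. `_rank_index_data` starts and ends outside the hunk.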