When we generate links from URL's in messages, we add rel="nofollow"

rouilj · rouilj · commit 660015a4983d · 2019-03-30T21:15:33.000-04:00
to combat link spam. This change turns that into rel="nofollow noopener". This prevents the page at the end of the link from having access to the roundup window that displays the link. Details on the issue are are at: https://mathiasbynens.github.io/rel-noopener/ search web for noopener vulnerability. This problem usually requires a target="_blank" to really exploit it and we don't provide that. But adding noopener is extra protection.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -112,6 +112,9 @@ Fixed:
 - issue2551026: template variable not defined even though it is.
   Fix issue where variables defined in TAL expression are not
   available in the scope of the definition. (Tom Ekberg (tekberg))
+- Make all links created with rel=nofollow include noopener. Deals
+  with possible hijack of original page due to malicious link target.
+  https://mathiasbynens.github.io/rel-noopener/ (John Rouillard)
 
 2018-07-13 1.6.0
 
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -957,7 +957,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
             if action in ['link', 'unlink'] and type(args) == type(()):
                 if len(args) == 3:
                     linkcl, linkid, key = args
-                    arg_s += '<a rel="nofollow" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
+                    arg_s += '<a rel="nofollow noopener" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
                         linkcl, linkid, key)
                 else:
                     arg_s = str(args)
@@ -997,7 +997,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                                     pass
                                 else:
                                     linkid = self._klass.get(self._nodeid, k, None)
-                                    current[k] = '<a rel="nofollow" href="%s%s">%s</a>'%(
+                                    current[k] = '<a rel="nofollow noopener" href="%s%s">%s</a>'%(
                                         classname, linkid, current[k])
 
                     if args[k] and (isinstance(prop, hyperdb.Multilink) or
@@ -1052,7 +1052,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                                     subml.append('<strike>%s</strike>'%label)
                                 else:
                                     if hrefable:
-                                        subml.append('<a rel="nofollow" '
+                                        subml.append('<a rel="nofollow noopener" '
                                                      'href="%s%s">%s</a>'%(
                                             classname, linkid, label))
                                     elif label is None:
@@ -1080,7 +1080,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                                 label = None
                         if label is not None:
                             if hrefable:
-                                old = '<a ref="nofollow" href="%s%s">%s</a>'%(classname,
+                                old = '<a ref="nofollow noopener" href="%s%s">%s</a>'%(classname,
                                     args[k], label)
                             else:
                                 old = label;
@@ -1407,7 +1407,7 @@ class StringHTMLProperty(HTMLProperty):
 
     def _hyper_repl(self, match):
         if match.group('url'):
-            return self._hyper_repl_url(match, '<a href="%s" rel="nofollow">%s</a>%s')
+            return self._hyper_repl_url(match, '<a href="%s" rel="nofollow noopener">%s</a>%s')
         elif match.group('email'):
             return self._hyper_repl_email(match, '<a href="mailto:%s">%s</a>')
         elif len(match.group('id')) < 10:
diff --git a/test/test_templating.py b/test/test_templating.py
@@ -264,37 +264,37 @@ def t(s): return p.hyper_re.sub(p._hyper_repl, s)
         ae = self.assertEqual
         ae(t('item123123123123'), 'item123123123123')
         ae(t('http://roundup.net/'),
-           '<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>')
+           '<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>')
         ae(t('&lt;HTTP://roundup.net/&gt;'),
-           '&lt;<a href="HTTP://roundup.net/" rel="nofollow">HTTP://roundup.net/</a>&gt;')
+           '&lt;<a href="HTTP://roundup.net/" rel="nofollow noopener">HTTP://roundup.net/</a>&gt;')
         ae(t('&lt;http://roundup.net/&gt;.'),
-            '&lt;<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>&gt;.')
+            '&lt;<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>&gt;.')
         ae(t('&lt;www.roundup.net&gt;'),
-           '&lt;<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>&gt;')
+           '&lt;<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>&gt;')
         ae(t('(www.roundup.net)'),
-           '(<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>)')
+           '(<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>)')
         ae(t('foo http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx bar'),
-           'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow">'
+           'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow noopener">'
            'http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx</a> bar')
         ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))'),
-           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
            'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)')
         ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language)).'),
-           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
            'http://en.wikipedia.org/wiki/Python_(programming_language)</a>).')
         ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))&gt;.'),
-           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
            'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)&gt;.')
         ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language&gt;)).'),
-           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow">'
+           '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow noopener">'
            'http://en.wikipedia.org/wiki/Python_(programming_language</a>&gt;)).')
         for c in '.,;:!':
             # trailing punctuation is not included
             ae(t('http://roundup.net/%c ' % c),
-               '<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>%c ' % c)
+               '<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>%c ' % c)
             # but it's included if it's part of the URL
             ae(t('http://roundup.net/%c/' % c),
-               '<a href="http://roundup.net/%c/" rel="nofollow">http://roundup.net/%c/</a>' % (c, c))
+               '<a href="http://roundup.net/%c/" rel="nofollow noopener">http://roundup.net/%c/</a>' % (c, c))
 
 '''
 class HTMLPermissions:
