Here's a patch, with the test case and the fix


On Sat, Apr 5, 2008 at 9:17 AM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:
Hello,

while playing with the allow-host options in setuptools, I have noticed that it is restricted to URLs because url_ok() uses urlparse
over the regular expressions that are provided

This means that it is not possible to allow local folders to be visited since a "file://*" expression for example,
will lead to an empty string:

>>> import urlparse
>>> urlparse.urlparse('file:///tmp/my/local/file.tgz')[1]
''

This will make some links blocked and impossible to add as authorized resource:
...
Link to file:///tmp/tmpE-LbUpbuildouttests/setuptools/ ***BLOCKED*** by --allow-hosts
...

I would like to propose something:

I think this would be easy to change by calling  URL_SCHEME() over the url in url_ok(),
before urlparse is called. If it is not an url we could then consider that the url is "safe"
and return immediatly.

if you think it is a good idea, i can provide a patch with a test,

Regards,

Tarek

--
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/



--
Tarek Ziadé | Association AfPy | www.afpy.org
Blog FR | http://programmation-python.org
Blog EN | http://tarekziade.wordpress.com/