From 28c8ab565654e44e45a175fe213f3e00d3f6a39b Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Wed, 6 Feb 2013 17:25:42 +0100
Subject: [PATCH] [FIX] web_linkedin: force protocol and domain when loading LinkedIn images

Should work in all cases and prevents abuse.
lp bug: https://launchpad.net/bugs/1116226 fixed
bzr revid: odo@openerp.com-20130206162542-d9oejg5iyox36b0y
---
 addons/web_linkedin/web_linkedin.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/addons/web_linkedin/web_linkedin.py b/addons/web_linkedin/web_linkedin.py
index 277b4497ffc..62883840f2d 100644
--- a/addons/web_linkedin/web_linkedin.py
+++ b/addons/web_linkedin/web_linkedin.py
@@ -21,6 +21,7 @@ import base64
 import urllib2
+from urlparse import urlparse, urlunparse
 import openerp
 from openerp.osv import fields, osv
@@ -30,11 +31,12 @@ class Binary(openerp.addons.web.http.Controller):
     @openerp.addons.web.http.jsonrequest
     def url2binary(self, req, url):
-        if not url.startswith("http"):
-            raise Exception("Not allowed to load a file using this protocol")
-        if url.count("?") > 0 or url.count("&") > 0 or url.count("=") > 0:
-            raise Exception("Not allowed to use GET parameters")
+        """Used exclusively to load images from LinkedIn profiles, must not be used for anything else."""
         req.session.assert_valid(force=True)
+        _scheme, _netloc, path, params, query, fragment = urlparse(url)
+        # media.linkedin.com is the master domain for LinkedIn media (replicated to CDNs),
+        # so forcing it should always work and prevents abusing this method to load arbitrary URLs
+        url = urlunparse(('http', 'media.linkedin.com', path, params, query, fragment))
         bfile = urllib2.urlopen(url)
         return base64.b64encode(bfile.read())
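Review bot: Pinning the scheme and host bounds where the request goes, but the kept line `bfile = urllib2.urlopen(url)` still opens with no timeout, reads the entire response into memory before base64-encoding it, and never closes the handle, so a slow or oversized response from the pinned host can tie up a worker and leak the connection. Wrapping the open in `contextlib.closing` with a `timeout=` and capping the read keeps the fetch bounded; the two constants in the sketch below are placeholders to be defined with deployment-specific values, and `closing` needs importing next to the `urlparse` import added in the first hunk. Note also that `urllib2.urlopen` follows HTTP redirects by default, so the host pin applies only to the initial request; if a redirect away from `media.linkedin.com` matters here, an opener built via `urllib2.build_opener` without the redirect handler would enforce the pin end to end. Since the path, params, query and fragment of the caller-supplied URL are still forwarded verbatim, the docstring could state that explicitly, e.g. `"""Fetch an image from media.linkedin.com; only the path and query of *url* are honoured, scheme and host are forced."""`.

```python
        url = urlunparse(('http', 'media.linkedin.com', path, params, query, fragment))
        # Bound the fetch: a slow or oversized response must not hold the worker or its memory.
        with closing(urllib2.urlopen(url, timeout=FETCH_TIMEOUT_SECONDS)) as bfile:  # PLACEHOLDER constant
            data = bfile.read(MAX_IMAGE_BYTES + 1)  # PLACEHOLDER constant; +1 detects overflow
        if len(data) > MAX_IMAGE_BYTES:
            raise Exception("Image exceeds the allowed size")
        return base64.b64encode(data)
```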