From 12844220ec2768eb294283f6316096b6ae1bd567 Mon Sep 17 00:00:00 2001
From: Stefan Lew
Date: Sat, 4 Apr 2015 21:29:00 +0200
Subject: [PATCH 1/2] use rel="noreferrer" to prevent leakage of dircap
---
 src/allmydata/web/directory.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/allmydata/web/directory.py b/src/allmydata/web/directory.py
index e75067e14..88d4a5068 100644
--- a/src/allmydata/web/directory.py
+++ b/src/allmydata/web/directory.py
@@ -732,7 +732,7 @@ class DirectoryAsHTML(rend.Page):
 # page that doesn't know about the directory at all
 dlurl = "%s/file/%s/@@named=/%s" % (root, quoted_uri, nameurl)
- ctx.fillSlots("filename", T.a(href=dlurl)[name])
+ ctx.fillSlots("filename", T.a(href=dlurl, rel="noreferrer")[name])
 ctx.fillSlots("type", "SSK")
 ctx.fillSlots("size", "?")
@@ -742,7 +742,7 @@ class DirectoryAsHTML(rend.Page):
 elif IImmutableFileNode.providedBy(target):
 dlurl = "%s/file/%s/@@named=/%s" % (root, quoted_uri, nameurl)
- ctx.fillSlots("filename", T.a(href=dlurl)[name])
+ ctx.fillSlots("filename", T.a(href=dlurl, rel="noreferrer")[name])
 ctx.fillSlots("type", "FILE")
 ctx.fillSlots("size", target.get_size())
From 481a02aee7a4fb9f3dfe8cfb5db3f0bb812a2ad0 Mon Sep 17 00:00:00 2001
From: Stefan Lew
Date: Sat, 4 Apr 2015 22:10:52 +0200
Subject: [PATCH 2/2] made tests work with new attribute rel="noreferrer"
---
 src/allmydata/test/web/test_grid.py | 2 +-
 src/allmydata/test/web/test_web.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/allmydata/test/web/test_grid.py b/src/allmydata/test/web/test_grid.py
index 8d7f58e7e..53fe3fb26 100644
--- a/src/allmydata/test/web/test_grid.py
+++ b/src/allmydata/test/web/test_grid.py
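Review bot: The new `rel="noreferrer"` on the file link in this hunk and in the one at @@ -742 is left unexplained in code, while the neighbouring comment documents only the URI-based download page; add above the first `ctx.fillSlots("filename", ...)` the line `# rel="noreferrer" keeps this page's URL (which carries the dircap) out of the Referer header and document.referrer when the linked file is opened`. The attribute is a client-side hint whose effect depends on the browser honouring it, so the existing measure of linking to the `/file/...` page that does not know the directory stays the primary protection and this is defence in depth rather than a replacement. Only the two `T.a(href=dlurl)` calls are changed; any other anchor DirectoryAsHTML renders toward user-supplied content (subdirectory or unknown-node rows, if they exist outside these hunks) would need the same treatment for the protection to be consistent. The enclosing method starts and ends outside both hunks.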
@@ -535,7 +535,7 @@ class Grid(GridTestMixin, WebErrorMixin, ShouldFailMixin, testutil.ReallyEqualMi
 self.failIfIn("URI:SSK", res)
 get_lonely = "".join([r'FILE',
 r'\s+',
- r'lonely' % (urllib.quote(lonely_uri),),
+ r'lonely' % (urllib.quote(lonely_uri),),
 r'',
 r'\s+%d' % len("one"),
 ])
diff --git a/src/allmydata/test/web/test_web.py b/src/allmydata/test/web/test_web.py
index 5643c0c54..4e9d8e0b2 100644
--- a/src/allmydata/test/web/test_web.py
+++ b/src/allmydata/test/web/test_web.py
@@ -1568,7 +1568,7 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
 d = self.GET(self.public_url + "/foo", followRedirect=True)
 def _check(html):
 # Check if encoded entries are there
- self.failUnlessIn('@@named=/' + self._htmlname_urlencoded + '">'
+ self.failUnlessIn('@@named=/' + self._htmlname_urlencoded + '" rel="noreferrer">'
 + self._htmlname_escaped + '', html)
 self.failUnlessIn('value="' + self._htmlname_escaped_attr + '"', html)
 self.failIfIn(self._htmlname_escaped_double, html)
@@ -1600,7 +1600,7 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
 (ROOT, urllib.quote(self._bar_txt_uri)))
 get_bar = "".join([r'FILE',
 r'\s+',
- r'bar.txt' % bar_url,
+ r'bar.txt' % bar_url,
 r'',
 r'\s+%d' % len(self.BAR_CONTENTS),
 ])
@@ -1663,7 +1663,7 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
 def _check5(res):
 self.failUnlessIn('(immutable)', res)
 self.failUnless(re.search('FILE'
- r'\s+short', res), res)
+ r'\s+short', res), res)
 d.addCallback(_check5)
 return d
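Review bot: The updated assertion in the @@ -1568 hunk of test_web.py hard-codes the serialised attribute order by expecting `'" rel="noreferrer">'` immediately after the href, so the test breaks if the templating layer ever emits `rel` before `href` even though the page would still carry the attribute; checking the two facts independently, keeping the existing `'@@named=/' + self._htmlname_urlencoded + '"'` match and adding `self.failUnlessIn('rel="noreferrer"', html)`, pins the behaviour without the ordering. The rebuilt regex fragments in the @@ -535 hunk of test_grid.py and in the @@ -1600 and @@ -1663 hunks here appear to have the same coupling, although the markup inside those literals is not fully legible in this rendering. `_check`, `_check5` and the other test methods extend beyond their hunks.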