
Commit ba73df8

Restrict webagg toolbar events to the actual toolbar items
1 parent b885130 commit ba73df8

2 files changed

Lines changed: 27 additions & 2 deletions


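--- a/lib/matplotlib/backends/backend_webagg_core.py
+++ b/lib/matplotlib/backends/backend_webagg_core.py
@@ -349,8 +349,11 @@ def _handle_key(self, event):
 handle_key_press = handle_key_release = _handle_key
 
 def handle_toolbar_button(self, event):
-# TODO: Be more suspicious of the input
-getattr(self.toolbar, event['name'])()
+name = event['name']
+allowed = {item[3] for item in self.toolbar.toolitems}
+if name not in allowed:
+return
+getattr(self.toolbar, name)()
 
 def handle_refresh(self, event):
 if self.manager: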
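Review bot: In `handle_toolbar_button`, the membership test only covers well-formed string names: a message without a `name` key still raises `KeyError` at `event['name']`, and a non-hashable value such as a JSON list raises `TypeError` at `name not in allowed` because `allowed` is a set. Since the event appears to come from the client, I would reject those the same way as unknown names, e.g. `name = event.get('name')` followed by `if not isinstance(name, str) or name not in allowed: return`. The type check also keeps a `None` entry from being accepted, should `toolitems` contain separator rows whose fourth field is `None` (not visible here). A short comment above the check saying why it exists, for instance `# The name comes from the client; only dispatch to methods listed in toolitems.`, would replace the removed TODO.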

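--- a/lib/matplotlib/tests/test_backend_webagg.py
+++ b/lib/matplotlib/tests/test_backend_webagg.py
@@ -4,6 +4,9 @@
 import pytest
 
 import matplotlib.backends.backend_webagg_core
+from matplotlib.backends.backend_webagg_core import (
+FigureCanvasWebAggCore, NavigationToolbar2WebAgg,
+)
 from matplotlib.testing import subprocess_run_for_testing
 
 
@@ -33,6 +36,25 @@ def test_webagg_core_no_toolbar():
 assert fm._toolbar2_class is None
 
 
+def test_toolbar_button_dispatch_allowlist():
+"""Only declared toolbar items should be dispatched."""
+fig = MagicMock()
+canvas = FigureCanvasWebAggCore(fig)
+canvas.toolbar = MagicMock(spec=NavigationToolbar2WebAgg)
+canvas.toolbar.toolitems = NavigationToolbar2WebAgg.toolitems
+
+# Valid toolbar action should be dispatched.
+canvas.handle_toolbar_button({'name': 'home'})
+canvas.toolbar.home.assert_called_once()
+
+# Invalid names should be silently ignored.
+canvas.toolbar.reset_mock()
+canvas.handle_toolbar_button({'name': '__init__'})
+canvas.handle_toolbar_button({'name': 'not_a_real_button'})
+# No methods should have been called.
+assert canvas.toolbar.method_calls == []
+
+
 def test_websocket_check_origin():
 """WebSocket should reject cross-origin connections."""
 pytest.importorskip("tornado")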
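Review bot: The `'__init__'` case in `test_toolbar_button_dispatch_allowlist` probably does not exercise the allowlist: on a `MagicMock` that name resolves to the mock's own initializer, and calling it is not recorded in `method_calls`, so the final assertion would hold with or without the check. A stronger negative case is a real, callable toolbar method that is not listed in `toolitems`. Assuming `remove_rubberband` is such a method, add `canvas.handle_toolbar_button({'name': 'remove_rubberband'})` and `canvas.toolbar.remove_rubberband.assert_not_called()`, which would fail if the name were dispatched.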
