Prevent raw content being served from storage. (#7443)

TODO: Detailed description to be added once deployed.

appengine/storage.js

@@ -130,6 +130,8 @@ BlocklyStorage.handleRequest_ = function() {
           BlocklyStorage.alert(BlocklyStorage.HASH_ERROR.replace('%1',
               window.location.hash));
         } else {
+          // Remove poison line to prevent raw content from being served.
+          data = data.replace(/^\{\[\(\< UNTRUSTED CONTENT \>\)\]\}\n/, '');
           BlocklyStorage.loadXml_(data, BlocklyStorage.httpRequest_.workspace);
         }
       }

appengine/storage.py

@@ -80,11 +80,20 @@ def keyToXml(key_provided):
     with client.context():
       result.put()
     xml = result.xml_content
+    # Add a poison line to prevent raw content from being served.
+    xml = "{[(< UNTRUSTED CONTENT >)]}\n" + xml
   return xml
 
 
 def app(environ, start_response):
-  forms = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+  headers = [
+    ("Content-Type", "text/plain")
+  ]
+  if environ["REQUEST_METHOD"] != "POST":
+    start_response("405 Method Not Allowed", headers)
+    return ["Storage only accepts POST".encode('utf-8')]
+
+  forms = cgi.FieldStorage(fp=environ["wsgi.input"], environ=environ)
   if "xml" in forms:
     out = xmlToKey(forms["xml"].value)
   elif "key" in forms:
@@ -92,8 +101,5 @@ def app(environ, start_response):
   else:
     out = ""
 
-  headers = [
-    ("Content-Type", "text/plain")
-  ]
   start_response("200 OK", headers)
   return [out.encode("utf-8")]