Index: sitescripts/reports/tests/test_updateReport.py
===================================================================
new file mode 100644
--- /dev/null
+++ b/sitescripts/reports/tests/test_updateReport.py
@@ -0,0 +1,119 @@
+# This file is part of the Adblock Plus web scripts,
+# Copyright (C) 2017-present eyeo GmbH
+#
+# Adblock Plus is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# Adblock Plus is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+from urllib import urlencode
+from urllib2 import urlopen, HTTPError
+
+import pytest
+from wsgi_intercept import (urllib_intercept, add_wsgi_intercept,
+                            remove_wsgi_intercept)
+
+# We are mocking the functions that use MySQLdb, so it is not needed. This
+# is to prevent the tests from crashing when they try to import it.
+sys.modules['MySQLdb'] = sys
+from sitescripts.reports.web.updateReport import handleRequest
+
+LOCAL_HOST = 'test.local'
+REMOTE_HOST = 'reports.adblockplus.org'
+PORT = 80
+PLAINTEXT_GUID = '12345678-1234-1234-1234-123456789abc'
+UR_PATH = 'sitescripts.reports.web.updateReport.'
+
+
+def intercept_fn(environ, start_response):
+    assert environ['SERVER_NAME'] == REMOTE_HOST
+    assert PLAINTEXT_GUID in environ['PATH_INFO']
+    return 'Intercepted!'
+
+
+@pytest.fixture
+def response_for():
+    """Register two intercepts, and return responses for them."""
+    urllib_intercept.install_opener()
+    add_wsgi_intercept(LOCAL_HOST, PORT, lambda: handleRequest)
+    add_wsgi_intercept(REMOTE_HOST, 443, lambda: intercept_fn)
+
+    def response_for(data):
+        url = 'http://{}:{}'.format(LOCAL_HOST, PORT)
+        response = urlopen(url, urlencode(data))
+        return response.code, response.read()
+
+    yield response_for
+    remove_wsgi_intercept()
+
+
+@pytest.fixture
+def form_data():
+    return {
+        'email': 'jane_doe@example.com',
+        'secret': '92b3e705f2abe74c20c1c5ea9abd9ba2',
+        'guid': PLAINTEXT_GUID,
+        'status': 'x' * 1025,
+        'usefulness': 0,
+        'notify': 'test NOTIFY',
+        'message': 'test MESSAGE',
+        'subject': 'test SUBJECT',
+        'name': 'test NAME',
+    }
+
+
+@pytest.mark.parametrize('field,message', [
+    (('guid', 'badGUID'), 'Invalid or missing report GUID'),
+    (('secret', 'badSECRET'), 'Wrong secret value'),
+])
+def test_http_errs(field, message, response_for, form_data, mocker):
+    mocker.patch(UR_PATH + 'getReport', new=lambda *args: {'usefulness': 1})
+    key, value = field
+    form_data[key] = value
+    with pytest.raises(HTTPError) as error:
+        response_for(form_data)
+
+    assert message in error.value.read()
+
+
+def test_success(response_for, form_data, mocker):
+    # These methods are patched to avoid the need for a MySQL database
+    mocker.patch(UR_PATH + 'getReport', new=lambda *args: {'usefulness': 1,
+                 'email': 'jane_doe@example.com'})
+    sr_mock = mocker.patch(UR_PATH + 'saveReport')
+    uuu_mock = mocker.patch(UR_PATH + 'updateUserUsefulness')
+    sun_mock = mocker.patch(UR_PATH + 'sendUpdateNotification')
+
+    assert response_for(form_data) == (200, '\nIntercepted!')
+
+    assert sr_mock.call_count == 1
+    for key in ['usefulness', 'email']:
+        assert key in sr_mock.call_args[0][1]
+        assert sr_mock.call_args[0][1][key] == str(form_data[key])
+
+    assert '0' in uuu_mock.call_args[0] and 1 in uuu_mock.call_args[0]
+
+    for key in ['email', 'status']:
+        assert key in sun_mock.call_args[0][0]
+    assert sun_mock.call_args[0][0]['email'] == form_data['email']
+
+    # These should not be equal, because updateReport.py strips characters
+    # over 1024, and form_data['status'] has 1025.
+    assert str(sr_mock.call_args[0][1]['status']) != form_data['status']
+    assert str(sun_mock.call_args[0][0]['status']) != form_data['status']
+
+
+def test_get_report_error(response_for, form_data, mocker):
+    mocker.patch(UR_PATH + 'getReport', new=lambda *args: None)
+    with pytest.raises(HTTPError) as error:
+        response_for(form_data)
+
+    assert 'Report does not exist' in error.value.read()
Index: sitescripts/reports/web/updateReport.py
===================================================================
--- a/sitescripts/reports/web/updateReport.py
+++ b/sitescripts/reports/web/updateReport.py
@@ -14,43 +14,32 @@
 # along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
 
 import re
-import os
-import sys
 import random
-from urlparse import parse_qsl
-from sitescripts.utils import get_config, get_template, setupStderr
-from sitescripts.web import url_handler
-from sitescripts.reports.utils import calculateReportSecret, calculateReportSecret_compat, getReport, saveReport, sendUpdateNotification, getUserId, updateUserUsefulness
+from sitescripts.utils import get_config, get_template
+from sitescripts.web import url_handler, form_handler
+from sitescripts.reports.utils import (calculateReportSecret,
+                                       calculateReportSecret_compat, getReport,
+                                       saveReport, sendUpdateNotification,
+                                       getUserId, updateUserUsefulness)
+
+GUID_REGEX = r'^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$'
 
 
 @url_handler('/updateReport')
-def handleRequest(environ, start_response):
-    setupStderr(environ['wsgi.errors'])
-
-    if environ['REQUEST_METHOD'].upper() != 'POST' or not environ.get('CONTENT_TYPE', '').startswith('application/x-www-form-urlencoded'):
-        return showError('Unsupported request method', start_response)
-
-    try:
-        request_body_length = int(environ['CONTENT_LENGTH'])
-    except:
-        return showError('Invalid or missing Content-Length header', start_response)
-
-    request_body = environ['wsgi.input'].read(request_body_length)
-    params = {}
-    for key, value in parse_qsl(request_body):
-        params[key] = value.decode('utf-8')
-
+@form_handler
+def handleRequest(environ, start_response, params):
     guid = params.get('guid', '').lower()
-    if not re.match(r'^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$', guid):
+    if not re.match(GUID_REGEX, guid):
         return showError('Invalid or missing report GUID', start_response)
 
     reportData = getReport(guid)
 
-    if reportData == None:
+    if reportData is None:
         return showError('Report does not exist', start_response)
 
     secret = calculateReportSecret(guid)
-    if params.get('secret', '') != secret and params.get('secret', '') != calculateReportSecret_compat(guid):
+    if (params.get('secret', '') != secret and
+       params.get('secret', '') != calculateReportSecret_compat(guid)):
         return showError('Wrong secret value', start_response)
 
     reportData['status'] = params.get('status', '')
@@ -59,8 +48,10 @@
 
     oldusefulness = reportData.get('usefulness', '0')
     reportData['usefulness'] = params.get('usefulness', '0')
+
     if 'email' in reportData:
-        updateUserUsefulness(getUserId(reportData['email']), reportData['usefulness'], oldusefulness)
+        updateUserUsefulness(getUserId(reportData['email']),
+                             reportData['usefulness'], oldusefulness)
 
     saveReport(guid, reportData)
 
@@ -84,5 +75,6 @@
 
 def showError(message, start_response):
     template = get_template(get_config().get('reports', 'errorTemplate'))
-    start_response('400 Processing Error', [('Content-Type', 'application/xhtml+xml; charset=utf-8')])
+    start_response('400 Processing Error',
+                   [('Content-Type', 'application/xhtml+xml; charset=utf-8')])
     return [template.render({'message': message}).encode('utf-8')]
Index: tox.ini
===================================================================
--- a/tox.ini
+++ b/tox.ini
@@ -46,11 +46,12 @@
     sitescripts/reports/bin/removeOldUsers.py : E501,N802
     sitescripts/reports/bin/updateDigests.py : A201,A301,A302,E501,E713,F401,N802,N806,N816
     sitescripts/reports/bin/updateSubscriptionList.py : A302,E501,E711,N802
+    sitescripts/reports/tests/test_updateReport.py : E402
     sitescripts/reports/utils.py : A206,A302,E501,E711,N802,N803,N806
     sitescripts/reports/web/showDigest.py : A206,A301,A302,E501,F401,N802,N806
     sitescripts/reports/web/showUser.py : A301,A302,E501,E711,N802
     sitescripts/reports/web/submitReport.py : A301,A302,E501,F401,N802,N806
-    sitescripts/reports/web/updateReport.py : A301,E501,E711,E722,F401,N802,N806
+    sitescripts/reports/web/updateReport.py : A301,E711,E722,F401,N802,N806,W504
     sitescripts/submit_email/web/submit_email.py : E501
     sitescripts/subscriptions/bin/generateReport.py : A104,A107,A201,A301,E501,E713,F401,N802,N803,N806,N816
     sitescripts/subscriptions/bin/processTemplate.py : E501,E711,N802,N803,N806,N816