# HG changeset patch
# User Marcin Kuzminski
# Date 1363899712 -3600
# Node ID 328eb707fe3fec042f4560316ccc9f9d2747a399
# Parent d91cdc111d2f83a6da19e29226b8dfab1fe480fa
added more strict checks for file path in add file controller
diff -r d91cdc111d2f -r 328eb707fe3f rhodecode/controllers/files.py
--- a/rhodecode/controllers/files.py Thu Mar 21 21:12:03 2013 +0100
+++ b/rhodecode/controllers/files.py Thu Mar 21 22:01:52 2013 +0100
@@ -356,17 +356,14 @@
 content = convert_line_endings(r_post.get('content'), unix_mode)
 message = r_post.get('message') or c.default_message
+ filename = r_post.get('filename')
 location = r_post.get('location')
- filename = r_post.get('filename')
 file_obj = r_post.get('upload_file', None)
 if file_obj is not None and hasattr(file_obj, 'filename'):
 filename = file_obj.filename
 content = file_obj.file
- node_path = os.path.join(location, filename)
- author = self.rhodecode_user.full_contact
-
 if not content:
 h.flash(_('No content'), category='warning')
 return redirect(url('changeset_home', repo_name=c.repo_name,
@@ -375,6 +372,15 @@
 h.flash(_('No filename'), category='warning')
 return redirect(url('changeset_home', repo_name=c.repo_name, revision='tip'))
+ if location.startswith('/') or location.startswith('.') or '../' in location:
+ h.flash(_('location must be relative path and must not ' 'contain .. in path'), category='warning')
+ return redirect(url('changeset_home', repo_name=c.repo_name,
+ revision='tip'))
+ location = os.path.normpath(location)
+ filename = os.path.basename(filename)
+ node_path = os.path.join(location, filename)
+ author = self.rhodecode_user.full_contact
 try:
 self.scm_model.create_node(repo=c.rhodecode_repo,
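Review bot: `location = r_post.get('location')` in this hunk can be None when the form omits the field, and the guard the next hunk adds calls `location.startswith('/')` on it, so a missing field now fails with an AttributeError instead of the intended warning flash; a defaulted read, `location = r_post.get('location') or ''`, keeps the guard on the warning path (note that `os.path.normpath('')` yields `'.'`, so the join then produces a `./`-prefixed node path — confirm create_node accepts that). The guard itself tests only `'../'` as a substring, so on a Windows host a backslash-separated `..` segment is not rejected; checking `'..' in location.split(os.sep)` on the normalized value would cover both separator forms. The enclosing action starts before this hunk and continues after the following one.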
@@ -384,7 +390,7 @@
 content=content, f_path=node_path)
 h.flash(_('Successfully committed to %s') % node_path, category='success')
- except NodeAlreadyExistsError, e:
+ except (NodeError, NodeAlreadyExistsError), e:
 h.flash(_(e), category='error')
 except Exception:
 log.error(traceback.format_exc())
diff -r d91cdc111d2f -r 328eb707fe3f rhodecode/templates/files/files_add.html
--- a/rhodecode/templates/files/files_add.html Thu Mar 21 21:12:03 2013 +0100
+++ b/rhodecode/templates/files/files_add.html Thu Mar 21 22:01:52 2013 +0100
@@ -51,7 +51,7 @@
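Review bot: The new `except (NodeError, NodeAlreadyExistsError), e:` uses the comma form of exception binding, which the `as` form available since Python 2.6 replaces and which does not survive a Python 3 port; `except (NodeError, NodeAlreadyExistsError) as e:` is equivalent here. If NodeAlreadyExistsError derives from NodeError in the vcs package (not visible on this page), the tuple can shrink to `except NodeError as e:`. The handler also flashes the exception object straight to the user through `_(e)`; since a NodeError message from the backend may carry repository-internal detail, logging the full message and flashing a shorter translated string would keep that out of the UI — a pre-existing line, so a follow-up rather than a blocker.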