changeset 3846:2576a20d94ca beta

Gist: don't allow files inside directories when creating gists
author Marcin Kuzminski <marcin@python-works.com>
date Sun, 12 May 2013 00:41:38 +0200
parents 0a023c381350
children bec04f371579
files rhodecode/model/forms.py rhodecode/model/gist.py rhodecode/model/validators.py rhodecode/tests/functional/test_admin_gists.py
diffstat 4 files changed, 35 insertions(+), 3 deletions(-) [+]
--- a/rhodecode/model/forms.py	Sun May 12 00:26:47 2013 +0200
+++ b/rhodecode/model/forms.py	Sun May 12 00:41:38 2013 +0200
@@ -424,7 +424,8 @@
 def GistForm(lifetime_options):
     class _GistForm(formencode.Schema):
 
-        filename = v.UnicodeString(strip=True, required=False)
+        filename = All(v.BasePath()(),
+                       v.UnicodeString(strip=True, required=False))
         description = v.UnicodeString(required=False, if_missing='')
         lifetime = v.OneOf(lifetime_options)
         content = v.UnicodeString(required=True, not_empty=True)
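Review bot: The order in which the two validators inside `All(...)` run is not obvious from the new lines: if I recall formencode correctly, `All.to_python` applies its validators in reverse list order, so `UnicodeString` strips first and `BasePath` then sees the stripped value. A short comment such as `# All() runs to_python right-to-left: strip, then reject directory components` would save the next reader a trip to the formencode source. Because `filename` stays `required=False`, an empty field presumably reaches `BasePath` as an empty value, which `FancyValidator` passes through without calling `validate_python`; that is fine for this form but worth stating. The `_GistForm` class continues outside the hunk.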
--- a/rhodecode/model/gist.py	Sun May 12 00:26:47 2013 +0200
+++ b/rhodecode/model/gist.py	Sun May 12 00:41:38 2013 +0200
@@ -120,6 +120,9 @@
 
         processed_mapping = {}
         for filename in gist_mapping:
+            if filename != os.path.basename(filename):
+                raise Exception('Filename cannot be inside a directory')
+
             content = gist_mapping[filename]['content']
             #TODO: expand support for setting explicit lexers
 #             if lexer is None:
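Review bot: The added comparison only rejects names that differ from their basename, so `.` and `..` pass (`os.path.basename('..')` is `'..'`), and on POSIX a backslash is not a separator, so `..\foo` passes too; the same test is repeated in `BasePath.validate_python` in validators.py. A stricter guard would be `if filename in ('.', '..') or '/' in filename or '\\' in filename:` with the raise unchanged. Raising a bare `Exception` also stops callers from catching this case specifically; a `ValueError` (or the project's own error type) would be clearer. How a dot entry behaves once the mapping is committed is not visible here, and the enclosing method starts outside the hunk.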
--- a/rhodecode/model/validators.py	Sun May 12 00:26:47 2013 +0200
+++ b/rhodecode/model/validators.py	Sun May 12 00:41:38 2013 +0200
@@ -768,7 +768,8 @@
         messages = dict(
             badFormat=_('Please enter a valid IPv4 or IpV6 address'),
             illegalBits=_('The network size (bits) must be within the range'
-                ' of 0-32 (not %(bits)r)'))
+                ' of 0-32 (not %(bits)r)')
+        )
 
         def to_python(self, value, state):
             v = super(_validator, self).to_python(value, state)
@@ -800,10 +801,27 @@
     class _validator(formencode.validators.FancyValidator):
         messages = dict(
             badFormat=_('Key name can only consist of letters, '
-                        'underscore, dash or numbers'),)
+                        'underscore, dash or numbers')
+        )
 
         def validate_python(self, value, state):
             if not re.match('[a-zA-Z0-9_-]+$', value):
                 raise formencode.Invalid(self.message('badFormat', state),
                                          value, state)
     return _validator
+
+
+def BasePath():
+    class _validator(formencode.validators.FancyValidator):
+        messages = dict(
+            badPath=_('Filename cannot be inside a directory')
+        )
+
+        def _to_python(self, value, state):
+            return value
+
+        def validate_python(self, value, state):
+            if value != os.path.basename(value):
+                raise formencode.Invalid(self.message('badPath', state),
+                                         value, state)
+    return _validator
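Review bot: `BasePath` has no docstring, and its `badPath` message duplicates the literal raised in gist.py, so the two strings can drift apart; a one-line docstring such as `"""Validator that rejects a filename containing any directory component."""` would at least document the intent. The `_to_python` override on the new lines returns its input unchanged, which appears to be what `FancyValidator` already does, so it can be dropped. The check relies on `os` being imported at the top of validators.py, which this hunk does not show.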
--- a/rhodecode/tests/functional/test_admin_gists.py	Sun May 12 00:26:47 2013 +0200
+++ b/rhodecode/tests/functional/test_admin_gists.py	Sun May 12 00:41:38 2013 +0200
@@ -75,6 +75,16 @@
         response.mustcontain('gist test')
         response.mustcontain('<div class="ui-btn green badge">Public gist</div>')
 
+    def test_create_with_path_with_dirs(self):
+        self.log_user()
+        response = self.app.post(url('gists'),
+                                 params={'lifetime': -1,
+                                         'content': 'gist test',
+                                         'filename': '/home/foo',
+                                         'public': 'public'},
+                                 status=200)
+        response.mustcontain('Filename cannot be inside a directory')
+
     def test_access_expired_gist(self):
         self.log_user()
         gist = _create_gist('never-see-me')
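Review bot: `test_create_with_path_with_dirs` covers only an absolute path with a forward slash; a relative `foo/bar` and, once the validator handles them, the `..` and backslash forms would pin the rule down better. The assertion only checks that the error text is rendered, so a second check that no gist was stored (if the test module has a lookup helper for that) would make the negative case stronger. This test method is complete within the hunk.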