# HG changeset patch # User Marcin Kuzminski # Date 2017-10-10 08:46:54 # Node ID b40892156b6074248897c5a7b09e0362bde03b44 # Parent e8d12db88ec0c0feb92b26d283d26ba6de36d54b files: remove rigth-to-left override character for display in files. This allows faking the name a bit, we in this particular place want to skip the override for enhanced security. diff --git a/rhodecode/lib/vcs/nodes.py b/rhodecode/lib/vcs/nodes.py --- a/rhodecode/lib/vcs/nodes.py +++ b/rhodecode/lib/vcs/nodes.py @@ -114,7 +114,8 @@ class Node(object): only. Moreover, every single node is identified by the ``path`` attribute, so it cannot end with slash, too. Otherwise, path could lead to mistakes. """ - + RTLO_MARKER = u"\u202E" # RTLO marker allows swapping text, and certain + # security attacks could be used with this commit = None def __init__(self, path, kind): @@ -149,6 +150,20 @@ class Node(object): return safe_unicode(self.path) @LazyProperty + def has_rtlo(self): + """Detects if a path has right-to-left-override marker""" + return self.RTLO_MARKER in self.unicode_path + + @LazyProperty + def unicode_path_safe(self): + """ + Special SAFE representation of path without the right-to-left-override. + This should be only used for "showing" the file, cannot be used for any + urls etc. + """ + return safe_unicode(self.path).replace(self.RTLO_MARKER, '') + + @LazyProperty def dir_path(self): """ Returns name of the directory from full path of this vcs node. Empty diff --git a/rhodecode/templates/files/files_source.mako b/rhodecode/templates/files/files_source.mako --- a/rhodecode/templates/files/files_source.mako +++ b/rhodecode/templates/files/files_source.mako @@ -6,7 +6,7 @@ - ${c.file} + ${c.file.unicode_path_safe} % if c.lf_node:
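Review bot: `unicode_path_safe` removes only U+202E, yet other bidirectional controls (embeddings and overrides U+202A–U+202D, isolates U+2066–U+2069, marks U+200E/U+200F and U+061C) can also change the order in which a path renders, so a displayed name may still differ from the stored one. I would widen `RTLO_MARKER` from the first hunk into a set of such characters and strip them all, for instance `u''.join(ch for ch in self.unicode_path if ch not in self.BIDI_CONTROLS)`; `BIDI_CONTROLS` is a name I am proposing, not one in the file. Building on `self.unicode_path` also avoids the second `safe_unicode(self.path)` call and keeps `has_rtlo` and `unicode_path_safe` reading the same value. The class body continues outside both hunks, so other properties used for display may need the same treatment.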
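Review bot: The template now shows the stripped path but gives the viewer no sign that the stored name contains an override character; `has_rtlo`, added in nodes.py, is not used in any visible hunk. A conditional next to the name, e.g. `% if c.file.has_rtlo:` followed by a short warning label, would let a reviewer notice a file name that was built to mislead. The markup around this line appears to have been lost in extraction, so placement and escaping of the label need checking against the real template.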