validators: apply username validator to prevent bad values being searched in the DB, and a potential XSS payload being sent via validators.
super-admin -
r4706:732ede7c stable
@@ -22,6 +22,7 b''
22 import colander
22 import colander
23 import deform.widget
23 import deform.widget
24
24
25 from rhodecode.model.validation_schema.utils import username_converter
25 from rhodecode.translation import _
26 from rhodecode.translation import _
26 from rhodecode.model.validation_schema import validators, preparers, types
27 from rhodecode.model.validation_schema import validators, preparers, types
27
28
@@ -120,6 +121,7 b' def deferred_repo_group_owner_validator('
120
121
121 def repo_owner_validator(node, value):
122 def repo_owner_validator(node, value):
122 from rhodecode.model.db import User
123 from rhodecode.model.db import User
124 value = username_converter(value)
123 existing = User.get_by_username(value)
125 existing = User.get_by_username(value)
124 if not existing:
126 if not existing:
125 msg = _(u'Repo group owner with id `{}` does not exists').format(
127 msg = _(u'Repo group owner with id `{}` does not exists').format(
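Review bot: The stripped value on line 124 is only rebound locally inside the validator, so the existence check runs against the sanitized name while the value colander hands back to the caller is still the original input; an owner of `admin;` would pass this validator (found as `admin`) yet reach the application unchanged, unless the stripped value is written back somewhere not visible here. The same pattern appears in the `repo_owner_validator` hunk at @@ -55 and the `owner_validator` hunk at @@ -43. If the intent is to normalize, move `username_converter` into a colander preparer on the owner node (the file already imports `preparers`) so the schema output is the normalized value; if the intent is to reject, fail when the conversion changed anything, e.g. `if username_converter(value) != value: raise colander.Invalid(node, _(u'Owner name contains invalid characters'))`. The validator bodies in these hunks continue past the hunk end.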
@@ -22,7 +22,7 b' import colander'
22 import deform.widget
22 import deform.widget
23
23
24 from rhodecode.translation import _
24 from rhodecode.translation import _
25 from rhodecode.model.validation_schema.utils import convert_to_optgroup
25 from rhodecode.model.validation_schema.utils import convert_to_optgroup, username_converter
26 from rhodecode.model.validation_schema import validators, preparers, types
26 from rhodecode.model.validation_schema import validators, preparers, types
27
27
28 DEFAULT_LANDING_REF = 'rev:tip'
28 DEFAULT_LANDING_REF = 'rev:tip'
@@ -55,6 +55,7 b' def deferred_repo_owner_validator(node, '
55
55
56 def repo_owner_validator(node, value):
56 def repo_owner_validator(node, value):
57 from rhodecode.model.db import User
57 from rhodecode.model.db import User
58 value = username_converter(value)
58 existing = User.get_by_username(value)
59 existing = User.get_by_username(value)
59 if not existing:
60 if not existing:
60 msg = _(u'Repo owner with id `{}` does not exists').format(value)
61 msg = _(u'Repo owner with id `{}` does not exists').format(value)
@@ -21,6 +21,7 b' import re'
21 import colander
21 import colander
22
22
23 from rhodecode.model.validation_schema import types, validators
23 from rhodecode.model.validation_schema import types, validators
24 from rhodecode.model.validation_schema.utils import username_converter
24 from rhodecode.translation import _
25 from rhodecode.translation import _
25
26
26
27
@@ -43,6 +44,7 b' def deferred_user_group_owner_validator('
43
44
44 def owner_validator(node, value):
45 def owner_validator(node, value):
45 from rhodecode.model.db import User
46 from rhodecode.model.db import User
47 value = username_converter(value)
46 existing = User.get_by_username(value)
48 existing = User.get_by_username(value)
47 if not existing:
49 if not existing:
48 msg = _(u'User group owner with id `{}` does not exists').format(value)
50 msg = _(u'User group owner with id `{}` does not exists').format(value)
@@ -47,3 +47,10 b' def convert_to_optgroup(items):'
47 result.append((value, label))
47 result.append((value, label))
48
48
49 return result
49 return result
50
51
52 def username_converter(value):
53 for noise in ('/', ',', '*', '"', "'", '<', '>', '(', ')', '[', ']', ';'):
54 value = value.replace(noise, '')
55
56 return value
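Review bot: `username_converter` strips a fixed denylist of characters, so anything outside that list (for example `&`, backslash, whitespace or control characters) passes through unchanged and is still interpolated into the error messages in the calling validators; a denylist is a weak basis for the "prevent XSS payload" goal in the commit message. An allowlist that keeps only characters valid in a username is the usual shape, e.g. `return re.sub(r'[^\w.@-]', '', value)` with `import re` at file top (the character class should match the project's actual username rule, which is not visible here). The function also lacks a docstring; add `"""Strip characters that are never part of a username before a DB lookup."""`. Note that a non-string `value` (such as None) now raises AttributeError on `.replace`, whereas the callers previously passed it straight to `get_by_username` — whether callers can receive None is not visible in this diff.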