validators: apply username validator to prevent bad values being searched in the DB, and potential XSS payload sent via validators.
super-admin -
r4706:732ede7c stable
@@ -22,6 +22,7 b''
22 22 import colander
23 23 import deform.widget
24 24
25 from rhodecode.model.validation_schema.utils import username_converter
25 26 from rhodecode.translation import _
26 27 from rhodecode.model.validation_schema import validators, preparers, types
27 28
@@ -120,6 +121,7 b' def deferred_repo_group_owner_validator('
120 121
121 122 def repo_owner_validator(node, value):
122 123 from rhodecode.model.db import User
124 value = username_converter(value)
123 125 existing = User.get_by_username(value)
124 126 if not existing:
125 127 msg = _(u'Repo group owner with id `{}` does not exists').format(
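Review bot: Rebinding `value` on the added line changes only the `get_by_username` lookup that follows; colander ignores what a validator does to its local `value`, so as far as these lines show the schema still hands the original, unstripped input to whatever consumes it, and the lookup can succeed for an input that differs from a stored username only by the stripped characters. If the intent is to stop such values at the schema, reject instead of rewriting: `if username_converter(value) != value:` / `raise colander.Invalid(node, _(u'Username contains disallowed characters'))` before the lookup. If the intent is to normalise the value, a colander `preparer` on the node is the mechanism that actually alters the deserialized value. The identical additions in repo_owner_validator and owner_validator below have the same issue. repo_owner_validator continues beyond this hunk.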
@@ -22,7 +22,7 b' import colander'
22 22 import deform.widget
23 23
24 24 from rhodecode.translation import _
25 from rhodecode.model.validation_schema.utils import convert_to_optgroup
25 from rhodecode.model.validation_schema.utils import convert_to_optgroup, username_converter
26 26 from rhodecode.model.validation_schema import validators, preparers, types
27 27
28 28 DEFAULT_LANDING_REF = 'rev:tip'
@@ -55,6 +55,7 b' def deferred_repo_owner_validator(node, '
55 55
56 56 def repo_owner_validator(node, value):
57 57 from rhodecode.model.db import User
58 value = username_converter(value)
58 59 existing = User.get_by_username(value)
59 60 if not existing:
60 61 msg = _(u'Repo owner with id `{}` does not exists').format(value)
@@ -21,6 +21,7 b' import re'
21 21 import colander
22 22
23 23 from rhodecode.model.validation_schema import types, validators
24 from rhodecode.model.validation_schema.utils import username_converter
24 25 from rhodecode.translation import _
25 26
26 27
@@ -43,6 +44,7 b' def deferred_user_group_owner_validator('
43 44
44 45 def owner_validator(node, value):
45 46 from rhodecode.model.db import User
47 value = username_converter(value)
46 48 existing = User.get_by_username(value)
47 49 if not existing:
48 50 msg = _(u'User group owner with id `{}` does not exists').format(value)
@@ -47,3 +47,10 b' def convert_to_optgroup(items):'
47 47 result.append((value, label))
48 48
49 49 return result
50
51
52 def username_converter(value):
53 for noise in ('/', ',', '*', '"', "'", '<', '>', '(', ')', '[', ']', ';'):
54 value = value.replace(noise, '')
55
56 return value
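Review bot: username_converter is a denylist that silently drops characters, so it does not define which values are acceptable, and a docstring should say so, e.g. `"""Strip characters that must never appear in a username before it is used in a DB lookup. This is lookup hygiene, not validation; callers must still escape output."""`. The protection against markup in the error messages ultimately rests on template output escaping, and an allow-list pattern in the schema's `validators` module would let the owner validators reject bad input with an explicit error rather than look up a rewritten value. `value.replace` also assumes a string; the function raises AttributeError on anything else, which is acceptable if callers only pass deserialized strings but deserves a comment. Hoisting the tuple to a module constant such as `USERNAME_NOISE_CHARS` would give the three call sites one shared definition.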