diff --git a/rhodecode/model/forms.py b/rhodecode/model/forms.py --- a/rhodecode/model/forms.py +++ b/rhodecode/model/forms.py @@ -424,7 +424,8 @@ def PullRequestForm(repo_id): def GistForm(lifetime_options): class _GistForm(formencode.Schema): - filename = v.UnicodeString(strip=True, required=False) + filename = All(v.BasePath()(), + v.UnicodeString(strip=True, required=False)) description = v.UnicodeString(required=False, if_missing='') lifetime = v.OneOf(lifetime_options) content = v.UnicodeString(required=True, not_empty=True) diff --git a/rhodecode/model/gist.py b/rhodecode/model/gist.py --- a/rhodecode/model/gist.py +++ b/rhodecode/model/gist.py @@ -120,6 +120,9 @@ class GistModel(BaseModel): processed_mapping = {} for filename in gist_mapping: + if filename != os.path.basename(filename): + raise Exception('Filename cannot be inside a directory') + content = gist_mapping[filename]['content'] #TODO: expand support for setting explicit lexers # if lexer is None: diff --git a/rhodecode/model/validators.py b/rhodecode/model/validators.py --- a/rhodecode/model/validators.py +++ b/rhodecode/model/validators.py @@ -768,7 +768,8 @@ def ValidIp(): messages = dict( badFormat=_('Please enter a valid IPv4 or IpV6 address'), illegalBits=_('The network size (bits) must be within the range' - ' of 0-32 (not %(bits)r)')) + ' of 0-32 (not %(bits)r)') + ) def to_python(self, value, state): v = super(_validator, self).to_python(value, state) @@ -800,10 +801,27 @@ def FieldKey(): class _validator(formencode.validators.FancyValidator): messages = dict( badFormat=_('Key name can only consist of letters, ' - 'underscore, dash or numbers'),) + 'underscore, dash or numbers') + ) def validate_python(self, value, state): if not re.match('[a-zA-Z0-9_-]+$', value): raise formencode.Invalid(self.message('badFormat', state), value, state) return _validator + + +def BasePath(): + class _validator(formencode.validators.FancyValidator): + messages = dict( + badPath=_('Filename cannot be inside a directory') + ) + + def _to_python(self, value, state): + return value + + def validate_python(self, value, state): + if value != os.path.basename(value): + raise formencode.Invalid(self.message('badPath', state), + value, state) + return _validator diff --git a/rhodecode/tests/functional/test_admin_gists.py b/rhodecode/tests/functional/test_admin_gists.py --- a/rhodecode/tests/functional/test_admin_gists.py +++ b/rhodecode/tests/functional/test_admin_gists.py @@ -75,6 +75,16 @@ class TestGistsController(TestController response.mustcontain('gist test') response.mustcontain('