added more strict checks for file path in add file controller
marcink -
r3559:328eb707 beta
@@ -356,17 +356,14 b' class FilesController(BaseRepoController'
356 content = convert_line_endings(r_post.get('content'), unix_mode)
356 content = convert_line_endings(r_post.get('content'), unix_mode)
357
357
358 message = r_post.get('message') or c.default_message
358 message = r_post.get('message') or c.default_message
359 filename = r_post.get('filename')
359 location = r_post.get('location')
360 location = r_post.get('location')
360 filename = r_post.get('filename')
361 file_obj = r_post.get('upload_file', None)
361 file_obj = r_post.get('upload_file', None)
362
362
363 if file_obj is not None and hasattr(file_obj, 'filename'):
363 if file_obj is not None and hasattr(file_obj, 'filename'):
364 filename = file_obj.filename
364 filename = file_obj.filename
365 content = file_obj.file
365 content = file_obj.file
366
366
367 node_path = os.path.join(location, filename)
368 author = self.rhodecode_user.full_contact
369
370 if not content:
367 if not content:
371 h.flash(_('No content'), category='warning')
368 h.flash(_('No content'), category='warning')
372 return redirect(url('changeset_home', repo_name=c.repo_name,
369 return redirect(url('changeset_home', repo_name=c.repo_name,
@@ -375,6 +372,15 b' class FilesController(BaseRepoController'
375 h.flash(_('No filename'), category='warning')
372 h.flash(_('No filename'), category='warning')
376 return redirect(url('changeset_home', repo_name=c.repo_name,
373 return redirect(url('changeset_home', repo_name=c.repo_name,
377 revision='tip'))
374 revision='tip'))
375 if location.startswith('/') or location.startswith('.') or '../' in location:
376 h.flash(_('location must be relative path and must not '
377 'contain .. in path'), category='warning')
378 return redirect(url('changeset_home', repo_name=c.repo_name,
379 revision='tip'))
380 location = os.path.normpath(location)
381 filename = os.path.basename(filename)
382 node_path = os.path.join(location, filename)
383 author = self.rhodecode_user.full_contact
378
384
379 try:
385 try:
380 self.scm_model.create_node(repo=c.rhodecode_repo,
386 self.scm_model.create_node(repo=c.rhodecode_repo,
@@ -384,7 +390,7 b' class FilesController(BaseRepoController'
384 content=content, f_path=node_path)
390 content=content, f_path=node_path)
385 h.flash(_('Successfully committed to %s') % node_path,
391 h.flash(_('Successfully committed to %s') % node_path,
386 category='success')
392 category='success')
387 except NodeAlreadyExistsError, e:
393 except (NodeError, NodeAlreadyExistsError), e:
388 h.flash(_(e), category='error')
394 h.flash(_(e), category='error')
389 except Exception:
395 except Exception:
390 log.error(traceback.format_exc())
396 log.error(traceback.format_exc())
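Review bot: The new check at lines 375–380 inspects the raw `location` string before `os.path.normpath` runs on line 380, so it tests how the separators were spelled rather than the path that is actually joined; on a Windows host, where `ntpath` also treats backslashes as separators, a value such as `a\..\..` starts with neither `/` nor `.` and contains no `../`, yet normalizes to a parent directory. Normalizing first and then checking components is the more robust order: `location = os.path.normpath(location or '')` followed by `if os.path.isabs(location) or '..' in location.split(os.sep):`, keeping the existing flash-and-redirect branch as it is. The `or ''` also covers a missing form field, since `r_post.get('location')` can return None and `.startswith` on it would raise outside the `try` that only begins at line 385. If hidden directories are meant to stay disallowed, the original `startswith('.')` test can be kept alongside the component check. The enclosing method begins before the first hunk of this section.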
@@ -51,7 +51,7 b''
51 </div>
51 </div>
52 <div id="upload_file_container" class="field" style="display:none">
52 <div id="upload_file_container" class="field" style="display:none">
53 <div class="label">
53 <div class="label">
54 <label for="location">${_('Upload file')}</label>
54 <label for="upload_file_container">${_('Upload file')}</label>
55 </div>
55 </div>
56 <div class="file">
56 <div class="file">
57 <input type="file" size="30" name="upload_file" id="upload_file">
57 <input type="file" size="30" name="upload_file" id="upload_file">
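Review bot: The new `for` attribute on line 54 points at `upload_file_container`, which is the id of the wrapping `<div>` on line 52 rather than of a form control, so the label is still not associated with the file input. The input on line 57 carries `id="upload_file"`, so the line should read `<label for="upload_file">${_('Upload file')}</label>`.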