Improve invalid path error handling, and escape single quotes in JS (#1174)
parent
fa475d8b12
commit
1ce6fd1d55
|
@ -341,17 +341,17 @@
|
||||||
<input type="submit" value="{{ _("Attach") }}" title="{{ _("Attach") }}">
|
<input type="submit" value="{{ _("Attach") }}" title="{{ _("Attach") }}">
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</form>
|
</form>
|
||||||
<form action="/files/rename" method="post" class="file-rename" onsubmit="var new_file_name = prompt('{{ _("Enter new file name for: %(file_name)s", file_name=file["name"]) }}', '{{ file['name'] }}'); if (new_file_name === null) event.preventDefault(); document.getElementById('new_file_name_{{ subdir }}_{{ loop.index }}').value = new_file_name;">
|
<form action="/files/rename" method="post" class="file-rename" onsubmit="var new_file_name = prompt('{{ _("Enter a new file name:") }}', '{{ file["name"]|replace("'", "\\'") }}'); if (new_file_name === null) event.preventDefault(); document.getElementById('new_file_name_{{ subdir }}_{{ loop.index }}').value = new_file_name;">
|
||||||
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
||||||
<input name="new_file_name" id="new_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
|
<input name="new_file_name" id="new_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
|
||||||
<input type="submit" value="{{ _("Rename") }}" title="{{ _("Rename") }}">
|
<input type="submit" value="{{ _("Rename") }}" title="{{ _("Rename") }}">
|
||||||
</form>
|
</form>
|
||||||
<form action="/files/copy" method="post" class="file-copy" onsubmit="var copy_file_name = prompt('{{ _("Save copy of %(file_name)s as:", file_name=file["name"]) }}', '{{ file['name'] }}'); if (copy_file_name === null) event.preventDefault(); document.getElementById('copy_file_name_{{ subdir }}_{{ loop.index }}').value = copy_file_name;">
|
<form action="/files/copy" method="post" class="file-copy" onsubmit="var copy_file_name = prompt('{{ _("Enter a file name for the copy:") }}', '{{ file["name"]|replace("'", "\\'") }}'); if (copy_file_name === null) event.preventDefault(); document.getElementById('copy_file_name_{{ subdir }}_{{ loop.index }}').value = copy_file_name;">
|
||||||
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
||||||
<input name="copy_file_name" id="copy_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
|
<input name="copy_file_name" id="copy_file_name_{{ subdir }}_{{ loop.index }}" type="hidden" value="">
|
||||||
<input type="submit" value="{{ _("Copy") }}" title="{{ _("Copy") }}">
|
<input type="submit" value="{{ _("Copy") }}" title="{{ _("Copy") }}">
|
||||||
</form>
|
</form>
|
||||||
<form action="/files/delete" method="post" class="file-delete" onsubmit="return confirm('{{ _("Delete file: %(file_name)s?", file_name=file["name"]) }}')">
|
<form action="/files/delete" method="post" class="file-delete" onsubmit="return confirm('{{ _("Delete file: %(file_name)s?", file_name=file["name"]|replace("'", "\\'")) }}')">
|
||||||
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
<input name="file_name" type="hidden" value="{{ file['name'] }}">
|
||||||
<input type="submit" value="{{ _("Delete") }}" title="{{ _("Delete") }}">
|
<input type="submit" value="{{ _("Delete") }}" title="{{ _("Delete") }}">
|
||||||
</form>
|
</form>
|
||||||
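Review bot: The `replace("'", "\\'")` filter added on the rename, copy and delete handlers does not escape backslashes, so a file name ending in `\` still terminates the JavaScript string early, and a name of the form `\';…//` (backslash, then quote) defeats the new quoting and runs inside the inline `onsubmit`. Escape the backslash first, in all three places: `{{ file["name"]|replace("\\", "\\\\")|replace("'", "\\'") }}`; HTML autoescaping of the attribute value does not help here because the browser decodes `&#39;` back to `'` before the handler is parsed. A newline inside a name would still turn the handler into a syntax error, which breaks the button rather than injects code. If the template allows it, a more robust approach is to carry the name in a `data-` attribute and build the prompt from an external script (which also lets the UI drop `unsafe-inline` from a CSP), or to use the `tojson` filter inside a single-quoted attribute.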
|
|
|
@ -300,11 +300,17 @@ def is_safe_path(file_name):
|
||||||
Returns True if the path is safe
|
Returns True if the path is safe
|
||||||
Returns False if the path is either absolute, or tries to traverse the file system
|
Returns False if the path is either absolute, or tries to traverse the file system
|
||||||
"""
|
"""
|
||||||
if file_name.is_absolute() or ".." in str(file_name) or str(file_name)[0] == "~":
|
error_message = ""
|
||||||
return {
|
if file_name.is_absolute():
|
||||||
"status": False,
|
error_message = _("Path must not be absolute")
|
||||||
"msg": _("No permission to use path '%(file_name)s'", file_name=file_name),
|
elif "../" in str(file_name):
|
||||||
}
|
error_message = _("Path must not traverse the file system")
|
||||||
|
elif str(file_name)[0] == "~":
|
||||||
|
error_message = _("Path must not start in the home directory")
|
||||||
|
|
||||||
|
if error_message:
|
||||||
|
logging.error("Not an allowed path: %s", str(file_name))
|
||||||
|
return {"status": False, "msg": error_message}
|
||||||
|
|
||||||
return {"status": True, "msg": ""}
|
return {"status": True, "msg": ""}
|
||||||
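Review bot: Narrowing the traversal check from `".."` to `"../"` in the new `elif` lets a path whose last component is `..` through: `Path("..")` and `Path("images/..")` contain no `../` yet resolve to the parent directory once joined to the base, so they now return `status: True` where the old check rejected them. Test the components instead of the string, `elif ".." in file_name.parts:`, which also keeps legitimate names such as `disk..hda` allowed, presumably the reason for the change. The check remains purely lexical, so symlinks under the images directory are not covered, same as before. The `def` line of `is_safe_path` and the start of its docstring sit above the hunk.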
|
|
||||||
|
|