Changeset - 328eb707fe3f
[Not reviewed]
beta
Marcin Kuzminski - 13 years ago 2013-03-21 22:01:52
marcin@python-works.com
added more strict checks for file path in add file controller
2 files changed with 12 insertions and 6 deletions:
0 comments (0 inline, 0 general)
rhodecode/controllers/files.py
 
@@ -335,77 +335,83 @@ class FilesController(BaseRepoController
 
    def add(self, repo_name, revision, f_path):
 

	
 
        repo = Repository.get_by_repo_name(repo_name)
 
        if repo.enable_locking and repo.locked[0]:
 
            h.flash(_('This repository is has been locked by %s on %s')
 
                % (h.person_by_id(repo.locked[0]),
 
                   h.fmt_date(h.time_to_datetime(repo.locked[1]))),
 
                  'warning')
 
            return redirect(h.url('files_home',
 
                                  repo_name=repo_name, revision='tip'))
 

	
 
        r_post = request.POST
 
        c.cs = self.__get_cs_or_redirect(revision, repo_name,
 
                                         redirect_after=False)
 
        if c.cs is None:
 
            c.cs = EmptyChangeset(alias=c.rhodecode_repo.alias)
 
        c.default_message = (_('Added file via RhodeCode'))
 
        c.f_path = f_path
 

	
 
        if r_post:
 
            unix_mode = 0
 
            content = convert_line_endings(r_post.get('content'), unix_mode)
 

	
 
            message = r_post.get('message') or c.default_message
 
            filename = r_post.get('filename')
 
            location = r_post.get('location')
 
            filename = r_post.get('filename')
 
            file_obj = r_post.get('upload_file', None)
 

	
 
            if file_obj is not None and hasattr(file_obj, 'filename'):
 
                filename = file_obj.filename
 
                content = file_obj.file
 

	
 
            node_path = os.path.join(location, filename)
 
            author = self.rhodecode_user.full_contact
 

	
 
            if not content:
 
                h.flash(_('No content'), category='warning')
 
                return redirect(url('changeset_home', repo_name=c.repo_name,
 
                                    revision='tip'))
 
            if not filename:
 
                h.flash(_('No filename'), category='warning')
 
                return redirect(url('changeset_home', repo_name=c.repo_name,
 
                                    revision='tip'))
 
            if location.startswith('/') or location.startswith('.') or '../' in location:
 
                h.flash(_('location must be relative path and must not '
 
                          'contain .. in path'), category='warning')
 
                return redirect(url('changeset_home', repo_name=c.repo_name,
 
                                    revision='tip'))
 
            location = os.path.normpath(location)
 
            filename = os.path.basename(filename)
 
            node_path = os.path.join(location, filename)
 
            author = self.rhodecode_user.full_contact
 

	
 
            try:
 
                self.scm_model.create_node(repo=c.rhodecode_repo,
 
                                           repo_name=repo_name, cs=c.cs,
 
                                           user=self.rhodecode_user.user_id,
 
                                           author=author, message=message,
 
                                           content=content, f_path=node_path)
 
                h.flash(_('Successfully committed to %s') % node_path,
 
                        category='success')
 
            except NodeAlreadyExistsError, e:
 
            except (NodeError, NodeAlreadyExistsError), e:
 
                h.flash(_(e), category='error')
 
            except Exception:
 
                log.error(traceback.format_exc())
 
                h.flash(_('Error occurred during commit'), category='error')
 
            return redirect(url('changeset_home',
 
                                repo_name=c.repo_name, revision='tip'))
 

	
 
        return render('files/files_add.html')
 

	
 
    @LoginRequired()
 
    @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
 
                                   'repository.admin')
 
    def archivefile(self, repo_name, fname):
 

	
 
        fileformat = None
 
        revision = None
 
        ext = None
 
        subrepos = request.GET.get('subrepos') == 'true'
 

	
 
        for a_type, ext_data in settings.ARCHIVE_SPECS.items():
 
            archive_spec = fname.split(ext_data[1])
 
            if len(archive_spec) == 2 and archive_spec[1] == '':
 
                fileformat = a_type or ext_data[1]
 
                revision = archive_spec[0]
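Review bot: The new validation `if location.startswith('/') or location.startswith('.') or '../' in location:` dereferences `location` before anything guards against it being absent: `r_post.get('location')` yields None when the field is missing from the POST, and `None.startswith` raises AttributeError outside the `try`, so a malformed request gets a 500 rather than the flash-and-redirect the neighbouring `No content` / `No filename` checks give. Initialising it as `location = r_post.get('location') or ''`, or adding a `not location` branch beside the filename check, closes that. The `'../'` substring test is also separator-specific — a segment written as `..\` passes it, and should this controller ever run on Windows `os.path.normpath` would then collapse it — so a platform-independent check after the join, `if os.path.isabs(node_path) or node_path.startswith('..'):`, would be a sturdier guard than the string pattern alone. If both `filename = r_post.get('filename')` lines survive on the new side, one of them looks like a leftover of the reorder. `add` is fully inside the hunk; `archivefile`, which the hunk also opens, continues past it.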
rhodecode/templates/files/files_add.html
 
@@ -30,49 +30,49 @@
 
        <ul class="links">
 
            <li>
 
              <span style="text-transform: uppercase;">
 
              <a href="#">${_('branch')}: ${c.cs.branch}</a></span>
 
            </li>
 
        </ul>
 
    </div>
 
    <div class="table">
 
        <div id="files_data">
 
          ${h.form(h.url.current(),method='post',id='eform',enctype="multipart/form-data")}
 
            <h3>${_('Add new file')}</h3>
 
            <div class="form">
 
              <div class="fields">
 
                  <div id="filename_container" class="field file">
 
                      <div class="label">
 
                          <label for="filename">${_('File Name')}:</label>
 
                      </div>
 
                      <div class="input">
 
                          <input type="text" value="" size="30" name="filename" id="filename">
 
                          ${_('or')} <span class="ui-btn" id="upload_file_enable">${_('Upload file')}</span>
 
                      </div>
 
                  </div>
 
                  <div id="upload_file_container" class="field" style="display:none">
 
                    <div class="label">
 
                        <label for="location">${_('Upload file')}</label>
 
                        <label for="upload_file_container">${_('Upload file')}</label>
 
                    </div>
 
                    <div class="file">
 
                        <input type="file"  size="30" name="upload_file" id="upload_file">
 
                        ${_('or')} <span class="ui-btn" id="file_enable">${_('Create new file')}</span>
 
                    </div>
 
                  </div>
 
                   <div class="field">
 
                      <div class="label">
 
                          <label for="location">${_('Location')}</label>
 
                      </div>
 
                      <div class="input">
 
                          <input type="text" value="${c.f_path}" size="30" name="location" id="location">
 
                          ${_('use / to separate directories')}
 
                      </div>
 
                   </div>
 
              </div>
 
            </div>
 
            <div id="body" class="codeblock">
 
                <div id="editor_container">
 
                    <pre id="editor_pre"></pre>
 
                    <textarea id="editor" name="content" style="display:none"></textarea>
 
                </div>
 
                <div style="padding: 10px;color:#666666">${_('commit message')}</div>
 
                <textarea id="commit" name="message" style="height: 100px;width: 99%;margin-left:4px" placeholder="${c.default_message}"></textarea>
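Review bot: The hint `${_('use / to separate directories')}` beside the location input describes only the separator, while the controller behind this form rejects a location that starts with `/` or `.` or contains `../`; if that hint line belongs to this change, wording it as `${_('use / to separate directories; the path must be relative and must not contain ..')}` keeps the form's guidance in step with the server-side rule and spares the user a rejected round trip. The enclosing form element runs past the end of the section.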