Changeset - 328eb707fe3f
Parent rev.
Child rev.
[Not reviewed]
beta
0 2 0
Marcin Kuzminski - 13 years ago 2013-03-21 22:01:52
marcin@python-works.com
added more strict checks for file path in add file controller
2 files changed with 12 insertions and 6 deletions:
rhodecode/controllers/files.py
11
5
rhodecode/templates/files/files_add.html
1
1
0 comments (0 inline, 0 general)
rhodecode/controllers/files.py
Show inline comments
 
@@ -311,125 +311,131 @@ class FilesController(BaseRepoController
 
            if content == old_content:
 
                h.flash(_('No changes'),
 
                    category='warning')
 
                return redirect(url('changeset_home', repo_name=c.repo_name,
 
                                    revision='tip'))
 
            try:
 
                self.scm_model.commit_change(repo=c.rhodecode_repo,
 
                                             repo_name=repo_name, cs=c.cs,
 
                                             user=self.rhodecode_user.user_id,
 
                                             author=author, message=message,
 
                                             content=content, f_path=f_path)
 
                h.flash(_('Successfully committed to %s') % f_path,
 
                        category='success')
 

			




	
	
	
		
 
            except Exception:

			




	
	
	
		
 
                log.error(traceback.format_exc())

			




	
	
	
		
 
                h.flash(_('Error occurred during commit'), category='error')

			




	
	
	
		
 
            return redirect(url('changeset_home',

			




	
	
	
		
 
                                repo_name=c.repo_name, revision='tip'))

			




	
	
	
		
 

			




	
	
	
		
 
        return render('files/files_edit.html')

			




	
	
	
		
 

			




	
	
	
		
 
    @LoginRequired()

			




	
	
	
		
 
    @HasRepoPermissionAnyDecorator('repository.write', 'repository.admin')

			




	
	
	
		
 
    def add(self, repo_name, revision, f_path):

			




	
	
	
		
 

			




	
	
	
		
 
        repo = Repository.get_by_repo_name(repo_name)

			




	
	
	
		
 
        if repo.enable_locking and repo.locked[0]:

			




	
	
	
		
 
            h.flash(_('This repository is has been locked by %s on %s')

			




	
	
	
		
 
                % (h.person_by_id(repo.locked[0]),

			




	
	
	
		
 
                   h.fmt_date(h.time_to_datetime(repo.locked[1]))),

			




	
	
	
		
 
                  'warning')

			




	
	
	
		
 
            return redirect(h.url('files_home',

			




	
	
	
		
 
                                  repo_name=repo_name, revision='tip'))

			




	
	
	
		
 

			




	
	
	
		
 
        r_post = request.POST

			




	
	
	
		
 
        c.cs = self.__get_cs_or_redirect(revision, repo_name,

			




	
	
	
		
 
                                         redirect_after=False)

			




	
	
	
		
 
        if c.cs is None:

			




	
	
	
		
 
            c.cs = EmptyChangeset(alias=c.rhodecode_repo.alias)

			




	
	
	
		
 
        c.default_message = (_('Added file via RhodeCode'))

			




	
	
	
		
 
        c.f_path = f_path

			




	
	
	
		
 

			




	
	
	
		
 
        if r_post:

			




	
	
	
		
 
            unix_mode = 0

			




	
	
	
		
 
            content = convert_line_endings(r_post.get('content'), unix_mode)

			




	
	
	
		
 

			




	
	
	
		
 
            message = r_post.get('message') or c.default_message

			




	
	
	
		
 
            filename = r_post.get('filename')

			




	
	
	
		
 
            location = r_post.get('location')

			




	
	
	
		
 
            filename = r_post.get('filename')

			




	
	
	
		
 
            file_obj = r_post.get('upload_file', None)

			




	
	
	
		
 

			




	
	
	
		
 
            if file_obj is not None and hasattr(file_obj, 'filename'):

			




	
	
	
		
 
                filename = file_obj.filename

			




	
	
	
		
 
                content = file_obj.file

			




	
	
	
		
 

			




	
	
	
		
 
            node_path = os.path.join(location, filename)

			




	
	
	
		
 
            author = self.rhodecode_user.full_contact

			




	
	
	
		
 

			




	
	
	
		
 
            if not content:

			




	
	
	
		
 
                h.flash(_('No content'), category='warning')

			




	
	
	
		
 
                return redirect(url('changeset_home', repo_name=c.repo_name,

			




	
	
	
		
 
                                    revision='tip'))

			




	
	
	
		
 
            if not filename:

			




	
	
	
		
 
                h.flash(_('No filename'), category='warning')

			




	
	
	
		
 
                return redirect(url('changeset_home', repo_name=c.repo_name,

			




	
	
	
		
 
                                    revision='tip'))

			




	
	
	
		
 
            if location.startswith('/') or location.startswith('.') or '../' in location:

			




	
	
	
		
 
                h.flash(_('location must be relative path and must not '

			




	
	
	
		
 
                          'contain .. in path'), category='warning')

			




	
	
	
		
 
                return redirect(url('changeset_home', repo_name=c.repo_name,

			




	
	
	
		
 
                                    revision='tip'))

			




	
	
	
		
 
            location = os.path.normpath(location)

			




	
	
	
		
 
            filename = os.path.basename(filename)

			




	
	
	
		
 
            node_path = os.path.join(location, filename)

			




	
	
	
		
 
            author = self.rhodecode_user.full_contact

			




	
	
	
		
 

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                self.scm_model.create_node(repo=c.rhodecode_repo,

			




	
	
	
		
 
                                           repo_name=repo_name, cs=c.cs,

			




	
	
	
		
 
                                           user=self.rhodecode_user.user_id,

			




	
	
	
		
 
                                           author=author, message=message,

			




	
	
	
		
 
                                           content=content, f_path=node_path)

			




	
	
	
		
 
                h.flash(_('Successfully committed to %s') % node_path,

			




	
	
	
		
 
                        category='success')

			




	
	
	
		
 
            except NodeAlreadyExistsError, e:

			




	
	
	
		
 
            except (NodeError, NodeAlreadyExistsError), e:

			




	
	
	
		
 
                h.flash(_(e), category='error')

			




	
	
	
		
 
            except Exception:

			




	
	
	
		
 
                log.error(traceback.format_exc())

			




	
	
	
		
 
                h.flash(_('Error occurred during commit'), category='error')

			




	
	
	
		
 
            return redirect(url('changeset_home',

			




	
	
	
		
 
                                repo_name=c.repo_name, revision='tip'))

			




	
	
	
		
 

			




	
	
	
		
 
        return render('files/files_add.html')

			




	
	
	
		
 

			




	
	
	
		
 
    @LoginRequired()

			




	
	
	
		
 
    @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',

			




	
	
	
		
 
                                   'repository.admin')

			




	
	
	
		
 
    def archivefile(self, repo_name, fname):

			




	
	
	
		
 

			




	
	
	
		
 
        fileformat = None

			




	
	
	
		
 
        revision = None

			




	
	
	
		
 
        ext = None

			




	
	
	
		
 
        subrepos = request.GET.get('subrepos') == 'true'

			




	
	
	
		
 

			




	
	
	
		
 
        for a_type, ext_data in settings.ARCHIVE_SPECS.items():

			




	
	
	
		
 
            archive_spec = fname.split(ext_data[1])

			




	
	
	
		
 
            if len(archive_spec) == 2 and archive_spec[1] == '':

			




	
	
	
		
 
                fileformat = a_type or ext_data[1]

			




	
	
	
		
 
                revision = archive_spec[0]

			




	
	
	
		
 
                ext = ext_data[1]

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            dbrepo = RepoModel().get_by_repo_name(repo_name)

			




	
	
	
		
 
            if dbrepo.enable_downloads is False:

			




	
	
	
		
 
                return _('downloads disabled')

			




	
	
	
		
 

			




	
	
	
		
 
            if c.rhodecode_repo.alias == 'hg':

			




	
	
	
		
 
                # patch and reset hooks section of UI config to not run any

			




	
	
	
		
 
                # hooks on fetching archives with subrepos

			




	
	
	
		
 
                for k, v in c.rhodecode_repo._repo.ui.configitems('hooks'):

			




	
	
	
		
 
                    c.rhodecode_repo._repo.ui.setconfig('hooks', k, None)

			




	
	
	
		
 

			




	
	
	
		
 
            cs = c.rhodecode_repo.get_changeset(revision)

			




	
	
	
		
 
            content_type = settings.ARCHIVE_SPECS[fileformat][0]

			




	
	
	
		
 
        except ChangesetDoesNotExistError:

			




	
	
	
		
 
            return _('Unknown revision %s') % revision

			




	
	
	
		
 
        except EmptyRepositoryError:

			




	
	
	
		
 
            return _('Empty repository')

			




	
	
	
		
 
        except (ImproperArchiveTypeError, KeyError):

			




	
	
	
		
 
            return _('Unknown archive type')

			




	
	
	
		
 
        # archive cache

			




	
	
	
		
 
        from rhodecode import CONFIG

			




	
	
	
		
 
        rev_name = cs.raw_id[:12]

			




        

    


    
    

    

        

                

                    rhodecode/templates/files/files_add.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -6,87 +6,87 @@

			




	
	
	
		
 

			




	
	
	
		
 
<%def name="js_extra()">

			




	
	
	
		
 
<script type="text/javascript" src="${h.url('/js/codemirror.js')}"></script>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 
<%def name="css_extra()">

			




	
	
	
		
 
<link rel="stylesheet" type="text/css" href="${h.url('/css/codemirror.css')}"/>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 
<%def name="breadcrumbs_links()">

			




	
	
	
		
 
    ${h.link_to(_(u'Home'),h.url('/'))}

			




	
	
	
		
 
    &raquo;

			




	
	
	
		
 
    ${h.link_to(c.repo_name,h.url('summary_home',repo_name=c.repo_name))}

			




	
	
	
		
 
    &raquo;

			




	
	
	
		
 
    ${_('add file')} @ R${c.cs.revision}:${h.short_id(c.cs.raw_id)}

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 
<%def name="page_nav()">

			




	
	
	
		
 
    ${self.menu('files')}

			




	
	
	
		
 
</%def>

			




	
	
	
		
 
<%def name="main()">

			




	
	
	
		
 
<div class="box">

			




	
	
	
		
 
    <!-- box / title -->

			




	
	
	
		
 
    <div class="title">

			




	
	
	
		
 
        ${self.breadcrumbs()}

			




	
	
	
		
 
        <ul class="links">

			




	
	
	
		
 
            <li>

			




	
	
	
		
 
              <span style="text-transform: uppercase;">

			




	
	
	
		
 
              <a href="#">${_('branch')}: ${c.cs.branch}</a></span>

			




	
	
	
		
 
            </li>

			




	
	
	
		
 
        </ul>

			




	
	
	
		
 
    </div>

			




	
	
	
		
 
    <div class="table">

			




	
	
	
		
 
        <div id="files_data">

			




	
	
	
		
 
          ${h.form(h.url.current(),method='post',id='eform',enctype="multipart/form-data")}

			




	
	
	
		
 
            <h3>${_('Add new file')}</h3>

			




	
	
	
		
 
            <div class="form">

			




	
	
	
		
 
              <div class="fields">

			




	
	
	
		
 
                  <div id="filename_container" class="field file">

			




	
	
	
		
 
                      <div class="label">

			




	
	
	
		
 
                          <label for="filename">${_('File Name')}:</label>

			




	
	
	
		
 
                      </div>

			




	
	
	
		
 
                      <div class="input">

			




	
	
	
		
 
                          <input type="text" value="" size="30" name="filename" id="filename">

			




	
	
	
		
 
                          ${_('or')} <span class="ui-btn" id="upload_file_enable">${_('Upload file')}</span>

			




	
	
	
		
 
                      </div>

			




	
	
	
		
 
                  </div>

			




	
	
	
		
 
                  <div id="upload_file_container" class="field" style="display:none">

			




	
	
	
		
 
                    <div class="label">

			




	
	
	
		
 
                        <label for="location">${_('Upload file')}</label>

			




	
	
	
		
 
                        <label for="upload_file_container">${_('Upload file')}</label>

			




	
	
	
		
 
                    </div>

			




	
	
	
		
 
                    <div class="file">

			




	
	
	
		
 
                        <input type="file"  size="30" name="upload_file" id="upload_file">

			




	
	
	
		
 
                        ${_('or')} <span class="ui-btn" id="file_enable">${_('Create new file')}</span>

			




	
	
	
		
 
                    </div>

			




	
	
	
		
 
                  </div>

			




	
	
	
		
 
                   <div class="field">

			




	
	
	
		
 
                      <div class="label">

			




	
	
	
		
 
                          <label for="location">${_('Location')}</label>

			




	
	
	
		
 
                      </div>

			




	
	
	
		
 
                      <div class="input">

			




	
	
	
		
 
                          <input type="text" value="${c.f_path}" size="30" name="location" id="location">

			




	
	
	
		
 
                          ${_('use / to separate directories')}

			




	
	
	
		
 
                      </div>

			




	
	
	
		
 
                   </div>

			




	
	
	
		
 
              </div>

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
            <div id="body" class="codeblock">

			




	
	
	
		
 
                <div id="editor_container">

			




	
	
	
		
 
                    <pre id="editor_pre"></pre>

			




	
	
	
		
 
                    <textarea id="editor" name="content" style="display:none"></textarea>

			




	
	
	
		
 
                </div>

			




	
	
	
		
 
                <div style="padding: 10px;color:#666666">${_('commit message')}</div>

			




	
	
	
		
 
                <textarea id="commit" name="message" style="height: 100px;width: 99%;margin-left:4px" placeholder="${c.default_message}"></textarea>

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
            <div style="text-align: l;padding-top: 5px">

			




	
	
	
		
 
            ${h.submit('commit',_('Commit changes'),class_="ui-btn")}

			




	
	
	
		
 
            ${h.reset('reset',_('Reset'),class_="ui-btn")}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
            ${h.end_form()}

			




	
	
	
		
 
            <script type="text/javascript">

			




	
	
	
		
 
            var reset_url = "${h.url('files_home',repo_name=c.repo_name,revision=c.cs.raw_id,f_path=c.f_path)}";

			




	
	
	
		
 
            initCodeMirror('editor',reset_url);

			




	
	
	
		
 
            </script>

			




	
	
	
		
 
        </div>

			




	
	
	
		
 
    </div>

			




	
	
	
		
 
</div>

			




	
	
	
		
 
</%def>

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.