PublicSnapshot
/
tubesync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add check against folders outside of DOWNLOAD_ROOT

This commit is contained in:
KuhnChris 2023-02-11 20:42:59 +01:00
parent b8434ff444
commit 844d17006e
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
tubesync/sync/views.py
View File

@ -7,12 +7,14 @@ from django.views.generic import TemplateView, ListView, DetailView
from django.views.generic.edit import (FormView, FormMixin, CreateView, UpdateView, from django.views.generic.edit import (FormView, FormMixin, CreateView, UpdateView,
DeleteView) DeleteView)
from django.views.generic.detail import SingleObjectMixin from django.views.generic.detail import SingleObjectMixin
from django.core.exceptions import SuspiciousFileOperation
from django.http import HttpResponse from django.http import HttpResponse
from django.urls import reverse_lazy from django.urls import reverse_lazy
from django.db import IntegrityError from django.db import IntegrityError
from django.db.models import Q, Count, Sum, When, Case from django.db.models import Q, Count, Sum, When, Case
from django.forms import ValidationError from django.forms import Form, ValidationError
from django.utils.text import slugify from django.utils.text import slugify
from django.utils._os import safe_join
from django.utils import timezone from django.utils import timezone
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from common.utils import append_uri_params from common.utils import append_uri_params
@ -279,20 +281,35 @@ class EditSourceMixin:
'invalid_media_format': _('Invalid media format, the media format contains ' 'invalid_media_format': _('Invalid media format, the media format contains '
'errors or is empty. Check the table at the end of ' 'errors or is empty. Check the table at the end of '
'this page for valid media name variables'), 'this page for valid media name variables'),
'dir_outside_dlroot': _('You cannot specify a directory outside of the '
'base directory (%BASEDIR%)')
} }
def form_valid(self, form): def form_valid(self, form: Form):
# Perform extra validation to make sure the media_format is valid # Perform extra validation to make sure the media_format is valid
obj = form.save(commit=False) obj = form.save(commit=False)
source_type = form.cleaned_data['media_format'] source_type = form.cleaned_data['media_format']
example_media_file = obj.get_example_media_format() example_media_file = obj.get_example_media_format()
if example_media_file == '': if example_media_file == '':
form.add_error( form.add_error(
'media_format', 'media_format',
ValidationError(self.errors['invalid_media_format']) ValidationError(self.errors['invalid_media_format'])
) )
# Check for suspicious file path(s)
try:
targetCheck = form.cleaned_data['directory']+"/.virt"
newdir = safe_join(settings.DOWNLOAD_ROOT,targetCheck)
except SuspiciousFileOperation:
form.add_error(
'directory',
ValidationError(self.errors['dir_outside_dlroot'].replace("%BASEDIR%",str(settings.DOWNLOAD_ROOT)))
)
if form.errors: if form.errors:
return super().form_invalid(form) return super().form_invalid(form)
return super().form_valid(form) return super().form_valid(form)