assets: fix delete and overwrite with bad filename (#63221)
parent
db8c99228d
commit
17742635e5
|
@ -192,6 +192,10 @@ class AssetOverwrite(FormView):
|
|||
base_path = os.path.join(base_path, self.request.user.username)
|
||||
if not img_orig.startswith(base_path):
|
||||
raise PermissionDenied()
|
||||
try:
|
||||
os.stat(default_storage.path(img_orig))
|
||||
except ValueError:
|
||||
raise PermissionDenied()
|
||||
|
||||
upload = self.request.FILES['upload']
|
||||
|
||||
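Review bot: The added `except ValueError` around `os.stat(default_storage.path(img_orig))` only turns the embedded-null-byte case into a 403; a name that passes the `startswith` check but does not exist raises `FileNotFoundError`, and a name that `default_storage.path()` refuses raises Django's `SuspiciousFileOperation` on versions where `safe_join` raises that rather than `ValueError`, so both still surface as a 500 instead of the intended 403. Catching `except (ValueError, OSError, SuspiciousFileOperation):` (importing `SuspiciousFileOperation` from `django.core.exceptions`) makes every rejected name behave the same way, and the identical block in AssetDelete (@@ -241) needs the same change. The `startswith(base_path)` guard in the context lines compares against a `base_path` without a trailing separator, so it appears to admit a sibling directory whose name merely begins with the username; comparing `os.path.normpath(img_orig)` against `base_path + os.sep` would close that, unless code outside the hunk already normalises `img_orig`. The enclosing method of AssetOverwrite starts and ends outside the hunk.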
|
@ -241,6 +245,11 @@ class AssetDelete(TemplateView):
|
|||
base_path = os.path.join(base_path, request.user.username)
|
||||
if not img_orig.startswith(base_path):
|
||||
raise PermissionDenied()
|
||||
try:
|
||||
os.stat(default_storage.path(img_orig))
|
||||
except ValueError:
|
||||
raise PermissionDenied()
|
||||
|
||||
default_storage.delete(img_orig)
|
||||
return redirect(Assets(request=self.request).get_anchored_url(name=os.path.basename(img_orig)))
|
||||
|
||||
|
|
|
@ -1315,7 +1315,7 @@ def test_add_cell_max_one_by_page(app, admin_user):
|
|||
assert resp.location.endswith('/manage/pages/%s/#cell-%s' % (page.id, cells[0].get_reference()))
|
||||
|
||||
resp = app.get('/manage/pages/%s/' % page.id)
|
||||
assert not add_text_cell_url in resp.text
|
||||
assert add_text_cell_url not in resp.text
|
||||
|
||||
# try to add cell anyway
|
||||
resp = app.get(add_text_cell_url, status=403)
|
||||
|
@ -1811,6 +1811,25 @@ def test_asset_management(app, admin_user):
|
|||
resp = resp.form.submit().follow()
|
||||
assert 'have any asset yet.' in resp.text
|
||||
|
||||
# bad filename
|
||||
filenames = [
|
||||
'test.png',
|
||||
'uploads/..test.png',
|
||||
'uploads/.%00.test.png',
|
||||
]
|
||||
for filename in filenames:
|
||||
resp = app.get('/manage/assets/overwrite/?img=%s' % filename)
|
||||
resp.form['upload'] = Upload(
|
||||
'test.png',
|
||||
base64.decodebytes(
|
||||
b'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQI12NgAgAABAADRWoApgAA\nAABJRU5ErkJggg=='
|
||||
),
|
||||
'image/png',
|
||||
)
|
||||
resp = resp.form.submit(status=403)
|
||||
resp = app.get('/manage/assets/delete?img=%s' % filename)
|
||||
resp = resp.form.submit(status=403)
|
||||
|
||||
|
||||
def test_asset_management_anchor(app, admin_user):
|
||||
app = login(app)
|
||||
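Review bot: The three entries in `filenames` cover a name outside the upload directory, a leading `..` that is not a traversal, and an embedded null byte, but not a name with an actual parent-directory component such as `'uploads/../test.png'`, which is the case the prefix check in the views is meant to reject; adding it to the list would pin the intended 403 for both the overwrite and delete views. A sibling-directory name that merely begins with the username is likewise unexercised, if the fixture makes such a path constructible. test_asset_management starts outside the hunk, so the assertions before the loop are not visible here.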
|
|