assets: fix delete and overwrite with bad filename (#63221)

2022-03-29 10:12:51 +02:00 · 2022-03-29 10:12:51 +02:00 · 17742635e5
parent db8c99228d
commit 17742635e5
2 changed files with 29 additions and 1 deletions
--- a/combo/apps/assets/views.py
+++ b/combo/apps/assets/views.py
@ -192,6 +192,10 @@ class AssetOverwrite(FormView):
            base_path = os.path.join(base_path, self.request.user.username)
        if not img_orig.startswith(base_path):
            raise PermissionDenied()
+        try:
+            os.stat(default_storage.path(img_orig))
+        except ValueError:
+            raise PermissionDenied()

        upload = self.request.FILES['upload']

@ -241,6 +245,11 @@ class AssetDelete(TemplateView):
            base_path = os.path.join(base_path, request.user.username)
        if not img_orig.startswith(base_path):
            raise PermissionDenied()
+        try:
+            os.stat(default_storage.path(img_orig))
+        except ValueError:
+            raise PermissionDenied()
+
        default_storage.delete(img_orig)
        return redirect(Assets(request=self.request).get_anchored_url(name=os.path.basename(img_orig)))

--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@ -1315,7 +1315,7 @@ def test_add_cell_max_one_by_page(app, admin_user):
    assert resp.location.endswith('/manage/pages/%s/#cell-%s' % (page.id, cells[0].get_reference()))

    resp = app.get('/manage/pages/%s/' % page.id)
-    assert not add_text_cell_url in resp.text
+    assert add_text_cell_url not in resp.text

    # try to add cell anyway
    resp = app.get(add_text_cell_url, status=403)
@ -1811,6 +1811,25 @@ def test_asset_management(app, admin_user):
    resp = resp.form.submit().follow()
    assert 'have any asset yet.' in resp.text

+    # bad filename
+    filenames = [
+        'test.png',
+        'uploads/..test.png',
+        'uploads/.%00.test.png',
+    ]
+    for filename in filenames:
+        resp = app.get('/manage/assets/overwrite/?img=%s' % filename)
+        resp.form['upload'] = Upload(
+            'test.png',
+            base64.decodebytes(
+                b'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAAAAAA6fptVAAAACklEQVQI12NgAgAABAADRWoApgAA\nAABJRU5ErkJggg=='
+            ),
+            'image/png',
+        )
+        resp = resp.form.submit(status=403)
+        resp = app.get('/manage/assets/delete?img=%s' % filename)
+        resp = resp.form.submit(status=403)
+

 def test_asset_management_anchor(app, admin_user):
    app = login(app)