From 8763de4c97ab139626843f8adb81c1898f6dce3f Mon Sep 17 00:00:00 2001
From: Emmanuel Cazenave
Date: Thu, 6 May 2021 11:52:12 +0200
Subject: [PATCH] api: replace '/' with '-' in file name (#53720)

Compatibility with https://docs.djangoproject.com/en/3.2/releases/2.2.21/ (CVE).
---
 fargo/fargo/api_views.py | 2 ++
 tests/test_api.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/fargo/fargo/api_views.py b/fargo/fargo/api_views.py
index 55b77ce..4fc16c1 100644
--- a/fargo/fargo/api_views.py
+++ b/fargo/fargo/api_views.py
@@ -115,6 +115,8 @@ class PushDocument(CommonAPIMixin, GenericAPIView):
             raise serializers.ValidationError(serializer.errors)
         data = serializer.validated_data
+        if 'file_name' in data:
+            data['file_name'] = data['file_name'].replace('/', '-')
         origin, created = Origin.objects.get_or_create(
             slug=slugify(data.get('origin')),
             defaults={'label': data.get('origin')}
diff --git a/tests/test_api.py b/tests/test_api.py
index 4efc098..406ecaa 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -174,7 +174,7 @@ def test_push_document_slashed_name(app, admin_user, john_doe):
     assert response.json['result'] == 1
     assert models.Document.objects.count() == 1
     doc = models.UserDocument.objects.first()
-    assert doc.filename == 'monfichier 18/06/2017.pdf'
-    assert doc.get_download_url() == '/%s/download/monfichier%%252018%%252F06%%252F2017.pdf' % doc.pk
+    assert doc.filename == 'monfichier 18-06-2017.pdf'
+    assert doc.get_download_url() == '/%s/download/monfichier%%252018-06-2017.pdf' % doc.pk
     login(app, user=john_doe)
     app.get(doc.get_download_url(), status=200)
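Review bot: The added `replace('/', '-')` in the `PushDocument` hunk covers only the forward slash, so the sanitisation is narrower than the check it is meant to satisfy: Django's fix in the linked 2.2.21 release rejects any upload name that differs from its `os.path.basename`, which on Windows hosts also treats `\` as a separator, and names whose basename is empty, `.` or `..` are not handled here either (whether that release or a later one refuses those should be confirmed against the release notes). Since the test in `tests/test_api.py` pins the user-visible dash form rather than a stripped basename, the minimal change that keeps that contract is to normalise both separators, `data['file_name'] = data['file_name'].replace('/', '-').replace('\\', '-')`, and to have the serializer reject a name whose basename is empty, `.` or `..` instead of relying on the storage layer to raise at save time; the test hunk likewise covers only the `/` case. A why-comment above the `if`, `# Django >= 2.2.21 refuses file names containing path elements; keep the name readable by replacing separators`, would record the reason for substituting rather than stripping. The enclosing method of `PushDocument` begins and ends outside the hunk.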