api: replace '/' with '-' in file name (#53720)

Compatibility with https://docs.djangoproject.com/en/3.2/releases/2.2.21/ (CVE).
Emmanuel Cazenave 2021-05-06 11:52:12 +02:00
parent 297c70e5f9
commit 8763de4c97
2 changed files with 4 additions and 2 deletions


@ -115,6 +115,8 @@ class PushDocument(CommonAPIMixin, GenericAPIView):
raise serializers.ValidationError(serializer.errors)
data = serializer.validated_data
if 'file_name' in data:
data['file_name'] = data['file_name'].replace('/', '-')
origin, created = Origin.objects.get_or_create(
slug=slugify(data.get('origin')), defaults={'label': data.get('origin')}
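Review bot: The normalisation at `data['file_name'] = data['file_name'].replace('/', '-')` handles only the forward slash, so a name that is empty, `.` or `..`, or one containing a backslash on a platform where that is a path separator, passes through unchanged and would presumably still be refused by the stricter file-name validation described in the linked Django release notes, surfacing as an unhandled error rather than a `ValidationError`. Since `file_name` is supplied by the API client, I would cover those cases here as well, e.g. `name = data['file_name'].replace('/', '-').replace('\\', '-')` followed by `if name in ('', '.', '..'): raise serializers.ValidationError({'file_name': 'invalid file name'})`. The updated test in the second file section exercises only the slash case; a case for a dot-only name would pin the behaviour. The method body starts and ends outside this hunk, so how `file_name` reaches storage is not visible here.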


@ -174,7 +174,7 @@ def test_push_document_slashed_name(app, admin_user, john_doe):
assert response.json['result'] == 1
assert models.Document.objects.count() == 1
doc = models.UserDocument.objects.first()
assert doc.filename == 'monfichier 18/06/2017.pdf'
assert doc.get_download_url() == '/%s/download/monfichier%%252018%%252F06%%252F2017.pdf' % doc.pk
assert doc.filename == 'monfichier 18-06-2017.pdf'
assert doc.get_download_url() == '/%s/download/monfichier%%252018-06-2017.pdf' % doc.pk
login(app, user=john_doe)
app.get(doc.get_download_url(), status=200)