0001-api-replace-with-in-file-name-53720.patch

Emmanuel Cazenave, 06 May 2021 11:59

View differences:

Subject: [PATCH] api: replace '/' with '-' in file name (#53720)

Compatibility with https://docs.djangoproject.com/en/3.2/releases/2.2.21/ (CVE).
 fargo/fargo/api_views.py | 2 ++
 tests/test_api.py        | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
fargo/fargo/api_views.py
115 115
            raise serializers.ValidationError(serializer.errors)
116 116

  
117 117
        data = serializer.validated_data
118
        if 'file_name' in data:
119
            data['file_name'] = data['file_name'].replace('/', '-')
118 120

  
119 121
        origin, created = Origin.objects.get_or_create(
120 122
            slug=slugify(data.get('origin')), defaults={'label': data.get('origin')}
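Review bot: The sanitisation on added lines 118-119 handles only '/', and it silently rewrites the submitted name instead of rejecting it the way the `raise serializers.ValidationError(serializer.errors)` branch just above does. If the goal is compatibility with the Django 2.2.21 file-name checks referenced in the commit message, please state in a comment which inputs are expected to reach this point and why replacement was chosen over rejection. Please also confirm whether other path-like names (a backslash, or a name that is only '.' or '..') need the same treatment. If `file_name` can be present with a null value, `data['file_name'].replace(...)` will raise, so a guard such as `if data.get('file_name'):` would be safer.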
tests/test_api.py
174 174
    assert response.json['result'] == 1
175 175
    assert models.Document.objects.count() == 1
176 176
    doc = models.UserDocument.objects.first()
177
    assert doc.filename == 'monfichier 18/06/2017.pdf'
178
    assert doc.get_download_url() == '/%s/download/monfichier%%252018%%252F06%%252F2017.pdf' % doc.pk
177
    assert doc.filename == 'monfichier 18-06-2017.pdf'
178
    assert doc.get_download_url() == '/%s/download/monfichier%%252018-06-2017.pdf' % doc.pk
179 179
    login(app, user=john_doe)
180 180
    app.get(doc.get_download_url(), status=200)
181
-
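Review bot: The rewritten assertions at new lines 177-178 cover only the slash-to-dash case, and they replace the old expectations rather than adding to them, so nothing in this hunk exercises the other side of the new `if 'file_name' in data:` branch. Consider adding a case where `file_name` is absent from the request and one where the name contains no '/', asserting that `doc.filename` is unchanged, so a later change to the replacement logic cannot alter ordinary names unnoticed.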