
0001-misc-remove-invalid-characters-from-content-disposit.patch

Frédéric Péters, 30 novembre 2021 14:47


Subject: [PATCH] misc: remove invalid characters from content-disposition
 header (#58972)

 tests/form_pages/test_formdata.py | 33 +++++++++++++++++++++++++++++++
 wcs/forms/common.py               |  6 +++---
 2 files changed, 36 insertions(+), 3 deletions(-)
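--- a/tests/form_pages/test_formdata.py
+++ b/tests/form_pages/test_formdata.py
@@ -182,6 +182,39 @@
     assert resp.request.environ['PATH_INFO'].endswith(attachment_variable.filename)
 
 
+def test_formdata_attachment_download_with_invalid_character(pub):
+    create_user(pub)
+    wf = Workflow(name='status')
+    st1 = wf.add_status('Status1', 'st1')
+    attach = AddAttachmentWorkflowStatusItem()
+    attach.id = '_attach'
+    attach.by = ['_submitter']
+    st1.items.append(attach)
+    attach.parent = st1
+    wf.store()
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.workflow_id = wf.id
+    formdef.fields = []
+    formdef.store()
+    formdef.data_class().wipe()
+
+    resp = login(get_app(pub), username='foo', password='foo').get('/test/')
+    resp = resp.forms[0].submit('submit')
+    resp = resp.forms[0].submit('submit').follow()
+
+    resp.forms[0]['attachment_attach$file'] = Upload('test\n".txt', b'foobar', 'text/plain')
+    resp = resp.forms[0].submit('button_attach')
+
+    resp = resp.follow()  # back to form page
+    resp = resp.click('test\n".txt')
+    resp = resp.follow()
+    assert resp.content_type == 'text/plain'
+    assert resp.text == 'foobar'
+
+
 def test_formdata_attachment_download_to_backoffice_file_field(pub):
     create_user(pub)
     wf = Workflow(name='status')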
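Review bot: The new test never inspects the header this commit is about: after the last `resp.follow()` it asserts only `resp.content_type` and `resp.text`, so it pins the fix only indirectly (presumably through the old value being rejected somewhere in the response path, which is not visible here). Assert on the header directly, for example `assert '\n' not in resp.headers['content-disposition']` and `assert resp.headers['content-disposition'].count('"') == 2`. An exact comparison against the sanitised name would be stronger still, but the value stored in `base_filename` for this upload cannot be confirmed from the hunk.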
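--- a/wcs/forms/common.py
+++ b/wcs/forms/common.py
@@ -96,14 +96,14 @@
         if file.charset:
             response.set_charset(file.charset)
         if file.base_filename:
+            # remove invalid characters from filename
+            filename = file.base_filename.translate(str.maketrans({x: '_' for x in '"\n\r'}))
             content_disposition = 'attachment'
             if file.content_type.startswith('image/') and not file.content_type.startswith('image/svg'):
                 content_disposition = 'inline'
             elif file.content_type == 'application/pdf':
                 content_disposition = 'inline'
-            response.set_header(
-                'content-disposition', '%s; filename="%s"' % (content_disposition, file.base_filename)
-            )
+            response.set_header('content-disposition', '%s; filename="%s"' % (content_disposition, filename))
 
         return file.get_file_pointer().read()
 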
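Review bot: The replacement set on the new `filename = ...` line covers only `"`, `\n` and `\r`, so a backslash and every other control character in an uploaded name still reach the quoted `filename="%s"` value. Backslash is the escape character inside a quoted-string, so a name ending in `\` makes the closing quote ambiguous to parsers. Since `base_filename` originates from the uploader, consider replacing the whole control range as well, e.g. `filename = re.sub(r'[\x00-\x1f\x7f"\\]', '_', file.base_filename)` (assuming `re` is available in this module, which the hunk does not show). Non-ASCII names are also emitted raw rather than through an RFC 6266 `filename*=` parameter; the enclosing function starts above the hunk, so any earlier normalisation is not visible.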
110
-