From 6b45d0e5718f35c483a8d89994838965715cbbb4 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Fri, 11 Oct 2019 13:58:23 +0200 Subject: [PATCH 2/2] utils.zip: add check for XML syntax (#36848) --- passerelle/utils/zip.py | 8 +++++++- tests/test_utils_zip.py | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/passerelle/utils/zip.py b/passerelle/utils/zip.py index 548e5f5e..c8d69b78 100644 --- a/passerelle/utils/zip.py +++ b/passerelle/utils/zip.py @@ -14,11 +14,12 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -from __future__ import unicode_literals +from __future__ import unicode_literals, absolute_import import io import os.path import json +import xml.etree.ElementTree as ET import zipfile from jsonschema import validate, ValidationError @@ -122,6 +123,11 @@ class ZipTemplate(object): except TemplateDoesNotExist as e: raise ZipTemplateDoesNotExist('part template %s not found' % template_path, e) content = template.render(self.ctx) + if name.endswith('.xml'): + try: + ET.fromstring(content) + except ET.ParseError as e: + raise ZipTemplateSyntaxError('XML syntax error in part template %s' % template_path, e) yield name, content def render_to_bytes(self): diff --git a/tests/test_utils_zip.py b/tests/test_utils_zip.py index c51ca4c3..07420968 100644 --- a/tests/test_utils_zip.py +++ b/tests/test_utils_zip.py @@ -98,7 +98,7 @@ def test_with_parts(tpl_builder, dest): ZipTemplate( tpl_builder( '{{ name }}-{{ counter }}.zip', - ('{{ name }}-{{ counter }}-part1.xml', '{{ body }}'), + ('{{ name }}-{{ counter }}-part1.xml', '{{ body }}'), ), ctx={'name': 'coucou', 'counter': 10, 'body': 'blabla'}).render_to_path(dest) 
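Review bot: The well-formedness check in the `name.endswith('.xml')` branch of `passerelle/utils/zip.py` passes the fully rendered part, context values included, to `ET.fromstring`, and the standard-library ElementTree parser is not hardened against entity-expansion payloads. That only matters if a context value can reach the document unescaped or a template carries its own DOCTYPE, neither of which is visible in this hunk, so please confirm that autoescaping applies to these part templates. If it cannot be guaranteed, a hardened parser such as `defusedxml.ElementTree.fromstring` would be the safer choice. Separately, the handler catches only `ET.ParseError`; the module still appears to target Python 2 (`unicode_literals`), where a rendered unicode string with non-ASCII characters may raise `UnicodeEncodeError` from the parser and escape as a raw exception instead of `ZipTemplateSyntaxError`. Parsing bytes with `ET.fromstring(content.encode('utf-8'))` is probably enough, to be checked against templates that declare another encoding. The enclosing method starts above the hunk.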
@@ -106,4 +106,4 @@ def test_with_parts(tpl_builder, dest): with full_path.open() as fd: with zipfile.ZipFile(fd) as zi: assert zi.namelist() == ['coucou-10-part1.xml'] - assert zi.open('coucou-10-part1.xml').read() == 'blabla' + assert zi.open('coucou-10-part1.xml').read() == 'blabla' -- 2.23.0
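Review bot: Neither test hunk exercises the new error path: the diffstat shows only two lines swapped in `tests/test_utils_zip.py`, both inside `test_with_parts`, so nothing asserts that a malformed `.xml` part raises `ZipTemplateSyntaxError`. A negative test next to `test_with_parts` would pin that behaviour and catch a regression if the check is later moved or the parser is swapped. The sketch below reuses the `tpl_builder` and `dest` fixtures as they appear in the previous hunk; it assumes `pytest` and `ZipTemplateSyntaxError` are importable in the test module and that `render_to_path` renders the parts. The unclosed `<a>` is a constructed sample.

```python
def test_xml_syntax_error(tpl_builder, dest):
    with pytest.raises(ZipTemplateSyntaxError):
        ZipTemplate(
            tpl_builder(
                '{{ name }}-{{ counter }}.zip',
                # constructed sample: element is never closed
                ('{{ name }}-{{ counter }}-part1.xml', '<a>{{ body }}'),
            ),
            ctx={'name': 'coucou', 'counter': 10, 'body': 'blabla'}).render_to_path(dest)
```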