author | Philip Sargent <philip.sargent@gmail.com> | 2023-09-13 18:46:10 +0300 |
---|---|---|
committer | Philip Sargent <philip.sargent@gmail.com> | 2023-09-13 18:46:10 +0300 |
commit | 70dd61b2baeb9de85d7f6e1816df9368a5b18e3f (patch) | |
tree | 6ae82e1c576a28229d46b5e33e81016b3a6a5349 /core/views/uploads.py | |
parent | 33a485d207d1ea6b8bf8cc3c67231dccc8778af2 (diff) | |
sanitize filenames
Diffstat (limited to 'core/views/uploads.py')
-rw-r--r-- | core/views/uploads.py | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 232eb5e..999206a 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -12,7 +12,7 @@ from troggle.core.models.caves import GetCaveLookup
from troggle.core.models.logbooks import LogbookEntry, writelogbook, PersonLogEntry
from troggle.core.models.survex import DrawingFile
from troggle.core.models.troggle import DataIssue, Expedition, PersonExpedition
-from troggle.core.utils import alphabet_suffix, current_expo
+from troggle.core.utils import alphabet_suffix, current_expo, sanitize_name
from troggle.parsers.people import GetPersonExpeditionNameLookup, known_foreigner
# from databaseReset import reinit_db # don't do this. databaseRest runs code *at import time*
@@ -399,7 +399,7 @@ def logbookedit(request, year=None, slug=None):
"textrows": rows,
},
)
-
+
@login_required_if_public
def expofilerename(request, filepath):
"""Rename any single file in /expofiles/ - eventually.
@@ -434,7 +434,7 @@ def expofilerename(request, filepath):
print(message)
return render(request, "errors/generic.html", {"message": message})
else:
- renameto = request.POST["renameto"]
+ renameto = sanitize_name(request.POST["renameto"])
if (folder / renameto).is_file() or (folder / renameto).is_dir():
rename_bad = renameto
@@ -521,7 +521,7 @@ def photoupload(request, folder=None):
if "photographer" in request.POST:
formd = TextForm(request.POST)
if formd.is_valid():
- newphotographer = request.POST["photographer"]
+ newphotographer = sanitize_name(request.POST["photographer"])
try:
(yearpath / newphotographer).mkdir(exist_ok=True)
except:
@@ -537,7 +537,7 @@ def photoupload(request, folder=None):
# NO CHECK that the files being uploaded are image files
fs = FileSystemStorage(dirpath)
- renameto = request.POST["renameto"]
+ renameto = sanitize_name(request.POST["renameto"])
actual_saved = []
if multiple: |
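Review bot: In the `expofilerename` hunk the sanitized `renameto` goes straight into `folder / renameto`, and nothing visible rejects an empty result or confirms the joined path is still a direct child of `folder`; the same applies to `renameto` in the last `photoupload` hunk. `sanitize_name` comes from `troggle.core.utils` and its body is not part of this diff, so whether it removes path separators, `..` and leading dots cannot be confirmed here; if it can return an empty string, `folder / renameto` is `folder` itself and the `is_dir()` test reports a clash against a blank name. I would add a guard directly after the assignment, `if not renameto or (folder / renameto).resolve().parent != folder.resolve():`, returning the generic error page; in `photoupload`, where an empty `renameto` may be intentional, only the containment half applies. `request.POST["renameto"]` also raises when the field is absent, and `request.POST.get("renameto", "")` would route that case into the same guard. Both function bodies continue outside the hunks.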
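Review bot: In the first `photoupload` hunk, a `photographer` value that sanitizes down to an empty string makes `(yearpath / newphotographer).mkdir(exist_ok=True)` succeed silently on `yearpath` itself, so the request appears to work without creating any folder. An explicit `if not newphotographer:` rejection before the `try:` would close that. The name is also read from raw `request.POST["photographer"]` even though `formd.is_valid()` has just run; `TextForm` is not shown here, but if it declares that field, `formd.cleaned_data["photographer"]` would be the normalised value to pass to `sanitize_name`. The bare `except:` after the mkdir hides why a creation failed, and `except OSError:` would be narrower; that handler's body lies outside the hunk.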