Diffstat (limited to 'core/views/uploads.py')
-rw-r--r-- | core/views/uploads.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 9ef11ac..c7b7e74 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -157,6 +157,7 @@ class LogbookEditForm(forms.Form): # not a model-form, just a form-form
 @login_required_if_public
 def edittxtpage(request, path, filepath):
 """Editing a .txt file on expoweb/
+ Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
 """
 def simple_get(viewtext):
 form = ExpotextfileForm()
@@ -175,9 +176,10 @@ def edittxtpage(request, path, filepath):
 message=""
 if not filepath.is_file():
+ message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
 print(f"Not a file: {filepath}")
- errpage = f"<html>" + default_head + f"<h3>File not found '{filepath}'<br><br>failure detected in expowebpage() in views.expo.py</h3> </body>"
- return HttpResponse(errpage)
+ return render(request, "errors/generic.html", {"message": message})
+
 try:
 with open(filepath, "r") as f:
 originaltext = f.read()
@@ -207,6 +209,9 @@ def edittxtpage(request, path, filepath):
 if "Save" in request.POST:
 print("submitted for saving..")
+ # should insert sanitization in here
+ # but user cannot rename the file, and cannot create new files
+ # and this is only used for .txt files
 if newtext != originaltext: # Check if content has changed at all
 print("text changed.. saving and committing")
 try:
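Review bot: The new docstring sentence records the hazard but not what bounds it, so a reader of `edittxtpage` has to find the comment block added further down to learn that the view is login-gated, only edits existing `.txt` files and cannot rename or create files. It would be clearer to put that in the docstring next to the warning, e.g. `Arbitrary text is accepted and stored verbatim; the exposure is limited by @login_required_if_public and by the view only editing existing .txt files (no rename, no create).` The body of edittxtpage continues outside this hunk.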
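Review bot: The new `message` f-string drops the closing quote after `{filepath}` that the removed `<h3>` line had (`'{filepath}'`), so the rendered text reads `File not found '/some/path` with an unbalanced quote; the text also still names `expowebpage()` in `views.expo.py`, which is neither this view nor this module, so the error points an operator at the wrong place. The not-found branch also returns the generic error page with the default 200 status, where a 404 would let clients and monitoring distinguish it. Suggested lines: `message = f"File not found '{filepath}'\n\nfailure detected in edittxtpage() in views/uploads.py"` and `return render(request, "errors/generic.html", {"message": message}, status=404)`. Whether the `\n\n` that replaced `<br><br>` actually renders as a break depends on `errors/generic.html`, which is not in the diff; the rest of edittxtpage lies outside this hunk.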
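Review bot: The three comment lines added before the `if newtext != originaltext:` check describe a deferred decision as a plain comment, so it will not surface in a TODO search and does not say what "sanitization" would protect against for content that, per the surrounding lines, is written back to disk and committed. I would mark it as a tracked item and state the boundary the comment relies on, e.g. `# TODO: newtext is stored and committed verbatim; safe only while these files are served as text/plain and the path is fixed by the URL (no rename/create).` Whether every route that serves these `.txt` files does send them as plain text is not visible here and is worth confirming when the TODO is picked up. The enclosing `if "Save" in request.POST:` block and the `try:` at the end continue outside the hunk.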