X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/4e7aaa55651ce32fed3e729ff6b8da680a30fd36..03ac012472fcaa2c0d8011ff8e71a2d861d75575:/apps/catalogue/views.py

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 1021c878..cf1ec128 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -21,6 +21,7 @@ from django.shortcuts import get_object_or_404, render, redirect
 from django.utils.encoding import force_str
 from django.utils.http import urlquote_plus
 from django.views.decorators.http import require_POST
+from unidecode import unidecode
 
 from catalogue import forms
 from catalogue.forms import TagMultipleForm, TagSingleForm
@@ -99,7 +100,10 @@ def create_missing(request):
                 path = settings.MEDIA_ROOT + uppath
                 if not os.path.isdir(path):
                     os.makedirs(path)
-                dest_path = path + cover.name   # UNSAFE
+                cover.name = unidecode(cover.name)
+                dest_path = path + cover.name
+                if not os.path.abspath(dest_path).startswith(os.path.abspath(path)):
+                    raise Http404
                 with open(dest_path, 'w') as destination:
                     for chunk in cover.chunks():
                         destination.write(chunk)
@@ -353,9 +357,6 @@ def book_owner(request, pk):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
     if not doc.can_edit(request.user):
         return HttpResponseForbidden("Not authorized.")
-    user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
-    if not (doc.owner_user == request.user or user_is_owner):
-        raise Http404
 
     error = ''