convert attachment filenames to ascii

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 2e82dfa..cf1ec12 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -21,6 +21,7 @@ from django.shortcuts import get_object_or_404, render, redirect
 from django.utils.encoding import force_str
 from django.utils.http import urlquote_plus
 from django.views.decorators.http import require_POST
+from unidecode import unidecode
 
 from catalogue import forms
 from catalogue.forms import TagMultipleForm, TagSingleForm
@@ -99,7 +100,10 @@ def create_missing(request):
                 path = settings.MEDIA_ROOT + uppath
                 if not os.path.isdir(path):
                     os.makedirs(path)
-                dest_path = path + cover.name   # UNSAFE
+                cover.name = unidecode(cover.name)
+                dest_path = path + cover.name
+                if not os.path.abspath(dest_path).startswith(os.path.abspath(path)):
+                    raise Http404
                 with open(dest_path, 'w') as destination:
                     for chunk in cover.chunks():
                         destination.write(chunk)

diff --git a/apps/fileupload/views.py b/apps/fileupload/views.py
index 35e0a7a..c7b9318 100644 (file)
--- a/apps/fileupload/views.py
+++ b/apps/fileupload/views.py
@@ -11,6 +11,8 @@ from django.http import HttpResponse, Http404
 from django.utils.decorators import method_decorator
 from django.views.decorators.vary import vary_on_headers
 from django.views.generic import FormView
+from unidecode import unidecode
+
 from .forms import UploadForm
 
 
@@ -139,6 +141,7 @@ class UploadView(UploadViewMixin, FormView):
             os.makedirs(path)
         data = []
         for f in flist:
+            f.name = unidecode(f.name)
             with open(self.get_safe_path(f.name), 'w') as destination:
                 for chunk in f.chunks():
                     destination.write(chunk)