From 5e942ab9a9a217a8482a324c3e61fdd83c1c4247 Mon Sep 17 00:00:00 2001 From: Jan Szejko Date: Fri, 31 Mar 2017 12:05:57 +0200 Subject: [PATCH] convert attachment filenames to ascii --- apps/catalogue/views.py | 6 +++++- apps/fileupload/views.py | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index 2e82dfa3..cf1ec128 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -21,6 +21,7 @@ from django.shortcuts import get_object_or_404, render, redirect from django.utils.encoding import force_str from django.utils.http import urlquote_plus from django.views.decorators.http import require_POST +from unidecode import unidecode from catalogue import forms from catalogue.forms import TagMultipleForm, TagSingleForm @@ -99,7 +100,10 @@ def create_missing(request): path = settings.MEDIA_ROOT + uppath if not os.path.isdir(path): os.makedirs(path) - dest_path = path + cover.name # UNSAFE + cover.name = unidecode(cover.name) + dest_path = path + cover.name + if not os.path.abspath(dest_path).startswith(os.path.abspath(path)): + raise Http404 with open(dest_path, 'w') as destination: for chunk in cover.chunks(): destination.write(chunk) diff --git a/apps/fileupload/views.py b/apps/fileupload/views.py index 35e0a7ae..c7b93187 100644 --- a/apps/fileupload/views.py +++ b/apps/fileupload/views.py @@ -11,6 +11,8 @@ from django.http import HttpResponse, Http404 from django.utils.decorators import method_decorator from django.views.decorators.vary import vary_on_headers from django.views.generic import FormView +from unidecode import unidecode + from .forms import UploadForm @@ -139,6 +141,7 @@ class UploadView(UploadViewMixin, FormView): os.makedirs(path) data = [] for f in flist: + f.name = unidecode(f.name) with open(self.get_safe_path(f.name), 'w') as destination: for chunk in f.chunks(): destination.write(chunk) -- 2.20.1