Ejemplo n.º 1
0
    def test_escapeString(self):
        from viur.core.utils import escapeString

        self.assertEqual("None", escapeString(None))
        self.assertEqual("abcde", escapeString("abcdefghi", maxLength=5))
        self.assertEqual("<html>&</html>",
                         escapeString("<html>\n&\0</html>"))
Ejemplo n.º 2
0
 def singleValueFromClient(self, value, skel, name, origData):
     value = utils.escapeString(value)
     err = self.isInvalid(value)
     if not err:
         return utils.escapeString(value), None
     return self.getEmptyValue(), [
         ReadFromClientError(ReadFromClientErrorSeverity.Invalid, name, err)
     ]
Ejemplo n.º 3
0
def requestParams(render):
	"""
	Jinja2 global: Allows for accessing the request-parameters from the template.

	These returned values are escaped, as users tend to use these in an unsafe manner.

	:returns: dict of parameter and values.
	:rtype: dict
	"""
	res = {}
	for k, v in currentRequest.get().kwargs.items():
		res[utils.escapeString(k)] = utils.escapeString(v)
	return res
Ejemplo n.º 4
0
    def add(self, skelType, node, *args, **kwargs):
        ## We can't add files directly (they need to be uploaded
        # if skelType != "node":
        #	raise errors.NotAcceptable()
        if skelType == "leaf":  # We need to handle leafs separately here
            skey = kwargs.get("skey")
            targetKey = kwargs.get("key")
            #if not skey or not securitykey.validate(skey, useSessionKey=True) or not targetKey:
            #	raise errors.PreconditionFailed()

            skel = self.addLeafSkel()
            if not skel.fromDB(targetKey):
                raise errors.NotFound()
            if not skel["pending"]:
                raise errors.PreconditionFailed()
            skel["pending"] = False
            skel["parentdir"] = skel["pendingParentdir"]
            if skel["parentdir"]:
                rootNode = self.getRootNode(skel["parentdir"])
            else:
                rootNode = None
            if not self.canAdd("leaf", rootNode):
                raise errors.Forbidden()
            blobs = list(bucket.list_blobs(prefix="%s/" % targetKey))
            if len(blobs) != 1:
                logging.error("Invalid number of blobs in folder")
                logging.error(targetKey)
                raise errors.PreconditionFailed()
            blob = blobs[0]
            skel["mimetype"] = utils.escapeString(blob.content_type)
            skel["name"] = utils.escapeString(
                blob.name.replace("%s/source/" % targetKey, ""))
            skel["size"] = blob.size
            skel["rootnode"] = rootNode
            skel["weak"] = rootNode is None
            skel.toDB()
            # Add updated download-URL as the auto-generated isn't valid yet
            skel["downloadUrl"] = utils.downloadUrlFor(skel["dlkey"],
                                                       skel["name"],
                                                       derived=False)
            return self.render.addItemSuccess(skel)

        return super(File, self).add(skelType, node, *args, **kwargs)
Ejemplo n.º 5
0
    def fromClient(self, valuesCache, name, data):
        """
			Reads a value from the client.
			If this value is valid for this bone,
			store this rawValue and return None.
			Otherwise our previous value is
			left unchanged and an error-message
			is returned.

			:param name: Our name in the :class:`server.skeleton.Skeleton`
			:type name: str
			:param data: *User-supplied* request-data
			:type data: dict
			:returns: str or None
		"""
        if not name in data and not any(
                x.startswith("%s." % name) for x in data):
            return [
                ReadFromClientError(ReadFromClientErrorSeverity.NotSet, name,
                                    "Field not submitted")
            ]
        res = None
        errors = []
        if self.multiple and self.languages:
            res = LanguageWrapper(self.languages)
            for lang in self.languages:
                res[lang] = []
                if "%s.%s" % (name, lang) in data:
                    val = data["%s.%s" % (name, lang)]
                    if isinstance(val, str):
                        err = self.isInvalid(val)
                        if not err:
                            res[lang].append(utils.escapeString(val))
                        else:
                            errors.append(
                                ReadFromClientError(
                                    ReadFromClientErrorSeverity.Invalid, name,
                                    err))
                    elif isinstance(val, list):
                        for v in val:
                            err = self.isInvalid(v)
                            if not err:
                                res[lang].append(utils.escapeString(v))
                            else:
                                errors.append(
                                    ReadFromClientError(
                                        ReadFromClientErrorSeverity.Invalid,
                                        name, err))
            if not any(res.values()) and not errors:
                errors.append(
                    ReadFromClientError(ReadFromClientErrorSeverity.Empty,
                                        name, "No rawValue entered"))
        elif self.multiple and not self.languages:
            rawValue = data.get(name)
            res = []
            if not rawValue:
                errors.append(
                    ReadFromClientError(ReadFromClientErrorSeverity.Empty,
                                        name, "No rawValue entered"))
            else:
                if not isinstance(rawValue, list):
                    rawValue = [rawValue]
                for val in rawValue:
                    err = self.isInvalid(val)
                    if not err:
                        res.append(utils.escapeString(val))
                    else:
                        errors.append(
                            ReadFromClientError(
                                ReadFromClientErrorSeverity.Invalid, name,
                                err))
                if len(res) > 0:
                    res = res[0:254]  # Max 254 character
                else:
                    errors.append(
                        ReadFromClientError(ReadFromClientErrorSeverity.Empty,
                                            name, "No valid rawValue entered"))
        elif not self.multiple and self.languages:
            res = LanguageWrapper(self.languages)
            for lang in self.languages:
                if "%s.%s" % (name, lang) in data:
                    val = data["%s.%s" % (name, lang)]
                    err = self.isInvalid(val)
                    if not err:
                        res[lang] = utils.escapeString(val)
                    else:
                        errors.append(
                            ReadFromClientError(
                                ReadFromClientErrorSeverity.Invalid, name,
                                err))
            if len(res.keys()) == 0 and not errors:
                errors.append(
                    ReadFromClientError(ReadFromClientErrorSeverity.Empty,
                                        name, "No rawValue entered"))
        else:
            rawValue = data.get(name)
            err = self.isInvalid(rawValue)
            if not err:
                res = utils.escapeString(rawValue)
            else:
                errors.append(
                    ReadFromClientError(ReadFromClientErrorSeverity.Invalid,
                                        name, err))
            if not rawValue and not errors:
                errors.append(
                    ReadFromClientError(ReadFromClientErrorSeverity.Empty,
                                        name, "No rawValue entered"))
        valuesCache[name] = res
        if errors:
            return errors
Ejemplo n.º 6
0
    def upload(self, node=None, *args, **kwargs):
        try:
            canAdd = self.canAdd("leaf", node)
        except:
            canAdd = False
        if not canAdd:
            for upload in self.getUploads():
                upload.delete()
            raise errors.Forbidden()

        try:
            res = []
            if node:
                # The file is uploaded into a rootNode
                nodeSkel = self.editNodeSkel()
                if not nodeSkel.fromDB(node):
                    for upload in self.getUploads():
                        upload.delete()
                    raise errors.NotFound()
                else:
                    weak = False
                    parentDir = str(node)
                    parentRepo = nodeSkel["parentrepo"]
            else:
                weak = True
                parentDir = None
                parentRepo = None

            # Handle the actual uploads
            for upload in self.getUploads():
                fileName = decodeFileName(upload.filename)
                height = width = 0

                if str(upload.content_type).startswith("image/"):
                    try:
                        servingURL = images.get_serving_url(upload.key())
                        if request.current.get().isDevServer:
                            # NOTE: changed for Ticket ADMIN-37
                            servingURL = urlparse(servingURL).path
                        elif servingURL.startswith("http://"):
                            # Rewrite Serving-URLs to https if we are live
                            servingURL = servingURL.replace(
                                "http://", "https://")
                    except:
                        servingURL = ""

                    try:
                        # only fetching the file header or all if the file is smaller than 1M
                        data = blobstore.fetch_data(upload.key(), 0,
                                                    min(upload.size, 1000000))
                        image = images.Image(image_data=data)
                        height = image.height
                        width = image.width
                    except Exception as err:
                        logging.error(
                            "some error occurred while trying to fetch the image header with dimensions"
                        )
                        logging.exception(err)

                else:
                    servingURL = ""

                fileSkel = self.addLeafSkel()

                fileSkel.setValues({
                    "name":
                    utils.escapeString(fileName),
                    "size":
                    upload.size,
                    "mimetype":
                    utils.escapeString(upload.content_type),
                    "dlkey":
                    str(upload.key()),
                    "servingurl":
                    servingURL,
                    "parentdir":
                    parentDir,
                    "parentrepo":
                    parentRepo,
                    "weak":
                    weak,
                    "width":
                    width,
                    "height":
                    height
                })
                fileSkel.toDB()
                res.append(fileSkel)
                self.onItemUploaded(fileSkel)

            # Uploads stored successfully, generate response to the client
            for r in res:
                logging.info("Upload successful: %s (%s)" %
                             (r["name"], r["dlkey"]))
            user = utils.getCurrentUser()

            if user:
                logging.info("User: %s (%s)" % (user["name"], user["key"]))

            return self.render.addItemSuccess(res)

        except Exception as err:
            logging.exception(err)

            for upload in self.getUploads():
                upload.delete()
                utils.markFileForDeletion(str(upload.key()))

            raise errors.InternalServerError()