def test_escapeString(self): from viur.core.utils import escapeString self.assertEqual("None", escapeString(None)) self.assertEqual("abcde", escapeString("abcdefghi", maxLength=5)) self.assertEqual("<html>&</html>", escapeString("<html>\n&\0</html>"))
def singleValueFromClient(self, value, skel, name, origData): value = utils.escapeString(value) err = self.isInvalid(value) if not err: return utils.escapeString(value), None return self.getEmptyValue(), [ ReadFromClientError(ReadFromClientErrorSeverity.Invalid, name, err) ]
def requestParams(render): """ Jinja2 global: Allows for accessing the request-parameters from the template. These returned values are escaped, as users tend to use these in an unsafe manner. :returns: dict of parameter and values. :rtype: dict """ res = {} for k, v in currentRequest.get().kwargs.items(): res[utils.escapeString(k)] = utils.escapeString(v) return res
def add(self, skelType, node, *args, **kwargs): ## We can't add files directly (they need to be uploaded # if skelType != "node": # raise errors.NotAcceptable() if skelType == "leaf": # We need to handle leafs separately here skey = kwargs.get("skey") targetKey = kwargs.get("key") #if not skey or not securitykey.validate(skey, useSessionKey=True) or not targetKey: # raise errors.PreconditionFailed() skel = self.addLeafSkel() if not skel.fromDB(targetKey): raise errors.NotFound() if not skel["pending"]: raise errors.PreconditionFailed() skel["pending"] = False skel["parentdir"] = skel["pendingParentdir"] if skel["parentdir"]: rootNode = self.getRootNode(skel["parentdir"]) else: rootNode = None if not self.canAdd("leaf", rootNode): raise errors.Forbidden() blobs = list(bucket.list_blobs(prefix="%s/" % targetKey)) if len(blobs) != 1: logging.error("Invalid number of blobs in folder") logging.error(targetKey) raise errors.PreconditionFailed() blob = blobs[0] skel["mimetype"] = utils.escapeString(blob.content_type) skel["name"] = utils.escapeString( blob.name.replace("%s/source/" % targetKey, "")) skel["size"] = blob.size skel["rootnode"] = rootNode skel["weak"] = rootNode is None skel.toDB() # Add updated download-URL as the auto-generated isn't valid yet skel["downloadUrl"] = utils.downloadUrlFor(skel["dlkey"], skel["name"], derived=False) return self.render.addItemSuccess(skel) return super(File, self).add(skelType, node, *args, **kwargs)
def fromClient(self, valuesCache, name, data): """ Reads a value from the client. If this value is valid for this bone, store this rawValue and return None. Otherwise our previous value is left unchanged and an error-message is returned. :param name: Our name in the :class:`server.skeleton.Skeleton` :type name: str :param data: *User-supplied* request-data :type data: dict :returns: str or None """ if not name in data and not any( x.startswith("%s." % name) for x in data): return [ ReadFromClientError(ReadFromClientErrorSeverity.NotSet, name, "Field not submitted") ] res = None errors = [] if self.multiple and self.languages: res = LanguageWrapper(self.languages) for lang in self.languages: res[lang] = [] if "%s.%s" % (name, lang) in data: val = data["%s.%s" % (name, lang)] if isinstance(val, str): err = self.isInvalid(val) if not err: res[lang].append(utils.escapeString(val)) else: errors.append( ReadFromClientError( ReadFromClientErrorSeverity.Invalid, name, err)) elif isinstance(val, list): for v in val: err = self.isInvalid(v) if not err: res[lang].append(utils.escapeString(v)) else: errors.append( ReadFromClientError( ReadFromClientErrorSeverity.Invalid, name, err)) if not any(res.values()) and not errors: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Empty, name, "No rawValue entered")) elif self.multiple and not self.languages: rawValue = data.get(name) res = [] if not rawValue: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Empty, name, "No rawValue entered")) else: if not isinstance(rawValue, list): rawValue = [rawValue] for val in rawValue: err = self.isInvalid(val) if not err: res.append(utils.escapeString(val)) else: errors.append( ReadFromClientError( ReadFromClientErrorSeverity.Invalid, name, err)) if len(res) > 0: res = res[0:254] # Max 254 character else: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Empty, name, "No valid rawValue entered")) elif not self.multiple and self.languages: res = LanguageWrapper(self.languages) for lang in self.languages: if "%s.%s" % (name, lang) in data: val = data["%s.%s" % (name, lang)] err = self.isInvalid(val) if not err: res[lang] = utils.escapeString(val) else: errors.append( ReadFromClientError( ReadFromClientErrorSeverity.Invalid, name, err)) if len(res.keys()) == 0 and not errors: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Empty, name, "No rawValue entered")) else: rawValue = data.get(name) err = self.isInvalid(rawValue) if not err: res = utils.escapeString(rawValue) else: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Invalid, name, err)) if not rawValue and not errors: errors.append( ReadFromClientError(ReadFromClientErrorSeverity.Empty, name, "No rawValue entered")) valuesCache[name] = res if errors: return errors
def upload(self, node=None, *args, **kwargs): try: canAdd = self.canAdd("leaf", node) except: canAdd = False if not canAdd: for upload in self.getUploads(): upload.delete() raise errors.Forbidden() try: res = [] if node: # The file is uploaded into a rootNode nodeSkel = self.editNodeSkel() if not nodeSkel.fromDB(node): for upload in self.getUploads(): upload.delete() raise errors.NotFound() else: weak = False parentDir = str(node) parentRepo = nodeSkel["parentrepo"] else: weak = True parentDir = None parentRepo = None # Handle the actual uploads for upload in self.getUploads(): fileName = decodeFileName(upload.filename) height = width = 0 if str(upload.content_type).startswith("image/"): try: servingURL = images.get_serving_url(upload.key()) if request.current.get().isDevServer: # NOTE: changed for Ticket ADMIN-37 servingURL = urlparse(servingURL).path elif servingURL.startswith("http://"): # Rewrite Serving-URLs to https if we are live servingURL = servingURL.replace( "http://", "https://") except: servingURL = "" try: # only fetching the file header or all if the file is smaller than 1M data = blobstore.fetch_data(upload.key(), 0, min(upload.size, 1000000)) image = images.Image(image_data=data) height = image.height width = image.width except Exception as err: logging.error( "some error occurred while trying to fetch the image header with dimensions" ) logging.exception(err) else: servingURL = "" fileSkel = self.addLeafSkel() fileSkel.setValues({ "name": utils.escapeString(fileName), "size": upload.size, "mimetype": utils.escapeString(upload.content_type), "dlkey": str(upload.key()), "servingurl": servingURL, "parentdir": parentDir, "parentrepo": parentRepo, "weak": weak, "width": width, "height": height }) fileSkel.toDB() res.append(fileSkel) self.onItemUploaded(fileSkel) # Uploads stored successfully, generate response to the client for r in res: logging.info("Upload successful: %s (%s)" % (r["name"], r["dlkey"])) user = utils.getCurrentUser() if user: logging.info("User: %s (%s)" % (user["name"], user["key"])) return self.render.addItemSuccess(res) except Exception as err: logging.exception(err) for upload in self.getUploads(): upload.delete() utils.markFileForDeletion(str(upload.key())) raise errors.InternalServerError()