def process_file(self, file_id, model_version):
""" Codes the input file to different SOC categories """
# get configuration
config = self.config['soccer']
input_dir = config['input_dir']
output_dir = config['output_dir']
model_filepath = config['model_file']
# specify input/output filepaths
input_filepath = safe_join(input_dir, file_id)
output_path = safe_join(output_dir, file_id)
output_filepath = output_path + '.csv'
plot_filepath = output_path + '.png'
# save parameters as json file
with open(output_path + '.json', 'w') as f:
json.dump({
'file_id': file_id,
'model_version': model_version
}, f)
# results are written to output_filepath
code_file(
input_filepath=input_filepath,
output_filepath=output_filepath,
model_version=model_version,
model_filepath=model_filepath
)
plot_results(
results_filepath=output_filepath,
plot_filepath=plot_filepath
)
def up_file(filename, fname, foldername):
path = safe_join(os.path.join(app.config['uploads'], foldername))
if path is None:
abort(404)
files = os.listdir(path)
if not files:
abort(404)
path = safe_join(os.path.join(path, fname))
return send_from_directory(path, filename)
def unique_filename(self, save_directory=config.UPLOAD_DIR) -> str:
unique_name = '{}{}'.format(self.original_filename, self.extension)
filepath = safe_join(save_directory, unique_name)
c = itertools.count()
while os.path.exists(filepath):
unique_name = '{}_{}{}'.format(self.original_filename, next(c),
self.extension)
filepath = safe_join(save_directory, unique_name)
return unique_name
def test_safe_join_os_sep():
import werkzeug.security as sec
prev_value = sec._os_alt_seps
sec._os_alt_seps = "*"
assert safe_join("foo", "bar/baz*") is None
sec._os_alt_steps = prev_value
def save(self, save_directory=config.UPLOAD_DIR) -> None:
"""Saves the file to `UPLOAD_DIR`."""
if os.path.isdir(save_directory) is False:
os.makedirs(save_directory)
save_path = safe_join(save_directory, self.get_filename())
self.__file.save(save_path)
def download(filename):
path = safe_join(current_app.config['VIDEO_FOLDER'], filename)
print(path)
if not os.path.isfile(path):
# zip the folder
zip_in_memory = BytesIO()
with zipfile.ZipFile(
zip_in_memory,
'w',
compression=zipfile.ZIP_DEFLATED,
) as zf:
for dirpath, dirs, files in walk(path):
for f in files:
fn = os.path.join(dirpath, f)
zf.write(fn, os.path.relpath(fn, path))
zip_in_memory.seek(0)
zipname = os.path.basename(path) + '.zip'
return send_file(zip_in_memory,
attachment_filename=zipname,
as_attachment=True)
else:
return send_file(path,
attachment_filename=os.path.basename(path),
as_attachment=True)
def get_path_or_file(self, path):
"""Return a path/file for a static file (e.g. an image).
Renderers can either return a filename, or an opened file-like object.
(A filename will likely be better for performance.)
"""
return safe_join(self.path, path)
def test_safe_join_os_sep():
import werkzeug.security as sec
prev_value = sec._os_alt_seps
sec._os_alt_seps = "*"
assert safe_join("foo", "bar/baz*") is None
sec._os_alt_steps = prev_value
def load_post(filename: str,
meta_only: bool = False) -> Optional[Dict[str, Any]]:
# parse the filename (yyyy-MM-dd-post-title.md)
try:
year, month, day, name = os.path.splitext(filename)[0].split(
"-", maxsplit=3)
year, month, day = int(year), int(month), int(day)
except ValueError:
return None
# load post entry
fullpath = safe_join(posts_folder, filename)
if fullpath is None:
return None
post = load_entry(fullpath, meta_only=meta_only)
if post is None: # note that post may be {}
return None
# add some fields
post["filename"] = filename
post["url"] = url_for(
".post",
year=f"{year:0>4d}",
month=f"{month:0>2d}",
day=f"{day:0>2d}",
name=name,
)
# ensure *title* field
if "title" not in post:
post["title"] = " ".join(name.split("-"))
# ensure *created* field
if "created" not in post:
post["created"] = datetime(year=year, month=month, day=day)
return post
def upload_file():
"""
Endpoint called after submitting a file to upload
it creates a path and filename and saves it to the folder
defined in app.config['UPLOAD_FOLDER'] in the init file.
Then shows a message and redirects to /upload.
:return: A file is uploaded to the 'uploads' folder
"""
dupl_counter = 0 # Variable to store count of files with the same name and append it to new uploaded file.
if request.method == 'POST':
f = request.files['file']
from Riki import app
if platform.system() == 'Windows':
path_and_filename = os.path.join(app.config['UPLOAD_FOLDER'],
f.filename)
else:
path_and_filename = safe_join(app.config['UPLOAD_FOLDER'],
secure_filename(f.filename))
original_name = path_and_filename
while os.path.exists(path_and_filename):
dupl_counter += 1
txt_append = " (" + str(dupl_counter) + ")"
path_and_filename = original_name + txt_append
dupl_counter = 0
f.save(path_and_filename)
flash('File successfully uploaded')
return redirect('/upload')
def upload_image():
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ['jpg', 'png']
file = request.files['upload']
error = ''
if not file:
return jsonify(uploaded=0, error={'message': 'Please select a file.'})
elif not allowed_file(file.filename):
return jsonify(uploaded=0,
error={'message': 'File extension not allowed.'})
else:
filename = file.filename
extension = '.' + filename.rsplit('.', 1)[1]
filename = hashlib.md5(
(filename +
str(datetime.utcnow())).encode('utf-8')).hexdigest() + extension
filepath = safe_join(current_app.config['IMAGE_UPLOAD_FOLDER'],
filename)
if not filepath:
return jsonify(uploaded=0, error={'message': 'Filename illegal.'})
file.save(filepath)
callback = request.args.get('CKEditorFuncNum')
url = url_for('upload.fetch', filename=filename)
res = """
<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction(%s, '%s', '%s')</script>
""" % (callback, url, error)
return res, 200, {"Content-Type": "text/html"}
def user(username):
user = User.query.filter_by(username=username).first_or_404()
page = request.args.get('page', 1, type=int)
pagination = user.posts.order_by(Post.timestamp.desc()).paginate(
page,
per_page=current_app.config['FLASK_POSTS_PER_PAGE'],
error_out=False)
posts = pagination.items
if user == current_user:
form = ImgForm()
from manage import app
if form.validate_on_submit():
current_user.img = form.picture.data.filename
if current_user.img and user.allowed_img(current_user.img):
imgdest = safe_join(app.config['UPLOAD_FOLDER'],
current_user.img)
form.picture.data.save(imgdest)
db.session.add(current_user)
return redirect(url_for('main.user', username=username))
return render_template('user.html',
form=form,
user=user,
posts=posts,
pagination=pagination)
return render_template('user.html',
user=user,
posts=posts,
pagination=pagination)
def get_allowed_path(self,
user_id: str,
parts: List[str],
source_dir: str = 'files') -> Optional[str]:
"""Check if file name matches allowed pattern.
Args:
user_id: The identifier of the user.
parts: List of all directory names and the filename.
source_dir: Top level folder name inside user folder. This can either be 'files' or 'jobs' in the current
setup. Defaults to the files directory ('files').
Returns:
The file path if it is allowed otherwise None.
"""
files_dir, jobs_dir = self.setup_user_folder(user_id)
if source_dir == 'files':
out_dir = files_dir
else:
out_dir = jobs_dir
filename = parts.pop(-1)
for part in parts:
if re.fullmatch(self.allowed_dirname, part) is None:
return None
if re.fullmatch(self.allowed_filename, filename) is None:
return None
parts.append(filename)
return safe_join(out_dir, *parts)
def delete(path):
real_path = Path(safe_join(os.fspath(app.config["UPLOAD_FOLDER"]), os.fspath(path)))
if not real_path.exists() or not real_path.is_file():
abort(Response(f"File {str(path)} not found", 404))
real_path.unlink()
return json.dumps(str(path)), 200
def browse():
generated_path = safe_join(normalise_relative_path(GENERATED_LISTING_DIR),
'years_listing.html')
content = open(generated_path).read()
return render_template('issue_browser.html',
current_year=datetime.now().year,
content=content)
def upload_image():
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1].lower() in ['jpg', 'png']
file = request.files['upload']
error = ''
if not file:
return jsonify(uploaded=0, error={'message': 'Please select a file.'})
elif not allowed_file(file.filename):
return jsonify(uploaded=0, error={'message': 'File extension not allowed.'})
else:
filename = file.filename
extension = '.' + filename.rsplit('.', 1)[1]
filename = hashlib.md5((filename + str(datetime.utcnow())).encode('utf-8')).hexdigest() + extension
filepath = safe_join(current_app.config['IMAGE_UPLOAD_FOLDER'], filename)
if not filepath:
return jsonify(uploaded=0, error={'message': 'Filename illegal.'})
file.save(filepath)
callback = request.args.get('CKEditorFuncNum')
url = url_for('upload.fetch', filename=filename)
res = """
<script type="text/javascript">window.parent.CKEDITOR.tools.callFunction(%s, '%s', '%s')</script>
""" % (callback, url, error)
return res, 200, {"Content-Type": "text/html"}
def upload_photo():
#设置随机数
file_num = random.randint(0, 20)
#获取jquery发来的文件
file = request.files["file"]
#这是文件名字
file_name = session["user_name"] + str(file_num) + file.filename
#将文件的路径转为安全的。
file_path = security.safe_join("images/", file_name)
file.save(file_path)
#将文件大小加入session
file_size = os.path.getsize(file_path)
session["file_size"] = file_size
#将文件路径加入session
session["file_path"] = file_path
#将文件标题加入session
session["file_title"] = request.form["title"]
#调用函数插入数据库数据
result = up_load_photo()
if result:
#完成后返回数据,提示已经上传成功。
return "文件上传成功"
else:
return "文件上传失败,请检查网络和文件等,重新上传。"
def DocumentRoot(root, path, status):
safe = security.safe_join(root, path)
print '"%s" + "%s" ==> "%s"' % (root, path, safe)
mime = guess_mimetype(path)
mtime = os.stat(safe).st_mtime
return FileResponse(safe, mime, status)
def package(app, request, path):
# Get our filename and filepath from the request path
filename = os.path.basename(path)
filepath = safe_join(os.path.abspath(app.config.paths.packages), path)
# If we cannot safely join the requested path with our directory
# return a 404
if filepath is None:
raise NotFound("{} was not found".format(filename))
# Open the file and attempt to wrap in the wsgi.file_wrapper if it's
# available, otherwise read it directly.
try:
fp = open(filepath, "rb")
data = wrap_file(request.environ, fp)
except IOError:
raise NotFound("{} was not found".format(filename))
# Get the project name and normalize it
lookup_filename = filename[:-4] if filename.endswith(".asc") else filename
project = app.db.packaging.get_project_for_filename(lookup_filename)
# Get the MD5 hash of the file
content_md5 = app.db.packaging.get_filename_md5(filename)
headers = {}
# Add in additional headers if we're using Fastly
headers["Surrogate-Key"] = " ".join(
fastly.projects.format_keys(project=project), )
# Look up the last serial for this file
serial = app.db.packaging.get_last_serial(project)
if serial is not None:
headers["X-PyPI-Last-Serial"] = serial
# Pass through the data directly to the response object
resp = Response(
data,
headers=headers,
mimetype=get_mimetype(filename),
direct_passthrough=True,
)
# Setup the Last-Modified header
resp.last_modified = os.path.getmtime(filepath)
# Setup the Content-Length header
resp.content_length = os.path.getsize(filepath)
if content_md5:
# Setup the Content-MD5 headers
resp.content_md5 = content_md5
# Setup Conditional Responses
resp.set_etag(content_md5)
resp.make_conditional(request)
return resp
def uploaded_file(folder, filename):
path = os.path.join(app.config['UPLOAD_FOLDER'], folder)
filepath = safe_join(path, filename)
if not os.path.isabs(filepath):
filepath = os.path.join(app.root_path, filepath)
if not os.path.isfile(filepath):
raise NotFound()
return send_file(filepath)
def download_report_file(report_id):
wh = get_warehouse()
report = get_or_404(wh.get_report, report_id, _exc=KeyError)
file_path = safe_join(wh.reports_path, report.filename)
if not path(file_path).isfile():
flask.abort(404)
return flask.send_file(file_path, as_attachment=True,
attachment_filename=report.filename)
def add_profile_picture(username, file):
filename = secure_filename(file.filename)
extension = filename.split('.')[1]
directory = safe_join(os.path.join(current_app.config['UPLOAD_FOLDER']), username)
if not os.path.exists(directory):
print("No existe")
os.makedirs(directory)
print("Salio")
idx_act = 0
picture_name = "%i.%s" % (idx_act, extension)
path_picture = safe_join(os.path.join(directory), picture_name)
while os.path.exists(path_picture):
idx_act += 1
picture_name = "%i.%s" % (idx_act, extension)
path_picture = safe_join(os.path.join(directory), picture_name)
file.save(path_picture)
return picture_name
def get_user_path():
"""Returns the path of the current user's temp directory.
Uses security.safe_join to check for directory traversal attacks.
Returns:
Path to the user directory.
"""
return security.safe_join(TEMP, flask.g.user_id)
def download(name, filename):
wh = get_warehouse()
parcel = get_or_404(wh.get_parcel, name, _exc=KeyError)
file_path = safe_join(parcel.get_path(), filename)
if not path(file_path).isfile():
flask.abort(404)
return flask.send_file(file_path,
as_attachment=True,
attachment_filename=filename)
def get_datastreams(feed):
headers = {"X-ApiKey": feed.api_key}
url = safe_join(API_URL, str(feed.xively_id))
try:
r = requests.get(url, headers=headers)
decoded_data = r.json()
except Exception, e:
flash("Xively request failed")
response = "error"
return response
def secure_filepath(filepath):
''' Ensures this will be a sanitized relative path
'''
secured_filepath = safe_join('.', filepath)
assert secured_filepath is not None, "Filepath wasn't secure"
secured_filepath = secured_filepath[2:]
if not secured_filepath:
logger.warn("Filepath became empty while securing")
return ''
return secured_filepath
def _safe_path_join(root: Path, untrusted: str) -> Path:
"""Join a Path element with an untrusted str.
This is a convenience wrapper for werkzeug's safe_join,
raising a ValueError if the path is malformed."""
untrusted_parts = Path(untrusted).parts
joined = safe_join(root.as_posix(), *untrusted_parts)
if joined is None:
raise ValueError("Untrusted paths.")
return Path(joined)
def delete(filename: str) -> bool:
"""Deletes the file from `config.UPLOAD_DIR`, if it exists."""
file_path = safe_join(config.UPLOAD_DIR, filename)
if os.path.isfile(file_path) is False:
return False
os.remove(file_path)
return True
def get_datapoint(datastream, timestamp):
timestamp = datetime.combine(timestamp, datetime.min.time())
timestamp = timestamp.isoformat()
headers = {"X-ApiKey": datastream.feed.api_key}
url = safe_join(API_URL, str(datastream.feed.xively_id))
url = url + "/datastreams/"
url = safe_join(url, datastream.xively_id)
url = url + ".json?duration=" + "1seconds"
url = url + "&function=average&limit=1"
url = url + "&end=" + timestamp
try:
r = requests.get(url, headers=headers)
decoded_data = r.json()
value = decoded_data["datapoints"][0]["value"]
return float(value)
except Exception, e:
flash("Lookup failed for " + datastream.info + " at " + timestamp)
return False
def download(name, filename):
from werkzeug.security import safe_join
wh = get_warehouse()
parcel = get_or_404(wh.get_parcel, name, _exc=KeyError)
file_path = safe_join(parcel.get_path(), filename)
if not path(file_path).isfile():
flask.abort(404)
return flask.send_file(file_path,
as_attachment=True,
attachment_filename=filename)
def get_directory(sub_dir=None, file_name=None):
dir_name = 'measures'
path = dir_name
if not sub_dir is None:
path = safe_join(dir_name, sub_dir)
if not file_name is None:
path = safe_join(path, file_name)
if os.path.isfile(path): return get_graph()
if path is None:
abort(404)
files = os.listdir(path)
return render_template('soubory.html',
files=files,
sub_dir=sub_dir,
file_name=file_name,
path=path)
def add_song():
if 'add_entry' in request.form:
entry_info = request.form['add_entry']
entry_parts = entry_info.split('+')
dirid = entry_parts[0]
pathname = safe_join(app.config['MUSIC_PATH'],entry_parts[1])
name = request.form['name'+str(dirid)]
if not name or name == '':
name = path.split(pathname)[1]
append_playlist(name, pathname)
return redirect(url_for('playlist'))
def loader(path):
if path is not None:
path = safe_join(directory, path)
else:
path = directory
if path is not None:
if os.path.isdir(path):
path = posixpath.join(path, 'index.html')
if os.path.isfile(path):
return os.path.basename(path), self._opener(path)
return None, None
def get_safe_filename(name):
name, ext = os.path.splitext(name) # pull off for later
name = ''.join(os.path.split(name)) # take any directory tricks out
name = safe_join('', name) or '' # goodbye any lingering tricks
if name not in ('', '.'):
# atomically reserve a unique filename
with NamedTemporaryFile(dir=drop_dir, delete=False,
prefix=name, suffix=ext) as safe_file:
safe_filepath = safe_file.name
return os.path.split(safe_filepath)[-1] # just the filename
else:
return None
def get_dataset(datastream, zoom_level, timeStamp):
headers = {"X-ApiKey": datastream.feed.api_key}
url = safe_join(API_URL, str(datastream.feed.xively_id))
url = url + "/datastreams/"
url = safe_join(url, datastream.xively_id)
url = url + ".json?duration=" + zoom[zoom_level]["duration"]
url = url + "&interval=" + zoom[zoom_level]["interval"]
url = url + "&function=average&find_previous"
if timeStamp != None:
url = url + "&end=" + timeStamp
try:
r = requests.get(url, headers=headers)
decoded_data = r.text
decoded_data = json.loads(decoded_data)
decoded_data.update({"zoom_level": zoom_level})
decoded_data = json.dumps(decoded_data)
return decoded_data
except Exception, e:
flash("Xively request failed")
response = "error"
return False
def get_path(file_name, suffix=""):
"""Returns a safe path in the user's temp directory.
Uses security.safe_join to check for directory traversal attacks.
Args:
file_name: Text filename.
suffix: Text filename suffix. Defaults to ''.
Returns:
Path to the requested file.
"""
return security.safe_join(get_user_path(), f"{file_name}{suffix}")
def upload_song():
songfile = request.files['file']
if (songfile):
if (songfile.filename.endswith('.mp3')):
file_path = safe_join(app.config['MUSIC_PATH'], songfile.filename)
songfile.save(file_path)
name = request.form['name']
if (not name or name == ''):
name = path.split(file_path)[1]
append_playlist(name, file_path)
else: #not mp3 file
flash('File must be an mp3 file')
return redirect(url_for('playlist'))
def submit():
""" Codes the input file to different SOC categories """
# get parameters
file_id = request.form['file_id']
model_version = request.form['model_version']
# get configuration
input_dir = app.config['soccer']['input_dir']
output_dir = app.config['soccer']['output_dir']
model_filepath = app.config['soccer']['model_file']
# specify input/output filepaths
input_filepath = safe_join(input_dir, file_id)
parameters_filepath = safe_join(output_dir, file_id + '.json')
output_filepath = safe_join(output_dir, file_id + '.csv')
plot_filepath = safe_join(output_dir, file_id + '.png')
# save form parameters as json file
with open(parameters_filepath, 'w') as f:
json.dump(request.form, f)
# results are written to output_filepath
code_file(
input_filepath=input_filepath,
output_filepath=output_filepath,
model_version=model_version,
model_filepath=model_filepath
)
plot_results(
results_filepath=output_filepath,
plot_filepath=plot_filepath
)
return jsonify({
'file_id': file_id
})
def upload():
results = []
for filename, file in request.files.items():
if not filename:
continue
file_path = filename.lstrip(os.sep)
safe_path = safe_join(app.config["UPLOAD_FOLDER"], file_path)
if safe_path is None:
raise NotFound()
target = Path(safe_path)
target.parent.mkdir(parents=True, exist_ok=True)
file.save(str(target))
results.append(file_path)
return json.dumps(results), 200
def image_upload():
if request.method == 'POST':
form = ImageForm(request.form)
if form.validate():
image_file = request.files['file']
filename = security.safe_join(app.config['IMAGES_DIR'],
image_file.filename)
image_file.save(filename)
flash('Saved %s' % os.path.basename(filename), 'success')
return redirect(url_for('entries.index'))
else:
form = ImageForm()
return render_template('entries/image_upload.html', form=form)
def inject_url_defaults(self, endpoint, values):
super().inject_url_defaults(endpoint, values)
if endpoint == 'static' and 'filename' in values:
filepath = safe_join(self.static_folder, values['filename'])
h = self._hash_cache.get(filepath)
if h is not None:
values['h'] = h
return
if os.path.isfile(filepath):
h = hashlib.md5()
with open(filepath, 'rb') as f:
h.update(f.read())
h = h.hexdigest()
self._hash_cache[filepath] = h
values['h'] = h
def delete_report(report_id):
if not auth.authorize(['ROLE_ADMIN']):
return flask.abort(403)
wh = get_warehouse()
report = get_or_404(wh.get_report, report_id, _exc=KeyError)
lot_code = report.lot
if flask.request.method == 'POST':
file_path = safe_join(wh.reports_path, report.filename)
if file_path.exists():
file_path.unlink()
wh.delete_report(report_id)
flask.flash('Report was deleted.', 'system')
url = flask.url_for('parcel.lot', code=lot_code)
return flask.redirect(url)
return flask.render_template('report_delete.html', report=report)
def resolve_artifact(self, url_path, pad=None, redirect_slash=True):
"""Resolves an artifact and also triggers a build if necessary.
Returns a tuple in the form ``(artifact_name, filename)`` where
`artifact_name` can be `None` in case a file was targeted explicitly.
"""
if pad is None:
pad = self.get_pad()
artifact_name = filename = record_path = alt = None
# We start with trying to resolve a source and then use the
# primary
source = pad.resolve_url_path(url_path)
if source is not None:
# If the request path does not end with a slash but we
# requested a URL that actually wants a trailing slash, we
# append it. This is consistent with what apache and nginx do
# and it ensures our relative urls work.
if (
not url_path.endswith("/")
and source.url_path != "/"
and source.url_path != url_path
):
return abort(append_slash_redirect(request.environ))
with CliReporter(self.env, verbosity=self.verbosity):
builder = self.get_builder(pad)
prog, _ = builder.build(source)
artifact = prog.primary_artifact
if artifact is not None:
artifact_name = artifact.artifact_name
filename = artifact.dst_filename
alt = source.alt
if isinstance(source, Record):
record_path = source.record.path
if filename is None:
path_list = url_path.strip("/").split("/")
if sys.platform == "win32":
filename = os.path.join(self.output_path, *path_list)
else:
filename = safe_join(self.output_path, *path_list)
return ResolveResult(artifact_name, filename, record_path, alt)
def user(username):
user = User.query.filter_by(username=username).first_or_404()
page = request.args.get('page', 1, type=int)
pagination = user.posts.order_by(Post.timestamp.desc()).paginate(
page, per_page=current_app.config['FLASK_POSTS_PER_PAGE'],
error_out=False)
posts = pagination.items
if user == current_user:
form = ImgForm()
from manage import app
if form.validate_on_submit():
current_user.img = form.picture.data.filename
if current_user.img and user.allowed_img(current_user.img):
imgdest = safe_join(app.config['UPLOAD_FOLDER'], current_user.img)
form.picture.data.save(imgdest)
db.session.add(current_user)
return redirect(url_for('main.user', username=username))
return render_template('user.html', form=form, user=user, posts=posts, pagination=pagination)
return render_template('user.html', user=user, posts=posts, pagination=pagination)
def textedit(fname):
ipath = safe_join('temp', fname)
if fname is None:
return "Invalid filename"
data = flask.request.args or {}
cuts = data.get('cuts')
try:
cuts = json.loads(cuts)
except:
return "Can't load cuts as JSON"
# make sure that we have a list of 4 int lists
if type(cuts) != list or not \
all(type(l) is list and len(l) == 4 and
all(type(e) is int for e in l) for l in cuts):
return "Invalid cut data", 400
try:
img = Image.open(ipath)
except:
return "Image not found", 404
if cuts:
#cuts = sorted(cuts)
new = make_cuts(img, cuts)
else:
new = [img]
try:
outimgs = []
for im in new:
outimgs.append({
"url": make_data_url(im),
"pos": ",".join(str(i) for i in im._cut_pos)
})
except Exception as e:
try:
estr = str(e)
except:
estr = "??"
traceback.print_exc()
return "Cut data caused error: "+estr, 400
return flask.render_template("text.html", outimgs=outimgs, enumerate=enumerate)
def serve_route():
if not session.get('logged_in'):
return login_route()
if request.method == "POST":
filename = request.form['filename']
file = request.files['file']
if filename == "": filename = file.filename
if '/' in filename:
flash("Invalid filename! Cannot contain `/`.", category="error")
elif filename == "":
flash("No file detected!", category="error")
else:
file.save(safe_join(config['UPLOAD_DIR'], filename))
flash("File uploaded!", category="success")
return render_template("index.html")
def load_page(rel_url: str) -> Optional[Dict[str, Any]]:
# convert relative url to full file path
pathnames = rel_url.split("/")
fullpath = safe_join(pages_folder, *pathnames)
if fullpath is None:
return None
if fullpath.endswith(os.path.sep): # /foo/bar/
fullpath = os.path.join(fullpath, "index.md")
elif fullpath.endswith(".html"): # /foo/bar.html
fullpath = os.path.splitext(fullpath)[0] + ".md"
else: # /foo/bar
fullpath += ".md"
# load page entry
page = load_entry(fullpath)
if page is None:
return None
page["url"] = url_for(".page", rel_url=rel_url)
# ensure *title* field
if "title" not in page:
name = os.path.splitext(os.path.basename(fullpath))[0]
page["title"] = " ".join(name.split("-"))
return page
def change_user_username_folder(current_username, new_username): directory = safe_join(os.path.join(current_app.config['UPLOAD_FOLDER']), current_username) if os.path.exists(directory): new_directory = safe_join(os.path.join(current_app.config['UPLOAD_FOLDER']), new_username) os.rename(directory, new_directory)
def get_file(filename, username): filename = safe_join(os.path.join(username), filename) upload_folder = safe_join(os.path.join(os.getcwd()), current_app.config['UPLOAD_FOLDER']) print(filename) return send_from_directory(upload_folder, filename)
def package(app, request, path):
# Get our filename and filepath from the request path
filename = os.path.basename(path)
filepath = safe_join(
os.path.abspath(app.config.paths.packages),
path
)
# If we cannot safely join the requested path with our directory
# return a 404
if filepath is None:
raise NotFound("{} was not found".format(filename))
# Open the file and attempt to wrap in the wsgi.file_wrapper if it's
# available, otherwise read it directly.
try:
fp = open(filepath, "rb")
data = wrap_file(request.environ, fp)
except IOError:
raise NotFound("{} was not found".format(filename))
# Get the project name and normalize it
lookup_filename = filename[:-4] if filename.endswith(".asc") else filename
project = app.db.packaging.get_project_for_filename(lookup_filename)
normalized = normalize(project)
# Get the MD5 hash of the file
content_md5 = app.db.packaging.get_filename_md5(filename)
headers = {}
# Add in additional headers if we're using Fastly
headers.update({
"Surrogate-Key": " ".join([
"package",
"package~{}".format(normalized),
]),
})
# Look up the last serial for this file
serial = app.db.packaging.get_last_serial(project)
if serial is not None:
headers["X-PyPI-Last-Serial"] = serial
# Pass through the data directly to the response object
resp = Response(
data,
headers=headers,
mimetype=get_mimetype(filename),
direct_passthrough=True,
)
# Setup the Last-Modified header
resp.last_modified = os.path.getmtime(filepath)
# Setup the Content-Length header
resp.content_length = os.path.getsize(filepath)
if content_md5:
# Setup the Content-MD5 headers
resp.content_md5 = content_md5
# Setup Conditional Responses
resp.set_etag(content_md5)
resp.make_conditional(request)
return resp
def _resolve_path(self, path):
full_path = safe_join(self.path, path)
if full_path is None:
raise ValueError('Invalid path: {}'.format(path))
return full_path
def test_safe_join_os_sep():
import werkzeug.security as sec
prev_value = sec._os_alt_seps
sec._os_alt_seps = '*'
assert safe_join('foo', 'bar/baz*') is None
sec._os_alt_steps = prev_value
def uploaded_image(farm_id, filename):
print(safe_join(app.config['UPLOAD_FOLDER']+'produce/' + str(farm_id), filename))
return send_from_directory(app.config['UPLOAD_FOLDER']+'produce/' + str(farm_id)+'/',
filename)
def _path_for(fname):
path = safe_join(current_app.config['NOTES_DIR'], fname)
return path
def test_safe_join():
assert safe_join("foo", "bar/baz") == posixpath.join("foo", "bar/baz")
assert safe_join("foo", "../bar/baz") is None
if os.name == "nt":
assert safe_join("foo", "foo\\bar") is None
def test_safe_join(self):
assert safe_join('foo', 'bar/baz') == os.path.join('foo', 'bar/baz')
assert safe_join('foo', '../bar/baz') is None
if os.name == 'nt':
assert safe_join('foo', 'foo\\bar') is None
def test_safe_join(self):
"""Test the safe joining helper"""
assert safe_join('foo', 'bar/baz') == os.path.join('foo', 'bar/baz')
assert safe_join('foo', '../bar/baz') is None
if os.name == 'nt':
assert safe_join('foo', 'foo\\bar') is None
def joinpath(base, path):
'''Shorthand for returning a normalised & joined path'''
return os.path.normpath(safe_join(base, path))
def delete_testcase(pid, fname):
datadir = os.path.join(app.config['TESTCASE_FOLDER'], str(pid))
filename = safe_join(datadir, fname)
if os.path.exists(filename):
os.remove(filename)
return redirect(url_for('admin.manage_data', pid=pid))
