def run(tool, filename):
if any(tool in s for s in ALLOWED_TOOLS):
filename = secure_filename(filename)
cmd = tool + ' /tmp/files/' + filename
output = subprocess.Popen(cmd, shell=True,
stdout=subprocess.PIPE).stdout.read()
return output
else:
return 'Unknown tool'
def upload():
if request.method == 'POST':
user = request.headers.get('X-Auth-User')
if not user:
return jsonify({'errno': 401, 'errmsg': 'No Authentication.'})
f = request.files['file']
if not f or f.filename == '':
return jsonify({'errno': 1, 'errmsg': 'File could not empty.'})
secure_name = str(int(time.time() * 1000)) + "-"
secure_name += util.secure_filename(f.filename)
f.save(os.path.join(app.config['UPLOAD_FOLDER'], secure_name))
return jsonify({'errno': 0, 'url': url_for('get', name=secure_name)})
return render_template('upload.html')
def _secure_folder_path(folderpath, skip_existing, keep_unicode):
"""
Splits a folder path, runs each component through the secure_filename
function, and returns the reconstituted folder path. If skip_existing
is True, components of the path that already exist will not be modified.
Raises a ValueError if any of the path components becomes empty.
"""
_, _, f_list = filepath_components(add_sep(folderpath))
built_path = ''
for component in f_list:
if component:
next_path = os.path.join(built_path, component)
if not skip_existing or not path_exists(next_path, require_directory=True):
try:
component = secure_filename(component, keep_unicode)
except ValueError as e:
raise ValueError(unicode(e) + u': ' + component)
built_path = os.path.join(built_path, component)
return built_path
def delete_files_route(filename):
if request.method == 'DELETE':
delete_file(secure_filename(filename))
return jsonify(filename)
def move_file(db_image, target_path, user_account, data_manager, permissions_manager):
"""
Moves an image file to the given new path and filename (the folder component
of which must already exist), adds image history and updates the associated
database records. The image file is effectively renamed if the folder part
of the path remains the same.
The user account must have Delete File permission for the source folder
and Upload File permission for the target folder, or alternatively have
the file admin system permission.
This method creates and commits its own separate database connection
so that the operation is atomic.
Returns the updated image object.
Raises a DoesNotExistError if the source image file does not exist
or the target folder does not exist.
Raises an AlreadyExistsError if the target file already exists.
Raises an IOError or OSError if the target file cannot be created.
Raises a ValueError if the target filename is invalid.
Raises a DBError for database errors.
Raises a SecurityError if the current user does not have sufficient
permission to perform the move or if the target path is outside of
IMAGES_BASE_DIR.
"""
db_session = data_manager.db_get_session()
file_moved = False
success = False
try:
_validate_path_chars(target_path)
target_path = filepath_normalize(target_path)
# Connect db_image to our database session
db_image = data_manager.get_image(db_image.id, _db_session=db_session)
if not db_image:
raise DoesNotExistError('Image ID %d does not exist' % db_image.id)
# Save the old path for rolling back
source_path = db_image.src
source_folder = filepath_parent(source_path)
source_filename = filepath_filename(source_path)
# Get and secure the target filename
target_folder = filepath_parent(target_path)
target_filename = filepath_filename(target_path)
target_filename = secure_filename(
target_filename,
app.config['ALLOW_UNICODE_FILENAMES']
)
target_path = os.path.join(target_folder, target_filename)
# Insist on minimum a.xyz file name (else raise ValueError)
validate_filename(target_filename)
# Target folder must exist
ensure_path_exists(target_folder, require_directory=True)
# Do nothing if target path is the same as the source
if strip_sep(db_image.src, leading=True) == strip_sep(target_path, leading=True):
success = True
return db_image
# Get source and target folder data
db_source_folder = db_image.folder
db_target_folder = auto_sync_existing_folder(
target_folder, data_manager, _db_session=db_session
)
if db_target_folder is None:
raise DoesNotExistError(target_folder) # Should never happen
# Check source file exists
ensure_path_exists(db_image.src, require_file=True)
# Check target file does not exist (we cannot merge)
if path_exists(target_path, require_file=True):
raise AlreadyExistsError('Target file already exists: ' + target_path)
renaming = (db_source_folder == db_target_folder)
# Check permissions for source and destination folders
permissions_manager.ensure_folder_permitted(
db_target_folder,
FolderPermission.ACCESS_UPLOAD,
user_account
)
if not renaming:
permissions_manager.ensure_folder_permitted(
db_source_folder,
FolderPermission.ACCESS_DELETE,
user_account
)
# We know there's no physical target file, but if there is an
# old (deleted) db record for the target path, purge it first
db_old_target_image = data_manager.get_image(
src=target_path, _db_session=db_session
)
if db_old_target_image:
data_manager.delete_image(
db_old_target_image,
purge=True,
_db_session=db_session,
_commit=False
)
# Move the physical file
filesystem_manager.move(source_path, target_path)
file_moved = True
# Update the database
db_image.status = Image.STATUS_ACTIVE
db_image.folder = db_target_folder
data_manager.set_image_src(db_image, target_path)
# Add history
if renaming:
history_info = 'Renamed from ' + source_filename + ' to ' + target_filename
else:
history_info = 'Moved from ' + source_folder + ' to ' + target_folder
data_manager.add_image_history(
db_image,
user_account,
ImageHistory.ACTION_MOVED,
history_info,
_db_session=db_session,
_commit=False
)
# OK!
success = True
return db_image
finally:
# Rollback file move?
if not success and file_moved:
try:
filesystem_manager.move(target_path, source_path)
except:
pass
# Commit or rollback database
try:
if success:
db_session.commit()
else:
db_session.rollback()
finally:
db_session.close()
