Sanitize slug input on media edit

Previously we allowed EVERYTHING, even slashes, as a slug when editing the media.
Make sure we slugify the input to sanitize it.

(+ string formdata is unicode, so there is no need to convert it)

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Sebastian Spaeth 2013-01-09 12:38:08 +01:00
parent 7525cdf9eb
commit 4ca0755ab6


@ -32,6 +32,7 @@ from mediagoblin.tools.response import render_to_response, redirect
from mediagoblin.tools.translate import pass_to_ugettext as _ from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.tools.text import ( from mediagoblin.tools.text import (
convert_to_tag_list_of_dicts, media_tags_as_string) convert_to_tag_list_of_dicts, media_tags_as_string)
from mediagoblin.tools.url import slugify
from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
import mimetypes import mimetypes
@ -57,22 +58,20 @@ def edit_media(request, media):
if request.method == 'POST' and form.validate(): if request.method == 'POST' and form.validate():
# Make sure there isn't already a MediaEntry with such a slug # Make sure there isn't already a MediaEntry with such a slug
# and userid. # and userid.
slug_used = check_media_slug_used(media.uploader, request.form['slug'], slug = slugify(request.form['slug'])
media.id) slug_used = check_media_slug_used(media.uploader, slug, media.id)
if slug_used: if slug_used:
form.slug.errors.append( form.slug.errors.append(
_(u'An entry with that slug already exists for this user.')) _(u'An entry with that slug already exists for this user.'))
else: else:
media.title = unicode(request.form['title']) media.title = request.form['title']
media.description = unicode(request.form.get('description')) media.description = request.form.get('description')
media.tags = convert_to_tag_list_of_dicts( media.tags = convert_to_tag_list_of_dicts(
request.form.get('tags')) request.form.get('tags'))
media.license = unicode(request.form.get('license', '')) or None media.license = unicode(request.form.get('license', '')) or None
media.slug = slug
media.slug = unicode(request.form['slug'])
media.save() media.save()
return redirect(request, return redirect(request,