Check that name is valid in name_from_path
Before it was possible craft XML requests, so that the storage backend got requests with invalid hrefs.
This commit is contained in:
parent
139076faee
commit
d5b8ddd71c
@ -423,7 +423,11 @@ def name_from_path(path, collection):
|
|||||||
start = collection.path + "/"
|
start = collection.path + "/"
|
||||||
if not path.startswith(start):
|
if not path.startswith(start):
|
||||||
raise ValueError("'%s' doesn't start with '%s'" % (path, start))
|
raise ValueError("'%s' doesn't start with '%s'" % (path, start))
|
||||||
return path[len(start):].rstrip("/")
|
name = path[len(start):][:-1]
|
||||||
|
if name and not storage.is_safe_path_component(name):
|
||||||
|
raise ValueError("'%s' is not a component in collection '%s'" %
|
||||||
|
(path, collection.path))
|
||||||
|
return name
|
||||||
|
|
||||||
|
|
||||||
def props_from_request(root, actions=("set", "remove")):
|
def props_from_request(root, actions=("set", "remove")):
|
||||||
|
Loading…
Reference in New Issue
Block a user