sanitize filenames

2024-11-21 23:01:52 +00:00 · 2023-09-13 18:46:10 +03:00 · 2023-09-13 18:46:10 +03:00 · 70dd61b2ba
commit 70dd61b2ba
parent 33a485d207
3 changed files with 12 additions and 5 deletions
--- a/core/utils.py
+++ b/core/utils.py
@ -44,6 +44,11 @@ except:
    pass


+def sanitize_name(name):
+    """Filenames sould not caontain these characters as then the system barf when it tries to use them in URLs
+    """
+    return name.replace("#","-").replace("?","=").replace("&","+").replace(":","^")
+
 def get_process_memory():
    usage = resource.getrusage(resource.RUSAGE_SELF)
    return usage[2] / 1024.0
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@ -12,7 +12,7 @@ from troggle.core.models.caves import GetCaveLookup
 from troggle.core.models.logbooks import LogbookEntry, writelogbook, PersonLogEntry
 from troggle.core.models.survex import DrawingFile
 from troggle.core.models.troggle import DataIssue, Expedition, PersonExpedition
-from troggle.core.utils import alphabet_suffix, current_expo
+from troggle.core.utils import alphabet_suffix, current_expo, sanitize_name
 from troggle.parsers.people import GetPersonExpeditionNameLookup, known_foreigner

 # from databaseReset import reinit_db # don't do this. databaseRest runs code *at import time*
@ -399,7 +399,7 @@ def logbookedit(request, year=None, slug=None):
                        "textrows": rows,
                     },
                )
-    
+   
@login_required_if_public
 def expofilerename(request, filepath):
    """Rename any single file in /expofiles/ - eventually.
@ -434,7 +434,7 @@ def expofilerename(request, filepath):
            print(message)
            return render(request, "errors/generic.html", {"message": message})
        else:
-            renameto = request.POST["renameto"]
+            renameto = sanitize_name(request.POST["renameto"])
            
            if (folder / renameto).is_file() or (folder / renameto).is_dir():
                rename_bad = renameto
@ -521,7 +521,7 @@ def photoupload(request, folder=None):
        if "photographer" in request.POST:
            formd = TextForm(request.POST)
            if formd.is_valid():
-                newphotographer = request.POST["photographer"]
+                newphotographer = sanitize_name(request.POST["photographer"])
                try:
                    (yearpath / newphotographer).mkdir(exist_ok=True)
                except:
@ -537,7 +537,7 @@ def photoupload(request, folder=None):
                # NO CHECK that the files being uploaded are image files
                fs = FileSystemStorage(dirpath)

-                renameto = request.POST["renameto"]
+                renameto = sanitize_name(request.POST["renameto"])

                actual_saved = []
                if multiple:
--- a/core/views/wallets_edit.py
+++ b/core/views/wallets_edit.py
@ -14,6 +14,8 @@ from django.http import HttpResponseRedirect
 from django.shortcuts import render

 import settings
+from troggle.core.utils import current_expo, sanitize_name
+
 from troggle.core.models.caves import Cave
 from troggle.core.models.logbooks import LogbookEntry  # , PersonLogEntry
 from troggle.core.models.survex import SurvexBlock, SurvexFile, SurvexPersonRole