From 70dd61b2baeb9de85d7f6e1816df9368a5b18e3f Mon Sep 17 00:00:00 2001 From: Philip Sargent Date: Wed, 13 Sep 2023 18:46:10 +0300 Subject: [PATCH] sanitize filenames --- core/utils.py | 5 +++++ core/views/uploads.py | 10 +++++----- core/views/wallets_edit.py | 2 ++ 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/core/utils.py b/core/utils.py index 9144113..17bd953 100644 --- a/core/utils.py +++ b/core/utils.py @@ -44,6 +44,11 @@ except: pass +def sanitize_name(name): + """Filenames sould not caontain these characters as then the system barf when it tries to use them in URLs + """ + return name.replace("#","-").replace("?","=").replace("&","+").replace(":","^") + def get_process_memory(): usage = resource.getrusage(resource.RUSAGE_SELF) return usage[2] / 1024.0 diff --git a/core/views/uploads.py b/core/views/uploads.py index 232eb5e..999206a 100644 --- a/core/views/uploads.py +++ b/core/views/uploads.py @@ -12,7 +12,7 @@ from troggle.core.models.caves import GetCaveLookup from troggle.core.models.logbooks import LogbookEntry, writelogbook, PersonLogEntry from troggle.core.models.survex import DrawingFile from troggle.core.models.troggle import DataIssue, Expedition, PersonExpedition -from troggle.core.utils import alphabet_suffix, current_expo +from troggle.core.utils import alphabet_suffix, current_expo, sanitize_name from troggle.parsers.people import GetPersonExpeditionNameLookup, known_foreigner # from databaseReset import reinit_db # don't do this. databaseRest runs code *at import time* @@ -399,7 +399,7 @@ def logbookedit(request, year=None, slug=None): "textrows": rows, }, ) - + @login_required_if_public def expofilerename(request, filepath): """Rename any single file in /expofiles/ - eventually. 
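Review bot: `sanitize_name` only swaps the four URL-special characters, so a name such as `../../x` or `/etc/x` passes through unchanged and still reaches `folder / renameto` and `yearpath / newphotographer` in the uploads.py hunks, where pathlib will leave the intended directory (an absolute right-hand operand replaces the left one entirely). Since this function is the single choke point the commit introduces for user-supplied file and directory names, it should also neutralise `/`, `\` and NUL and refuse `.`/`..`; the sketch below does that in the same chained-replace style and returns "" for a name that collapses to nothing, so callers can treat an empty result as invalid. The docstring also has typos ("sould", "caontain", "the system barf") and is rewritten. Whether any existing caller relies on `:` or `/` surviving is not visible from this hunk.
```python
def sanitize_name(name):
    """Reduce a user-supplied file or directory name to a single safe path component.

    URL-special characters are swapped for harmless ones, and path separators
    and NUL are replaced so the result cannot escape the directory it is joined
    onto.  A name that collapses to "", "." or ".." is returned as "" so callers
    can reject it.
    """
    name = (
        name.replace("#", "-").replace("?", "=").replace("&", "+").replace(":", "^")
        .replace("/", "-").replace("\\", "-").replace("\0", "")
    )
    return "" if name in (".", "..") else name
```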
@@ -434,7 +434,7 @@ def expofilerename(request, filepath): print(message) return render(request, "errors/generic.html", {"message": message}) else: - renameto = request.POST["renameto"] + renameto = sanitize_name(request.POST["renameto"]) if (folder / renameto).is_file() or (folder / renameto).is_dir(): rename_bad = renameto @@ -521,7 +521,7 @@ def photoupload(request, folder=None): if "photographer" in request.POST: formd = TextForm(request.POST) if formd.is_valid(): - newphotographer = request.POST["photographer"] + newphotographer = sanitize_name(request.POST["photographer"]) try: (yearpath / newphotographer).mkdir(exist_ok=True) except: @@ -537,7 +537,7 @@ def photoupload(request, folder=None): # NO CHECK that the files being uploaded are image files fs = FileSystemStorage(dirpath) - renameto = request.POST["renameto"] + renameto = sanitize_name(request.POST["renameto"]) actual_saved = [] if multiple: diff --git a/core/views/wallets_edit.py b/core/views/wallets_edit.py index 9f9d02d..19b80f7 100644 --- a/core/views/wallets_edit.py +++ b/core/views/wallets_edit.py @@ -14,6 +14,8 @@ from django.http import HttpResponseRedirect from django.shortcuts import render import settings +from troggle.core.utils import current_expo, sanitize_name + from troggle.core.models.caves import Cave from troggle.core.models.logbooks import LogbookEntry # , PersonLogEntry from troggle.core.models.survex import SurvexBlock, SurvexFile, SurvexPersonRole
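Review bot: `sanitize_name` leaves `/`, `\` and `..` untouched, so after this change `renameto` can still be `../secret` or an absolute path, and `folder / renameto` on the next line then points outside `folder` (with an absolute operand pathlib discards `folder` altogether); the existing-file check does not catch that. Extending the condition that already routes bad names to `rename_bad` is the smallest fix: `if (folder / renameto).is_file() or (folder / renameto).is_dir() or "/" in renameto or "\\" in renameto or renameto in ("", ".", ".."):`. `expofilerename` starts and ends outside this hunk, so how `rename_bad` is reported and what happens to `renameto` afterwards is assumed from the surrounding lines.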
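Review bot: `newphotographer` is used directly as a directory name in `(yearpath / newphotographer).mkdir(exist_ok=True)`, and `sanitize_name` does not remove `/`, `\` or `..`, so a photographer value like `../../tmp` creates a directory outside `yearpath` — unless `TextForm` rejects such input, which is not visible here. A guard before the `try:` along the lines of `if not newphotographer or "/" in newphotographer or "\\" in newphotographer or newphotographer in (".", ".."):` routed to the same error handling as the `except:` branch would close that. The bare `except:` around `mkdir` also swallows the reason (permissions, NUL byte, name too long); `except OSError as e:` with the message logged would make failures diagnosable. `photoupload` starts and ends outside this hunk.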
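Review bot: Here too the sanitised `renameto` is a user-chosen filename heading for `FileSystemStorage(dirpath)`, and `sanitize_name` does not strip path separators or `..`; how `renameto` is later handed to `fs.save()` is outside the hunk, so whether Django's storage layer rejects a traversing name (recent versions raise `SuspiciousFileOperation`) or this code builds the target path itself cannot be confirmed from here. Either way a traversal attempt should be reported to the user the same way a name clash is, rather than surfacing as a 500; checking `"/" in renameto or "\\" in renameto or renameto in ("", ".", "..")` right after the assignment would do that. The first context line's `# NO CHECK that the files being uploaded are image files` is an acknowledged gap that deserves a tracked `# TODO:` rather than a bare remark.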
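Review bot: The diffstat shows `core/views/wallets_edit.py` gains only these two lines, so `sanitize_name` is imported here but not applied to anything in this commit; either wire it into whatever wallets_edit does with user-supplied file or wallet names, or drop it from the import to avoid an unused-name warning. `current_expo` is added in the same line and may be needed by code further down that this hunk does not show. The new import also sits between `import settings` and the `troggle.core.models` group; keeping it with the other `troggle.core` imports would match the grouping the file already uses.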