upload/edit: sanitize some string fields
This commit introduces a regex that replaces illegal (expected to be unused) characters in the torrent display name, information link and description on upload or edit. Fixes #541
parent
a6d800b4ca
commit
95238ce835
|
@ -1,5 +1,6 @@
|
|||
import json
|
||||
import os
|
||||
import re
|
||||
from datetime import datetime, timedelta
|
||||
from ipaddress import ip_address
|
||||
|
||||
|
@ -29,6 +30,14 @@ FILENAME_BLACKLIST = [
|
|||
'lpt0', 'lpt1', 'lpt2', 'lpt3', 'lpt4', 'lpt5', 'lpt6', 'lpt7', 'lpt8', 'lpt9',
|
||||
]
|
||||
|
||||
# Invalid RSS characters regex, used to sanitize some strings
|
||||
ILLEGAL_XML_CHARS_RE = re.compile(u'[\x00-\x08\x0b\x0c\x0e-\x1F\uD800-\uDFFF\uFFFE\uFFFF]')
|
||||
|
||||
|
||||
def sanitize_string(string, replacement='\uFFFD'):
|
||||
''' Simply replaces characters based on a regex '''
|
||||
return ILLEGAL_XML_CHARS_RE.sub(replacement, string)
|
||||
|
||||
|
||||
class TorrentExtraValidationException(Exception):
|
||||
def __init__(self, errors={}):
|
||||
|
@ -200,6 +209,11 @@ def handle_torrent_upload(upload_form, uploading_user=None, fromAPI=False):
|
|||
information = (upload_form.information.data or '').strip()
|
||||
description = (upload_form.description.data or '').strip()
|
||||
|
||||
# Sanitize fields
|
||||
display_name = sanitize_string(display_name)
|
||||
information = sanitize_string(information)
|
||||
description = sanitize_string(description)
|
||||
|
||||
torrent_filesize = info_dict.get('length') or sum(
|
||||
f['length'] for f in info_dict.get('files'))
|
||||
|
||||
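Review bot: The three `sanitize_string` calls added under `# Sanitize fields` in `handle_torrent_upload` clean the values only when a torrent is written, so rows stored before this commit would still carry the XML-illegal characters; nothing visible on this page adds a cleanup of existing rows or applies the filter where the RSS output is rendered. Applying `sanitize_string` at that output boundary as well (or running a one-off cleanup) would keep the feed valid without relying on every write path remembering the call. Separately, replacing a C0 control such as `\x00` (1 byte in UTF-8) with the default U+FFFD (3 bytes) makes the encoded value longer, so if any length limit on these fields is counted in bytes and was checked before this point, a value could grow past it; worth confirming. The docstring on `sanitize_string` could name what is replaced and why, for example `''' Replace characters that are not legal in XML 1.0 (used by the RSS feed) with replacement '''`. `handle_torrent_upload` starts and ends outside the hunk.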
|
|
|
@ -106,9 +106,9 @@ def edit_torrent(torrent_id):
|
|||
# Form has been sent, edit torrent with data.
|
||||
torrent.main_category_id, torrent.sub_category_id = \
|
||||
form.category.parsed_data.get_category_ids()
|
||||
torrent.display_name = (form.display_name.data or '').strip()
|
||||
torrent.information = (form.information.data or '').strip()
|
||||
torrent.description = (form.description.data or '').strip()
|
||||
torrent.display_name = backend.sanitize_string((form.display_name.data or '').strip())
|
||||
torrent.information = backend.sanitize_string((form.information.data or '').strip())
|
||||
torrent.description = backend.sanitize_string((form.description.data or '').strip())
|
||||
|
||||
torrent.hidden = form.is_hidden.data
|
||||
torrent.remake = form.is_remake.data
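Review bot: The strip-then-sanitize expression is written out three times on the new `torrent.display_name`, `torrent.information` and `torrent.description` assignments, separately from the upload path, so the rule that stored text has no XML-illegal characters rests on two hand-maintained call sites. Any later code that assigns these attributes without `backend.sanitize_string` would silently reintroduce the characters. A single shared helper (name is only a suggestion) such as `def clean_text_field(value): return sanitize_string((value or '').strip())` in the backend module, called from both paths, would keep the two in step; a filter on the form fields would do the same if both forms define them, which is not visible here. `edit_torrent` begins and ends outside the hunk.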
|
||||
|
|