From c967b831c624f480636abc6d246ca8be5afde015 Mon Sep 17 00:00:00 2001
From: Nicolas F
Date: Sat, 27 Oct 2018 16:13:44 +0200
Subject: [PATCH] backend: blacklist Windows reserved filenames (#527)

Windows has a few special filenames that it does not allow the explorer.exe and command line to see, but can still be created by applications. This is due to some jank DOS compatibility. These filenames can be abused to troll Windows users, so we should probably blacklist them.
---
 nyaa/backend.py | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/nyaa/backend.py b/nyaa/backend.py
index fc9b5a0..7ddb511 100644
--- a/nyaa/backend.py
+++ b/nyaa/backend.py
@@ -14,6 +14,21 @@ from nyaa.extensions import db
 app = flask.current_app
+# Blacklists for _validate_torrent_filenames
+# TODO: consider moving to config.py?
+CHARACTER_BLACKLIST = [
+ '\u202E', # RIGHT-TO-LEFT OVERRIDE
+]
+FILENAME_BLACKLIST = [
+ # Windows reserved filenames
+ 'con',
+ 'nul',
+ 'prn',
+ 'aux',
+ 'com0', 'com1', 'com2', 'com3', 'com4', 'com5', 'com6', 'com7', 'com8', 'com9',
+ 'lpt0', 'lpt1', 'lpt2', 'lpt3', 'lpt4', 'lpt5', 'lpt6', 'lpt7', 'lpt8', 'lpt9',
+]
+
 class TorrentExtraValidationException(Exception):
 def __init__(self, errors={}):
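Review bot: `FILENAME_BLACKLIST` and `CHARACTER_BLACKLIST` are declared as plain lists, although the only use this patch gives them is a membership test per path part in `_validate_torrent_filenames`, and a module-level list can be mutated at runtime by any importer; a `frozenset` literal, e.g. `FILENAME_BLACKLIST = frozenset({'con', 'nul', 'prn', 'aux', ...})`, keeps the same entries immutable and makes the `in` lookup O(1). The entries are already lowercase, which matches the `.lower()` normalization applied before the lookup in the second hunk, so the comparison stays consistent. If the `TODO` about moving these to config.py is acted on, it is worth a comment that these tables are a validation control rather than a tuning knob, so they should keep a non-empty default.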
@@ -62,16 +77,14 @@ def _recursive_dict_iterator(source):
 def _validate_torrent_filenames(torrent):
- ''' Checks path parts of a torrent's filetree against blacklisted characters,
- returning False on rejection '''
- # TODO Move to config.py
- character_blacklist = [
- '\u202E', # RIGHT-TO-LEFT OVERRIDE
- ]
+ ''' Checks path parts of a torrent's filetree against blacklisted characters
+ and filenames, returning False on rejection '''
 file_tree = json.loads(torrent.filelist.filelist_blob.decode('utf-8'))
 for path_part, value in _recursive_dict_iterator(file_tree):
- if any(True for c in character_blacklist if c in path_part):
+ if path_part.rsplit('.', 1)[0].lower() in FILENAME_BLACKLIST:
+ return False
+ if any(True for c in CHARACTER_BLACKLIST if c in path_part):
 return False
 return True
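Review bot: The reserved-name test `if path_part.rsplit('.', 1)[0].lower() in FILENAME_BLACKLIST:` strips only the last extension, so a path part such as `con.tar.gz` is accepted even though Windows resolves the device name from everything before the first dot (Microsoft's file-naming documentation lists `NUL.txt` and `NUL.tar.gz` as equivalent to `NUL`). Windows also drops trailing spaces when resolving a name, so `con .txt` passes the check as written. Suggest normalizing once before the lookup: `stem = path_part.split('.', 1)[0].rstrip(' ').lower()` followed by `if stem in FILENAME_BLACKLIST:`. The body of `_validate_torrent_filenames` appears to be complete within this hunk, and the check applies equally to directory names and file names since `_recursive_dict_iterator` yields every path part.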