
upload/edit: sanitize some string fields

This commit introduces a regex to replace illegal (and expectedly unused)
characters in the torrent display name, information link and description
upon upload or edit.

Fixes #541
This commit is contained in:
TheAMM 2019-01-15 02:16:10 +02:00 committed by Nicolas F
parent 1374375a16
commit d7f9618fbf
2 changed files with 17 additions and 3 deletions


@ -1,5 +1,6 @@
import json
import os
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
@ -29,6 +30,14 @@ FILENAME_BLACKLIST = [
'lpt0', 'lpt1', 'lpt2', 'lpt3', 'lpt4', 'lpt5', 'lpt6', 'lpt7', 'lpt8', 'lpt9',
]
# Invalid RSS characters regex, used to sanitize some strings
ILLEGAL_XML_CHARS_RE = re.compile(u'[\x00-\x08\x0b\x0c\x0e-\x1F\uD800-\uDFFF\uFFFE\uFFFF]')
def sanitize_string(string, replacement='\uFFFD'):
''' Simply replaces characters based on a regex '''
return ILLEGAL_XML_CHARS_RE.sub(replacement, string)
class TorrentExtraValidationException(Exception):
def __init__(self, errors={}):
@ -200,6 +209,11 @@ def handle_torrent_upload(upload_form, uploading_user=None, fromAPI=False):
information = (upload_form.information.data or '').strip()
description = (upload_form.description.data or '').strip()
# Sanitize fields
display_name = sanitize_string(display_name)
information = sanitize_string(information)
description = sanitize_string(description)
torrent_filesize = info_dict.get('length') or sum(
f['length'] for f in info_dict.get('files'))
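Review bot: The docstring on sanitize_string (`''' Simply replaces characters based on a regex '''`) says neither which characters are replaced nor why, although the XML-oriented character class and the U+FFFD default are the whole point; I would replace it with a docstring stating that it substitutes every character forbidden by XML 1.0 (C0 controls other than tab, LF and CR, lone surrogates, U+FFFE and U+FFFF) — which RSS inherits — with `replacement`, defaulting to U+FFFD, and that it expects a str. The constant's comment would read better as `# Characters illegal in XML 1.0 (and therefore in the RSS feed), used to sanitize some strings`. In the third hunk, sanitization runs after `.strip()` and U+FFFD is not whitespace, so a field consisting only of characters such as `\x00` ends up as a run of U+FFFD rather than an empty string; if emptiness of display_name is checked earlier by the form, that check presumably does not see the sanitized value, so confirm this is acceptable. handle_torrent_upload starts before and continues past the hunk.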


@ -106,9 +106,9 @@ def edit_torrent(torrent_id):
# Form has been sent, edit torrent with data.
torrent.main_category_id, torrent.sub_category_id = \
form.category.parsed_data.get_category_ids()
torrent.display_name = (form.display_name.data or '').strip()
torrent.information = (form.information.data or '').strip()
torrent.description = (form.description.data or '').strip()
torrent.display_name = backend.sanitize_string((form.display_name.data or '').strip())
torrent.information = backend.sanitize_string((form.information.data or '').strip())
torrent.description = backend.sanitize_string((form.description.data or '').strip())
torrent.hidden = form.is_hidden.data
torrent.remake = form.is_remake.data
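Review bot: The three new assignments each repeat `backend.sanitize_string((form.<field>.data or '').strip())`, and the same strip-then-sanitize sequence is written out separately in handle_torrent_upload, so the two call sites can drift the next time the cleaning rule changes. A local helper keeps each line short and the rule in one place, e.g. `clean = lambda v: backend.sanitize_string((v or '').strip())` followed by `torrent.display_name = clean(form.display_name.data)` (and likewise for information and description). Better still would be one backend helper that both the upload and edit paths call. edit_torrent starts before and ends after the hunk.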