[extensions-web/wip/ne0sight] extensions: validate screenshots and icons
- From: Yuri Konotopov <ykonotopov src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [extensions-web/wip/ne0sight] extensions: validate screenshots and icons
- Date: Fri, 29 May 2020 05:09:08 +0000 (UTC)
commit dabeaa71dc970b66720f9eab8e5c6b911d835ee0
Author: Yuri Konotopov <ykonotopov gnome org>
Date: Fri May 29 09:08:50 2020 +0400
extensions: validate screenshots and icons
sweettooth/extensions/forms.py | 3 +++
sweettooth/extensions/views.py | 32 ++++++++++++++++++++++++--------
2 files changed, 27 insertions(+), 8 deletions(-)
---
diff --git a/sweettooth/extensions/forms.py b/sweettooth/extensions/forms.py
index 4619526..67be262 100644
--- a/sweettooth/extensions/forms.py
+++ b/sweettooth/extensions/forms.py
@@ -22,3 +22,6 @@ I agree that GNOME Shell Extensions can remove, modify or reassign maintainershi
if not tos_compliant:
raise forms.ValidationError("You must agree to the GNOME Shell Extensions terms of service.")
return tos_compliant
+
+class ImageUploadForm(forms.Form):
+ file = forms.ImageField(required=True)
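Review bot: The form only checks that Pillow can open the file, while the 2 MiB upper bound that views.py applies to the same field lives outside this class, so the two rules that define an acceptable image are split across files. A `clean_file` method on this form raising `forms.ValidationError` for oversized files would keep both rules together and make `form.is_valid()` the single gate, letting the caller report `form.errors` instead of a bare status code. Either way a one-line class docstring naming the field and its purpose would help, e.g. `"""Single-file upload form for extension screenshots and icons."""`.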
diff --git a/sweettooth/extensions/views.py b/sweettooth/extensions/views.py
index 47df3a1..0cc9eb6 100644
--- a/sweettooth/extensions/views.py
+++ b/sweettooth/extensions/views.py
@@ -7,7 +7,7 @@ from django.core.paginator import Paginator, InvalidPage
from django.contrib.auth.decorators import login_required
from django.contrib import messages
from django.db import transaction
-from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponseServerError, Http404
+from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden,
HttpResponseServerError, Http404
from django.shortcuts import get_object_or_404, redirect, render
from django.template.loader import render_to_string
from django.views.decorators.http import require_POST
@@ -15,7 +15,7 @@ from django.urls import reverse
from sweettooth.exceptions import DatabaseErrorWithMessages
from sweettooth.extensions import models, search
-from sweettooth.extensions.forms import UploadForm
+from sweettooth.extensions.forms import ImageUploadForm, UploadForm
from sweettooth.decorators import ajax_view, model_view
from sweettooth.extensions.templatetags.extension_icon import extension_icon
@@ -342,14 +342,28 @@ def ajax_inline_edit_view(request, extension):
return value
+def validate_uploaded_image(request, extension):
+ if not extension.user_can_edit(request.user):
+ return HttpResponseForbidden()
+
+ form = ImageUploadForm(request.POST, request.FILES)
+
+ if not form.is_valid() or form.cleaned_data['file'].size > 2*1024*1024:
+ return HttpResponseForbidden()
+
+ return form.cleaned_data['file']
+
+
@ajax_view
@require_POST
@model_view(models.Extension)
def ajax_upload_screenshot_view(request, extension):
- if not extension.user_can_edit(request.user):
- return HttpResponseForbidden()
+ data = validate_uploaded_image(request, extension)
+ if isinstance(data, HttpResponse):
+ return data
- extension.screenshot = request.FILES['file']
+ extension.screenshot = data
+ extension.full_clean()
extension.save(replace_metadata_json=False)
return extension.screenshot.url
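Review bot: In `validate_uploaded_image`, an invalid or oversized upload is answered with `HttpResponseForbidden()` on the same line as a bad image, which reports a client-data problem with the status reserved for a permission failure and discards `form.errors`; `HttpResponseBadRequest` is already imported and is the right answer for that branch. The size comparison also runs only after `ImageField` has already handed the file to Pillow, so checking `request.FILES['file'].size` before building the form rejects oversized bodies without opening them, and the `2*1024*1024` literal should become a named module constant rather than an inline magic number. `extension.full_clean()` raises `ValidationError` and nothing in this hunk or the matching one ending at `return extension.icon.url` in `ajax_upload_icon_view` catches it; if `@ajax_view` does not translate it into a response (not visible here), a rejected image surfaces as a 500 — confirm. The helper has no docstring; its contract of "an `UploadedFile` or an `HttpResponse` to return as-is" is exactly the kind of thing the `isinstance(data, HttpResponse)` check at the call sites needs spelled out.
```python
MAX_IMAGE_UPLOAD_SIZE = 2 * 1024 * 1024  # bytes


def validate_uploaded_image(request, extension):
    """Return the validated image from ``request.FILES['file']``.

    Returns an ``HttpResponse`` (403 for a permission failure, 400 for a
    missing, oversized or non-image file) that the caller should return
    unchanged, otherwise the cleaned ``UploadedFile``.
    """
    if not extension.user_can_edit(request.user):
        return HttpResponseForbidden()

    uploaded = request.FILES.get('file')
    # Check the declared size before ImageField opens the file with Pillow.
    if uploaded is None or uploaded.size > MAX_IMAGE_UPLOAD_SIZE:
        return HttpResponseBadRequest()

    form = ImageUploadForm(request.POST, request.FILES)
    if not form.is_valid():
        return HttpResponseBadRequest()

    return form.cleaned_data['file']

# … unchanged: ajax_upload_screenshot_view …
```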
@@ -357,10 +371,12 @@ def ajax_upload_screenshot_view(request, extension):
@require_POST
@model_view(models.Extension)
def ajax_upload_icon_view(request, extension):
- if not extension.user_can_edit(request.user):
- return HttpResponseForbidden()
+ data = validate_uploaded_image(request, extension)
+ if isinstance(data, HttpResponse):
+ return data
- extension.icon = request.FILES['file']
+ extension.icon = data
+ extension.full_clean()
extension.save(replace_metadata_json=False)
return extension.icon.url