From: Sebastian Spaeth <Sebastian@SSpaeth.de>
Date: Wed, 9 Jan 2013 11:38:08 +0000 (+0100)
Subject: Sanitize slug input on media edit
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=4ca0755ab63192b9a79c1152673bfeb19e45e8a1;p=mediagoblin.git

Sanitize slug input on media edit

Previously we allowed EVERYTHING, even slashes, as a slug when editing the media.
Make sure we slugify the input to sanitize it.

(+ string formdata is unicode, so there is no need to convert it)

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
---

diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index ece11df5..646a9e5b 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -32,6 +32,7 @@ from mediagoblin.tools.response import render_to_response, redirect
 from mediagoblin.tools.translate import pass_to_ugettext as _
 from mediagoblin.tools.text import (
     convert_to_tag_list_of_dicts, media_tags_as_string)
+from mediagoblin.tools.url import slugify
 from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
 
 import mimetypes
@@ -57,22 +58,20 @@ def edit_media(request, media):
     if request.method == 'POST' and form.validate():
         # Make sure there isn't already a MediaEntry with such a slug
         # and userid.
-        slug_used = check_media_slug_used(media.uploader, request.form['slug'],
-                                          media.id)
+        slug = slugify(request.form['slug'])
+        slug_used = check_media_slug_used(media.uploader, slug, media.id)
 
         if slug_used:
             form.slug.errors.append(
                 _(u'An entry with that slug already exists for this user.'))
         else:
-            media.title = unicode(request.form['title'])
-            media.description = unicode(request.form.get('description'))
+            media.title = request.form['title']
+            media.description = request.form.get('description')
             media.tags = convert_to_tag_list_of_dicts(
                                    request.form.get('tags'))
 
             media.license = unicode(request.form.get('license', '')) or None
-
-            media.slug = unicode(request.form['slug'])
-
+            media.slug = slug
             media.save()
 
             return redirect(request,
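Review bot: The slugified value is never checked for emptiness before it reaches `media.slug = slug`; if `slugify` strips every character of an input made only of disallowed characters (its behaviour on such input is not visible here), an empty slug is saved unless `check_media_slug_used` happens to reject it. A guard right after `slug = slugify(request.form['slug'])` closes that gap, e.g. `if not slug: form.slug.errors.append(_(u'Slug must contain at least one letter or digit.'))` with the existing `slug_used` branch becoming an `elif`. Note also that the sanitized slug can differ from what the user typed, and the form field still holds the raw input, so on a validation error the re-rendered page presumably shows the unsanitized text rather than the value that was actually checked — confirm against the template and consider assigning `form.slug.data = slug`. edit_media starts before this hunk and its body continues past the last line shown.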