URSH: Validate custom shortcuts

There shouldn't be any risk even if someone sends garbage containing,
let's say, `../`, but it is better to stay on the safe side than to actually
send an API request containing something obviously incorrect.
Adrian Moennich 2019-08-20 14:36:30 +02:00
parent 80c5782678
commit 0fac1a4ae8


@ -24,6 +24,9 @@ from indico_ursh.util import register_shortcut, request_short_url, strip_end
from indico_ursh.views import WPShortenURLPage
CUSTOM_SHORTCUT_ALPHABET = frozenset('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-')
class RHGetShortURL(RH):
"""Make a request to the URL shortening service"""
@ -84,6 +87,10 @@ class RHCustomShortURLPage(RHManageEventBase):
def _process_POST(self):
original_url = self._make_absolute_url(request.args['original_url'])
shortcut = request.form['shortcut'].strip()
if not (set(shortcut) <= CUSTOM_SHORTCUT_ALPHABET):
raise BadRequest('Invalid shortcut')
result = register_shortcut(original_url, shortcut, session.user)
if result.get('error'):
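Review bot: The new check `if not (set(shortcut) <= CUSTOM_SHORTCUT_ALPHABET)` still accepts an empty shortcut, because the empty set is a subset of every set, so a blank or whitespace-only form value (empty after `.strip()`) passes validation and is sent on to `register_shortcut`. Rejecting that case locally is a one-line change: `if not shortcut or not (set(shortcut) <= CUSTOM_SHORTCUT_ALPHABET):`. Nothing in the hunk bounds the shortcut's length either, so an arbitrarily long value that happens to use only allowed characters is forwarded to the service; whether that matters depends on what the service enforces, which is not visible here. `_process_POST` continues past the end of the hunk.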