From d5369bc1420055613a1b49d981c14be2c138b78c Mon Sep 17 00:00:00 2001
From: crunk
Date: Sat, 19 Mar 2022 19:48:56 +0100
Subject: [PATCH] sanitized css files using bleach

---
 requirements.txt | 2 +-
 setup.py | 3 +++
 src/.gitignore | 3 +++
 verse/editor.py | 16 ++++++++++++----
 verse/forms/editorform.py | 2 +-
 verse/upload.py | 1 +
 6 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 setup.py
 create mode 100644 src/.gitignore

diff --git a/requirements.txt b/requirements.txt
index 0d66cbf..3f744c9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,7 +5,6 @@ black==21.11b1
 blinker==1.4
 cffi==1.15.0
 click==8.0.3
--e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi
 dnspython==2.1.0
 email-validator==1.1.3
 Flask==2.0.2
@@ -40,3 +39,4 @@ tomli==1.2.2
 typing-extensions==4.0.1
 Werkzeug==2.0.2
 WTForms==3.0.0
+-e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..340f994
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,3 @@
+from setuptools import setup, find_packages
+
+setup(name='library', version='1.0', packages=find_packages())
diff --git a/src/.gitignore b/src/.gitignore
new file mode 100644
index 0000000..94548af
--- /dev/null
+++ b/src/.gitignore
@@ -0,0 +1,3 @@
+*
+*/
+!.gitignore
diff --git a/verse/editor.py b/verse/editor.py
index f387b57..cffabb5 100644
--- a/verse/editor.py
+++ b/verse/editor.py
@@ -1,5 +1,7 @@
 import os
 from flask import render_template
+import bleach
+from werkzeug.utils import secure_filename
 from sqlalchemy.exc import (
 DataError,
 DatabaseError,
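Review bot: `import bleach` on the new side of the editor.py hunk has no matching pin in requirements.txt — the two requirements.txt hunks in this same commit only move the existing `-e git+…distribusi-verse` editable line to the end of the file, so a clean install from requirements.txt would raise ModuleNotFoundError the first time editor.py is imported. Add a pinned `bleach==<the version you tested with>` line alongside the other `name==version` entries (and whatever its own dependencies a `pip freeze` picks up), so the sanitizer's version is fixed like every other dependency here. The `from werkzeug.utils import secure_filename` import is already covered by the existing `Werkzeug==2.0.2` pin. The `from sqlalchemy.exc import (` list this hunk ends on continues past the hunk.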
@@ -54,16 +56,22 @@ def SaveUploadCssFile(editorform, newcssfolder):
 if not os.path.exists(newcssfolder):
 os.mkdir(newcssfolder)
 cssfile = editorform.cssfile.data
- cssfile.save(os.path.join(newcssfolder, editorform.cssname.data))
+ cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
+ cssfile.save(os.path.join(newcssfolder, cssfilename))
+ openfile = open(os.path.join(newcssfolder, cssfilename), 'r+')
+ cleancss = bleach.clean(openfile.read())
+ openfile.write(cleancss)
+ openfile.close
 def WriteCssToFile(editorform, newcssfolder):
 if not os.path.exists(newcssfolder):
 os.mkdir(newcssfolder)
- cssfilename = "{}.css".format(editorform.cssname.data)
+ cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
+ cleancss = bleach.clean(editorform.css.data)
 with open(os.path.join(newcssfolder, cssfilename), "w") as cssfile:
- cssfile.write(editorform.css.data)
+ cssfile.write(cleancss)
 cssfile.close
@@ -72,7 +80,7 @@ def MakePublicTheme(editorform, current_distribusi):
 distribusi = Distribusis.query.filter_by(
 distribusiname=current_distribusi
 ).first()
- distribusi.publictheme = editorform.cssname.data
+ distribusi.publictheme = secure_filename(editorform.cssname.data)
 db.session.commit()
 except InvalidRequestError:
diff --git a/verse/forms/editorform.py b/verse/forms/editorform.py
index 7c3dc8b..49a6436 100644
--- a/verse/forms/editorform.py
+++ b/verse/forms/editorform.py
@@ -25,7 +25,7 @@ class EditorForm(FlaskForm):
 FileAllowed(["css"], "css files only!"),
 FileSize(
 max_size=10485760,
- message="Zipfile size must be smaller than 100MB",
+ message="css file size must be smaller than 10MB",
 ),
 ],
 )
diff --git a/verse/upload.py b/verse/upload.py
index be59e3c..df2560a 100644
--- a/verse/upload.py
+++ b/verse/upload.py
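Review bot: In SaveUploadCssFile the raw upload is saved to disk first and the `'r+'` handle is then read to EOF before `openfile.write(cleancss)`, so the escaped copy is appended after the untouched stylesheet instead of replacing it, and `openfile.close` without parentheses never closes the handle — the file on disk ends up as the unsanitized upload followed by a second, escaped copy, flushed only whenever the leaked handle is finalized. Cleaning the upload in memory and writing it exactly once, as in the rewrite below (assuming `cssfile` is the Werkzeug FileStorage the form's FileAllowed/FileSize validators imply, so `read()` returns bytes), removes both the leak and the unsanitized write. Separately, `bleach.clean()` is an HTML sanitizer, not a CSS one: it strips tags and entity-escapes `<`, `>` and `&` (turning a legitimate child combinator `a > b` into `a &gt; b` and breaking the theme) while CSS-specific hazards such as `@import`, `url(javascript:…)`/`url(data:…)` and `expression()` pass through untouched, so a CSS-aware sanitizer or a property allowlist is the control that actually matches the threat. `secure_filename()` returns `""` for a name with no safe characters, which would save the theme as `.css` and store an empty `publictheme` in the MakePublicTheme hunk below; a guard that rejects an empty sanitized name belongs in both places. The `cssfile.close` left at the end of WriteCssToFile is the same no-op, redundant there because the `with` block already closes the file.
```python
def SaveUploadCssFile(editorform, newcssfolder):
    # … unchanged: folder creation …
    cssfile = editorform.cssfile.data
    cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
    # Clean the upload in memory and write it exactly once, so the raw
    # stylesheet never reaches disk and the handle is always closed.
    cleancss = bleach.clean(cssfile.read().decode("utf-8", errors="replace"))
    with open(os.path.join(newcssfolder, cssfilename), "w") as openfile:
        openfile.write(cleancss)
```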
@@ -73,6 +73,7 @@ def UploadUpdatedFiles(uploadfolder):
 distribusi.course = uploadform.course.data
 distribusi.year = uploadform.academicyear.data
 distribusi.tags = uploadform.tags.data
+ distribusi.visible = False
 db.session.commit()
 except (InvalidRequestError, DataError, InterfaceError, DatabaseError):
 db.session.rollback()
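Review bot: The added `distribusi.visible = False` is unconditional and uncommented, so every pass through UploadUpdatedFiles silently unpublishes the entry even when only the course, year or tags fields were edited, and nothing in this hunk tells the next maintainer whether that is deliberate. If re-uploads are meant to go back through a review step, say so on the line, e.g. `# an updated distribusi is hidden again until it is re-approved` (wording to confirm against whatever sets `visible` back to True); if not, the reset should be limited to the case where files actually changed. The enclosing `try` and the UploadUpdatedFiles body both start before this hunk.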