diff farol/document.py @ 127:d49c1ee6bc07
Harden server-side version parsing
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Thu, 23 Oct 2014 16:50:02 +0200 |
parents | 5535ac5fef37 |
children | d2588d88d47a |
--- a/farol/document.py Thu Oct 23 16:32:33 2014 +0200 
+++ b/farol/document.py Thu Oct 23 16:50:02 2014 +0200 
@@ -25,7 +25,6 @@
 from flask import (Blueprint, render_template, abort, redirect, request, url_for, flash)
-from farolluz.parsers.cvrf import parseVersion
 from farolluz.cvrf import (CVRFNote, CVRFReference, CVRFPublisher, CVRFTracking, CVRFTrackingID, CVRFGenerator, CVRFRevision, CVRFAggregateSeverity) 
@@ -34,7 +33,7 @@
 from .controller import (update_note_from_request, create_note_from_request, update_reference_from_request, create_reference_from_request, update_acknowledgment_from_request, create_acknowledgment_from_request,
- split_fields, parseDate)
+ split_fields, parseDate, parseVersion)
 from .session import document_required, get_current 
@@ -87,7 +86,11 @@
 aliases = split_fields(request.form['id_aliases'])
 tracking._identification._aliases = aliases
 tracking._status = request.form['status']
- tracking._version = parseVersion(request.form['version'])
+ version = parseVersion(request.form['version'])
+ if version is None:
+ flash('Cannot parse Version field: "%s"' % request.form['version'], 'warning')
+ else:
+ tracking._version = version
 tracking._initialDate = parseDate(request.form['initial'])
 tracking._currentDate = parseDate(request.form['current'])
 if wasNone: 
@@ -116,7 +119,11 @@
 if request.method != 'POST':
 return render_template('document/edit_revision.j2', number='.'.join('%s'%v for v in revision._number), date=revision._date, description=revision._description, action='Update')
- revision._number = parseVersion(request.form['number'])
+ version = parseVersion(request.form['number'])
+ if version is None:
+ flash('Cannot parse Revision Number: %s' % request.form['number'])
+ else:
+ revision._number = version
 revision._date = parseDate(request.form['date'])
 revision._description = request.form['description']
 return redirect(url_for('.view')) 
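Review bot: The two new parse-failure branches report the same kind of input error inconsistently: the Version field branch in the `@@ -87,7 +86,11 @@` hunk quotes the value and passes the `'warning'` category, while the Revision Number branch in the `@@ -116,7 +119,11 @@` hunk calls `flash(...)` with no category and no quotes, so the messages will be styled and filtered differently by the template; suggest `flash('Cannot parse Revision Number: "%s"' % request.form['number'], 'warning')`. Both messages interpolate the raw form value, which is fine as long as the template that renders `get_flashed_messages()` keeps Jinja2 autoescaping and does not pass the messages through `|safe`; worth confirming since the message is later shown back to the browser. In both hunks a failed parse still saves the remaining fields and (visible in the second hunk) redirects to `.view`, so the user only learns of the rejected value via the flash; whether `tracking._version` can be left unset on the `wasNone` path cannot be seen here because both enclosing view functions start before and end after their hunks.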
@@ -134,6 +141,9 @@
 return render_template('document/edit_revision.j2', number='.'.join("%d"%v for v in version), date=utcnow(), action='Add')
 version = parseVersion(request.form['number'])
+ if version is None:
+ flash('Cannot parse Revision Number: "%s", assuming "0.0"' % request.form['number'])
+ version = (0,0)
 date = parseDate(request.form['date'])
 revision = CVRFRevision(version, date, request.form['description'])
 tracking.addRevision(revision)
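Review bot: The `+ version = (0,0)` fallback commits a revision numbered 0.0 to the document's tracking history whenever the field fails to parse, so a typo silently creates a revision rather than being rejected; it would be safer to flash the error and return the form again (as the `return render_template(..., action='Add')` context line at the top of the hunk does on the form-display path) than to substitute a default that `tracking.addRevision` then stores. If the default is kept, `(0,0)` may duplicate an existing revision number, and whether `addRevision` rejects duplicates is not visible in this hunk. The message also lacks the `'warning'` category used for the Version field in the earlier hunk; `flash('Cannot parse Revision Number: "%s", assuming "0.0"' % request.form['number'], 'warning')` would keep the two consistent. The enclosing view function starts before the hunk.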