# HG changeset patch
# User BenoƮt Allard
# Date 1412849752 -7200
# Node ID 264d4579f6bf7329e40e8647fd72249361057e58
# Parent 641a2b5896131f330d5e1d3372fa040966dd44ee
More input validation
diff -r 641a2b589613 -r 264d4579f6bf farol/producttree.py
--- a/farol/producttree.py Thu Oct 09 12:15:15 2014 +0200
+++ b/farol/producttree.py Thu Oct 09 12:15:52 2014 +0200
@@ -65,17 +65,16 @@
 path = [int(p) for p in path.split('/')]
 cvrf = get_current()
 ptree = cvrf._producttree
- try:
- branch = cvrf._producttree.getBranch(path)
- except ValueError:
- abort(404)
+ try: branch = cvrf._producttree.getBranch(path)
+ except (ValueError, IndexError): abort(404)
 if request.method != 'POST':
 branches = [('', '')] + [(b.getName(), b.getPath(True)) for b in ptree.getNotTerminalBranches(branch)]
 return render_template('producttree/edit_branch.j2', branch=branch, branches=branches, types=branch.TYPES)
 pbranch = ptree
 if request.form['parent']:
- pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')])
+ try: pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')])
+ except (ValueError, IndexError): abort(404)
 if pbranch is not branch.getParent():
 # We have to 're-link' the element ...
@@ -102,7 +101,8 @@
 pbranch = ptree
 if request.form['parent']:
- pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')])
+ try: pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')])
+ except (ValueError, IndexError): abort(404)
 branch = CVRFProductBranch(request.form['type'], request.form['name'], pbranch)
 ptree.addBranch(branch)
 return redirect(url_for('.view'))
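Review bot: In the `-65` hunk (and in the same pattern at `-102`, `-143` and `-185`) the index path from the form is checked only by `int()` and by whatever `getBranch` raises, so a negative component such as `-1` passes `int()`. If `getBranch` indexes Python lists, as the new `IndexError` handler suggests, that value would resolve to a branch counted from the end instead of producing a 404; `getBranch` is not visible here, so this needs confirming. The one-line `try: …` / `except …: abort(404)` form is also repeated four times, and a small helper that parses the path, rejects negative indexes and resolves the branch would keep the checks in one place. The enclosing view functions start and end outside the hunks.

```python
def _branch_or_404(ptree, raw_path):
    # Resolve a '/'-separated index path from the request; 404 on anything malformed.
    try:
        indexes = [int(p) for p in raw_path.split('/')]
    except ValueError:
        abort(404)
    if any(i < 0 for i in indexes):
        abort(404)
    try:
        return ptree.getBranch(indexes)
    except (ValueError, IndexError):
        abort(404)

# … unchanged: method check and template rendering …
    if request.form['parent']:
        pbranch = _branch_or_404(ptree, request.form['parent'])
```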
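Review bot: In the `-102` hunk `request.form['type']` still goes straight into `CVRFProductBranch(...)` with no check against the accepted branch types. If the constructor does not validate it itself (not visible here), reject unknown values before building the branch, for example `if request.form['type'] not in allowed_types: abort(400)`, where `allowed_types` is derived from the `TYPES` attribute that the edit view passes to its template as `branch.TYPES`. The shape of `TYPES` is not shown, so the membership test may need adapting.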
@@ -143,7 +143,8 @@
 oldp = product._parent
 if request.form['parent_branch']:
- pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')])
+ try: pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')])
+ except (ValueError, IndexError): abort(404)
 if pbranch is not oldp:
 # Gonna be funny, needs re-link
 product.unlink()
@@ -185,7 +186,8 @@
 parent = ptree
 if request.form['parent_branch']:
- parent = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')])
+ try: pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')])
+ except (ValueError, IndexError): abort(404)
 elif request.form['parent_relationship']:
 parent = ptree._relationships[int(request.form['parent_relationship'])]
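Review bot: The added line in the `-185` hunk assigns the looked-up branch to `pbranch`, whereas the line it replaces assigned `parent`, and the surrounding code (`parent = ptree`, the `elif` branch) works with `parent`. As written, a submitted `parent_branch` is validated and then apparently ignored, leaving `parent` at `ptree`; the line should read `try: parent = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')])`. The `elif` lookup `ptree._relationships[int(request.form['parent_relationship'])]` has no equivalent guard, so a non-numeric or out-of-range value would presumably surface as an unhandled exception rather than a 404, and a negative value would index from the end. The function continues outside the hunk, so how `parent` is used afterwards is inferred.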