Mercurial > farol
changeset 78:264d4579f6bf
More input validation
| author | Benoît Allard <benoit.allard@greenbone.net> |
|---|---|
| date | Thu, 09 Oct 2014 12:15:52 +0200 |
| parents | 641a2b589613 |
| children | 2c7786d7d14e |
| files | farol/producttree.py |
| diffstat | 1 files changed, 10 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/farol/producttree.py Thu Oct 09 12:15:15 2014 +0200 +++ b/farol/producttree.py Thu Oct 09 12:15:52 2014 +0200 @@ -65,17 +65,16 @@ path = [int(p) for p in path.split('/')] cvrf = get_current() ptree = cvrf._producttree - try: - branch = cvrf._producttree.getBranch(path) - except ValueError: - abort(404) + try: branch = cvrf._producttree.getBranch(path) + except (ValueError, IndexError): abort(404) if request.method != 'POST': branches = [('', '')] + [(b.getName(), b.getPath(True)) for b in ptree.getNotTerminalBranches(branch)] return render_template('producttree/edit_branch.j2', branch=branch, branches=branches, types=branch.TYPES) pbranch = ptree if request.form['parent']: - pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')]) + try: pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')]) + except (ValueError, IndexError): abort(404) if pbranch is not branch.getParent(): # We have to 're-link' the element ... @@ -102,7 +101,8 @@ pbranch = ptree if request.form['parent']: - pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')]) + try: pbranch = ptree.getBranch([int(p) for p in request.form['parent'].split('/')]) + except (ValueError, IndexError): abort(404) branch = CVRFProductBranch(request.form['type'], request.form['name'], pbranch) ptree.addBranch(branch) return redirect(url_for('.view')) @@ -143,7 +143,8 @@ oldp = product._parent if request.form['parent_branch']: - pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')]) + try: pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')]) + except (ValueError, IndexError): abort(404) if pbranch is not oldp: # Gonna be funny, needs re-link product.unlink() @@ -185,7 +186,8 @@ parent = ptree if request.form['parent_branch']: - parent = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')]) + try: pbranch = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')]) + except (ValueError, IndexError): abort(404) elif request.form['parent_relationship']: parent = ptree._relationships[int(request.form['parent_relationship'])]