changeset 127:d49c1ee6bc07

Harden server-side version parsing
author Benoît Allard <benoit.allard@greenbone.net>
date Thu, 23 Oct 2014 16:50:02 +0200
parents e0830bcab004
children 79abdecb2d0b
files farol/controller.py farol/document.py
diffstat 2 files changed, 20 insertions(+), 5 deletions(-) [+]
--- a/farol/controller.py	Thu Oct 23 16:32:33 2014 +0200
+++ b/farol/controller.py	Thu Oct 23 16:50:02 2014 +0200
@@ -38,7 +38,7 @@
 from flask import request
 
 from farolluz.cvrf import CVRFNote, CVRFReference, CVRFAcknowledgment
-from farolluz.parsers.cvrf import parseDate as parseXMLDate
+from farolluz.parsers.cvrf import parseDate as parseXMLDate, parseVersion as parseXMLVersion
 
 def split_fields(field, separator=','):
     if not field:
@@ -91,3 +91,8 @@
     m = re.match('(\d{4})-(\d{2})-(\d{2})', string)
     return datetime(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                     tzinfo=timezone(timedelta(hours=0, minutes=0)))
+
+def parseVersion(string):
+    """ An extended version, one that doesn't throw exceptions """
+    try: return parseXMLVersion(string)
+    except ValueError: return None
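Review bot: The docstring on the new parseVersion says it "doesn't throw exceptions", but only ValueError is caught, so anything else parseXMLVersion may raise on odd input (a TypeError on a non-string value, if that parser behaves like parseDate above — not visible here) still propagates into the request handler. Either narrow the docstring to what is actually swallowed, e.g. `"""Parse a version string; return None instead of raising ValueError on malformed input."""`, or catch what the upstream parser is documented to raise. The compound one-liners `try: return ...` and `except ValueError: return None` should also be split onto separate lines per PEP 8, matching the style of parseDate directly above.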
--- a/farol/document.py	Thu Oct 23 16:32:33 2014 +0200
+++ b/farol/document.py	Thu Oct 23 16:50:02 2014 +0200
@@ -25,7 +25,6 @@
 from flask import (Blueprint, render_template, abort, redirect, request,
     url_for, flash)
 
-from farolluz.parsers.cvrf import parseVersion
 from farolluz.cvrf import (CVRFNote, CVRFReference, CVRFPublisher,
     CVRFTracking, CVRFTrackingID, CVRFGenerator, CVRFRevision,
     CVRFAggregateSeverity)
@@ -34,7 +33,7 @@
 from .controller import (update_note_from_request, create_note_from_request,
     update_reference_from_request, create_reference_from_request,
     update_acknowledgment_from_request, create_acknowledgment_from_request,
-    split_fields, parseDate)
+    split_fields, parseDate, parseVersion)
 from .session import document_required, get_current
 
 
@@ -87,7 +86,11 @@
     aliases = split_fields(request.form['id_aliases'])
     tracking._identification._aliases = aliases
     tracking._status = request.form['status']
-    tracking._version = parseVersion(request.form['version'])
+    version = parseVersion(request.form['version'])
+    if version is None:
+        flash('Cannot parse Version field: "%s"' % request.form['version'], 'warning')
+    else:
+        tracking._version = version
     tracking._initialDate = parseDate(request.form['initial'])
     tracking._currentDate = parseDate(request.form['current'])
     if wasNone:
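Review bot: The flash message added at L58 interpolates the raw form value `request.form['version']` into text that is later rendered by a template; whether it is HTML-escaped depends on how the templates print flashed messages, which this diff does not show, and Flask's default autoescaping only covers the .html/.htm/.xml/.xhtml extensions, not the `.j2` templates this file uses. Escaping explicitly is cheap and removes the doubt: `flash('Cannot parse Version field: "%s"' % escape(request.form['version']), 'warning')`, with `escape` added to the `from flask import (...)` list at L35. The messages at L71 and L82 in the two following hunks echo `request.form['number']` the same way and need the same treatment. Note also that this message carries the `'warning'` category while those two pass none, so the three will render inconsistently. The enclosing function starts and ends outside the hunk.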
@@ -116,7 +119,11 @@
     if request.method != 'POST':
         return render_template('document/edit_revision.j2', number='.'.join('%s'%v for v in revision._number), date=revision._date, description=revision._description, action='Update')
 
-    revision._number = parseVersion(request.form['number'])
+    version = parseVersion(request.form['number'])
+    if version is None:
+        flash('Cannot parse Revision Number: %s' % request.form['number'])
+    else:
+        revision._number = version
     revision._date = parseDate(request.form['date'])
     revision._description = request.form['description']
     return redirect(url_for('.view'))
@@ -134,6 +141,9 @@
         return render_template('document/edit_revision.j2', number='.'.join("%d"%v for v in version), date=utcnow(), action='Add')
 
     version = parseVersion(request.form['number'])
+    if version is None:
+        flash('Cannot parse Revision Number: "%s", assuming "0.0"' % request.form['number'])
+        version = (0,0)
     date = parseDate(request.form['date'])
     revision = CVRFRevision(version, date, request.form['description'])
     tracking.addRevision(revision)
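Review bot: On a parse failure this handler substitutes `(0,0)` and still creates and adds the revision, whereas the two edit handlers in the earlier hunks leave the existing value untouched, so a mistyped number here silently produces a stored "0.0" revision that only a flash message hints at. Since the bad value is already reported, the more defensive and consistent choice is to stop before `CVRFRevision(...)` is built, e.g. `return redirect(url_for('.view'))` (or re-render the form) right after the flash instead of `version = (0,0)`. If a default revision number is genuinely wanted, it would be better named as a constant and mentioned in the docstring of this view. The enclosing function starts outside the hunk.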
