changeset 127:d49c1ee6bc07
Harden server-side version parsing
author | Benoît Allard <benoit.allard@greenbone.net> |
date | Thu, 23 Oct 2014 16:50:02 +0200 |
parents | e0830bcab004 |
children | 79abdecb2d0b |
files | farol/controller.py farol/document.py |
diffstat | 2 files changed, 20 insertions(+), 5 deletions(-) [+] |
--- a/farol/controller.py Thu Oct 23 16:32:33 2014 +0200 +++ b/farol/controller.py Thu Oct 23 16:50:02 2014 +0200 @@ -38,7 +38,7 @@ from flask import request from farolluz.cvrf import CVRFNote, CVRFReference, CVRFAcknowledgment -from farolluz.parsers.cvrf import parseDate as parseXMLDate +from farolluz.parsers.cvrf import parseDate as parseXMLDate, parseVersion as parseXMLVersion def split_fields(field, separator=','): if not field: @@ -91,3 +91,8 @@ m = re.match('(\d{4})-(\d{2})-(\d{2})', string) return datetime(int(m.group(1)), int(m.group(2)), int(m.group(3)), tzinfo=timezone(timedelta(hours=0, minutes=0))) + +def parseVersion(string): + """ An extended version, one that doesn't throw exceptions """ + try: return parseXMLVersion(string) + except ValueError: return None
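Review bot: The docstring on the new `parseVersion` in the second hunk says "An extended version" but does not state what the wrapper actually does, which is to return `None` where `parseXMLVersion` raises `ValueError`; suggest `"""Parse a version string; return None instead of raising when parseXMLVersion rejects it (ValueError)."""`. The compound one-liners `try: return parseXMLVersion(string)` / `except ValueError: return None` would read better as four lines, matching the layout of the surrounding file. Catching only `ValueError` is the right narrow choice; if `parseXMLVersion` can raise anything else on malformed form input (its body is not visible here), that would still surface as an unhandled error in the callers, so it is worth confirming against the parser.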
--- a/farol/document.py Thu Oct 23 16:32:33 2014 +0200 +++ b/farol/document.py Thu Oct 23 16:50:02 2014 +0200 @@ -25,7 +25,6 @@ from flask import (Blueprint, render_template, abort, redirect, request, url_for, flash) -from farolluz.parsers.cvrf import parseVersion from farolluz.cvrf import (CVRFNote, CVRFReference, CVRFPublisher, CVRFTracking, CVRFTrackingID, CVRFGenerator, CVRFRevision, CVRFAggregateSeverity) @@ -34,7 +33,7 @@ from .controller import (update_note_from_request, create_note_from_request, update_reference_from_request, create_reference_from_request, update_acknowledgment_from_request, create_acknowledgment_from_request, - split_fields, parseDate) + split_fields, parseDate, parseVersion) from .session import document_required, get_current @@ -87,7 +86,11 @@ aliases = split_fields(request.form['id_aliases']) tracking._identification._aliases = aliases tracking._status = request.form['status'] - tracking._version = parseVersion(request.form['version']) + version = parseVersion(request.form['version']) + if version is None: + flash('Cannot parse Version field: "%s"' % request.form['version'], 'warning') + else: + tracking._version = version tracking._initialDate = parseDate(request.form['initial']) tracking._currentDate = parseDate(request.form['current']) if wasNone: @@ -116,7 +119,11 @@ if request.method != 'POST': return render_template('document/edit_revision.j2', number='.'.join('%s'%v for v in revision._number), date=revision._date, description=revision._description, action='Update') - revision._number = parseVersion(request.form['number']) + version = parseVersion(request.form['number']) + if version is None: + flash('Cannot parse Revision Number: %s' % request.form['number']) + else: + revision._number = version revision._date = parseDate(request.form['date']) revision._description = request.form['description'] return redirect(url_for('.view')) 
@@ -134,6 +141,9 @@ return render_template('document/edit_revision.j2', number='.'.join("%d"%v for v in version), date=utcnow(), action='Add') version = parseVersion(request.form['number']) + if version is None: + flash('Cannot parse Revision Number: "%s", assuming "0.0"' % request.form['number']) + version = (0,0) date = parseDate(request.form['date']) revision = CVRFRevision(version, date, request.form['description']) tracking.addRevision(revision)
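Review bot: The three `flash()` calls added in this section are inconsistent: the one in the `tracking._version` hunk passes the `'warning'` category, while the two for `revision._number` pass none and so land in the default category, and their wording differs (one quotes the value, the other does not); suggest `flash('Cannot parse Revision Number: "%s"' % request.form['number'], 'warning')` in both. All three messages interpolate the raw form field, which is only safe if the template that renders `get_flashed_messages()` is autoescaped; that is not visible here and is worth confirming, since Flask's default autoescaping is keyed on the template file extension. The last hunk also behaves differently from the other two: instead of leaving the existing value untouched it substitutes `(0,0)` and still creates and adds the revision, so a mistyped number silently produces a "0.0" revision; re-rendering the form with the message instead of proceeding would be the safer default. The enclosing functions start outside the hunks.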