From a1ff6986cad05d9286b209a0486a14bb4f0ee1a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Tue, 30 Jun 2015 18:59:45 +0200
Subject: [PATCH] Verify extension of uploaded language packs & plugins

Should be valid zip archives/tarballs.
Also use only the extension of an uploaded plugin archive as suffix for the temporary file that's used for installing it.
---
 src/octoprint/plugins/pluginmanager/__init__.py | 10 ++++++++--
 src/octoprint/server/api/languages.py | 8 +++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/octoprint/plugins/pluginmanager/__init__.py b/src/octoprint/plugins/pluginmanager/__init__.py
index 6c4e039b..05ab3784 100644
--- a/src/octoprint/plugins/pluginmanager/__init__.py
+++ b/src/octoprint/plugins/pluginmanager/__init__.py
@@ -121,11 +121,17 @@ class PluginManagerPlugin(octoprint.plugin.SimpleApiPlugin,
 upload_path = flask.request.values[input_upload_path]
 upload_name = flask.request.values[input_upload_name]
 
+ exts = filter(lambda x: upload_name.endswith(x), (".zip", ".tar.gz", ".tgz", ".tar"))
+ if not len(exts):
+ return flask.make_response("File doesn't have a valid extension for a plugin archive", 400)
+
+ ext = exts[0]
+
 import tempfile
 import shutil
 import os
 
- archive = tempfile.NamedTemporaryFile(delete=False, suffix="-{upload_name}".format(**locals()))
+ archive = tempfile.NamedTemporaryFile(delete=False, suffix="{ext}".format(**locals()))
 try:
 archive.close()
 shutil.copy(upload_path, archive.name)
@@ -197,7 +203,7 @@ class PluginManagerPlugin(octoprint.plugin.SimpleApiPlugin,
 if url is not None:
 pip_args = ["install", sarge.shell_quote(url)]
 elif path is not None:
- pip_args = ["install", path]
+ pip_args = ["install", sarge.shell_quote(path)]
 else:
 raise ValueError("Either url or path must be provided")
 
diff --git a/src/octoprint/server/api/languages.py b/src/octoprint/server/api/languages.py
index 820089e4..ef35d99d 100644
--- a/src/octoprint/server/api/languages.py
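Review bot: `if not len(exts)` and `ext = exts[0]` assume `filter` returns a list, which holds on Python 2 but not on Python 3, where `filter` is a lazy iterator and both calls raise TypeError (turning a bad upload into a 500 instead of the intended 400); the same construction appears in the src/octoprint/server/api/languages.py hunk. A form that works on both is `ext = next((x for x in (".zip", ".tar.gz", ".tgz", ".tar") if upload_name.endswith(x)), None)` followed by `if ext is None: return flask.make_response("File doesn't have a valid extension for a plugin archive", 400)`. `suffix="{ext}".format(**locals())` can simply be `suffix=ext`, since `ext` is already one of the whitelisted strings. Worth a comment that this is a name check on the client-supplied filename, useful to bound the temp-file suffix but not a validation of the archive contents, e.g. `# only a whitelisted suffix reaches the temp file name; the archive itself is still untrusted`. The enclosing method starts and ends outside the hunk.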
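Review bot: `sarge.shell_quote(path)` is only correct if `pip_args` is later rendered into a shell command string, as the matching `shell_quote(url)` line two lines up suggests; if the list were passed as argv without a shell, the quotes would become literal characters of the path and pip would not find the file. The commit message does not mention this line, so a short comment tying it to the url case would help, e.g. `# quoted like url above: pip_args is rendered into a shell command line` — adjust the wording to how the call site actually consumes pip_args, which is outside the hunk. The enclosing function's body starts and ends outside the hunk.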
+++ b/src/octoprint/server/api/languages.py
@@ -90,11 +90,17 @@ def getInstalledLanguagePacks():
 def uploadLanguagePack():
 input_name = "file"
 input_upload_path = input_name + "." + settings().get(["server", "uploads", "pathSuffix"])
- if not input_upload_path in request.values:
+ input_upload_name = input_name + "." + settings().get(["server", "uploads", "nameSuffix"])
+ if not input_upload_path in request.values or not input_upload_name in request.values:
 return make_response("No file included", 400)
 
+ upload_name = request.values[input_upload_name]
 upload_path = request.values[input_upload_path]
 
+ exts = filter(lambda x: upload_name.endswith(x), (".zip", ".tar.gz", ".tgz", ".tar"))
+ if not len(exts):
+ return make_response("File doesn't have a valid extension for a plugin archive", 400)
+
 target_path = settings().getBaseFolder("translations")
 
 if tarfile.is_tarfile(upload_path):
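Review bot: The new rejection message in uploadLanguagePack says "plugin archive", but this endpoint receives language packs, so the 400 body misleads the user; change it to `return make_response("File doesn't have a valid extension for a language pack archive", 400)`. The `exts` list is only used for the emptiness test here, so the check reduces to `if not upload_name.endswith((".zip", ".tar.gz", ".tgz", ".tar")):`, which also avoids `len()` on a `filter` object (a list on Python 2 only; on Python 3 it raises TypeError). Since the `tarfile.is_tarfile(upload_path)` line that follows examines the actual contents, a comment making the division of labour explicit would help, e.g. `# name-based precheck on the client-supplied filename; content is verified below`. The enclosing function's body continues past the hunk.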