zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-04-25 01:32:36 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix escaping issues for file deletion

Browse source
This commit is contained in:
Kyle Drake 2016-06-30 15:29:23 -07:00
parent 80d7536fe1
commit c33a8a86b1
5 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Gemfile
View file

@ -48,6 +48,7 @@ gem 'acme-client', {
branch: 'no_activesupport' branch: 'no_activesupport'
} }
gem 'http' gem 'http'
gem 'htmlentities'
platform :mri, :rbx do platform :mri, :rbx do
gem 'magic' # sudo apt-get install file, For OSX: brew install libmagic gem 'magic' # sudo apt-get install file, For OSX: brew install libmagic

2
Gemfile.lock
View file

@ -97,6 +97,7 @@ GEM
hiredis (0.6.1) hiredis (0.6.1)
hoe (3.14.2) hoe (3.14.2)
rake (>= 0.8, < 11.0) rake (>= 0.8, < 11.0)
htmlentities (4.3.4)
http (2.0.1) http (2.0.1)
addressable (~> 2.3) addressable (~> 2.3)
http-cookie (~> 1.0) http-cookie (~> 1.0)
@ -287,6 +288,7 @@ DEPENDENCIES
geoip geoip
hiredis hiredis
hoe (= 3.14.2) hoe (= 3.14.2)
htmlentities
http http
io-extra io-extra
jdbc-postgres jdbc-postgres

5
app/site_files.rb
View file

@ -134,10 +134,11 @@ end
post '/site_files/delete' do post '/site_files/delete' do
require_login require_login
current_site.delete_file params[:filename] path = HTMLEntities.new.decode params[:filename]
current_site.delete_file path
flash[:success] = "Deleted #{params[:filename]}. Please note it can take up to 30 minutes for deleted files to stop being viewable on your site." flash[:success] = "Deleted #{params[:filename]}. Please note it can take up to 30 minutes for deleted files to stop being viewable on your site."
dirname = Pathname(params[:filename]).dirname dirname = Pathname(path).dirname
dir_query = dirname.nil? || dirname.to_s == '.' ? '' : "?dir=#{Rack::Utils.escape dirname}" dir_query = dirname.nil? || dirname.to_s == '.' ? '' : "?dir=#{Rack::Utils.escape dirname}"
redirect "/dashboard#{dir_query}" redirect "/dashboard#{dir_query}"

10
tests/site_file_tests.rb
View file

@ -69,6 +69,16 @@ describe 'site_files' do
@site.reload.site_files.select {|f| f.path =~ /#{Regexp.quote '8)'}/}.length.must_equal 0 @site.reload.site_files.select {|f| f.path =~ /#{Regexp.quote '8)'}/}.length.must_equal 0
end end
it 'deletes with escaped apostrophe' do
upload(
'dir' => "test'ing",
'files[]' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
)
@site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 1
delete_file filename: "test'ing"
@site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 0
end
it 'deletes a directory and all files in it' do it 'deletes a directory and all files in it' do
upload( upload(
'dir' => 'test', 'dir' => 'test',

2
views/dashboard.erb
View file

@ -167,7 +167,7 @@
<a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a> <a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a>
<% end %> <% end %>
<% if !file[:is_root_index] %> <% if !file[:is_root_index] %>
<a href="#" onclick="confirmFileDelete('<%= file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a> <a href="#" onclick="confirmFileDelete('<%== file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a>
<% end %> <% end %>
<% if file[:is_directory] %> <% if file[:is_directory] %>
<a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a> <a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a>