application: verify upload filename

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan
2024-10-21 20:29:54 -04:00
parent 71f9e677b8
commit 4e00a0760e


@@ -980,10 +980,7 @@ class FileUploadHandler(AuthorizedRequestHandler):
async def post(self) -> None: async def post(self) -> None:
if self.parse_failed: if self.parse_failed:
self._file.on_finish() self._file.on_finish()
try: self._remove_temp_file()
os.remove(self._file.filename)
except Exception:
pass
raise tornado.web.HTTPError(500, "File Upload Parsing Failed") raise tornado.web.HTTPError(500, "File Upload Parsing Failed")
form_args = {} form_args = {}
chk_target = self._targets.pop('checksum') chk_target = self._targets.pop('checksum')
@@ -992,20 +989,20 @@ class FileUploadHandler(AuthorizedRequestHandler):
# Validate checksum # Validate checksum
recd_cksum = chk_target.value.decode().lower() recd_cksum = chk_target.value.decode().lower()
if calc_chksum != recd_cksum: if calc_chksum != recd_cksum:
# remove temporary file self._remove_temp_file()
try:
os.remove(self._file.filename)
except Exception:
pass
raise tornado.web.HTTPError( raise tornado.web.HTTPError(
422, 422,
f"File checksum mismatch: expected {recd_cksum}, " f"File checksum mismatch: expected {recd_cksum}, "
f"calculated {calc_chksum}" f"calculated {calc_chksum}"
) )
mp_fname: Optional[str] = self._file.multipart_filename
if mp_fname is None or not mp_fname.strip():
self._remove_temp_file()
raise tornado.web.HTTPError(400, "Multipart filename omitted")
for name, target in self._targets.items(): for name, target in self._targets.items():
if target.value: if target.value:
form_args[name] = target.value.decode() form_args[name] = target.value.decode()
form_args['filename'] = self._file.multipart_filename form_args['filename'] = mp_fname
form_args['tmp_file_path'] = self._file.filename form_args['tmp_file_path'] = self._file.filename
debug_msg = "\nFile Upload Arguments:" debug_msg = "\nFile Upload Arguments:"
for name, value in form_args.items(): for name, value in form_args.items():
@@ -1013,7 +1010,7 @@ class FileUploadHandler(AuthorizedRequestHandler):
debug_msg += f"\nChecksum: {calc_chksum}" debug_msg += f"\nChecksum: {calc_chksum}"
form_args["current_user"] = self.current_user form_args["current_user"] = self.current_user
logging.debug(debug_msg) logging.debug(debug_msg)
logging.info(f"Processing Uploaded File: {self._file.multipart_filename}") logging.info(f"Processing Uploaded File: {mp_fname}")
try: try:
result = await self.file_manager.finalize_upload(form_args) result = await self.file_manager.finalize_upload(form_args)
except ServerError as e: except ServerError as e:
@@ -1041,6 +1038,12 @@ class FileUploadHandler(AuthorizedRequestHandler):
self.set_header("Content-Type", "application/json; charset=UTF-8") self.set_header("Content-Type", "application/json; charset=UTF-8")
self.finish(jsonw.dumps(result)) self.finish(jsonw.dumps(result))
def _remove_temp_file(self) -> None:
try:
os.remove(self._file.filename)
except Exception:
pass
# Default Handler for unregistered endpoints # Default Handler for unregistered endpoints
class AuthorizedErrorHandler(AuthorizedRequestHandler): class AuthorizedErrorHandler(AuthorizedRequestHandler):
async def prepare(self) -> None: async def prepare(self) -> None:
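Review bot: The new guard on `mp_fname` in the second hunk only rejects a missing or blank multipart filename, yet the value is client-supplied and is passed through unchanged as `form_args['filename']` to `finalize_upload`; nothing visible here strips directory components, so unless that function already reduces it to a basename, a `..` or separator-bearing name reaches the file manager and a check such as `if PurePosixPath(mp_fname).name != mp_fname or mp_fname in (".", ".."): raise tornado.web.HTTPError(400, "Invalid multipart filename")` belongs next to the blank-name test. The `_remove_temp_file` helper added in the last hunk keeps the broad `except Exception: pass`, which hides a temp file that was never cleaned up; narrowing it to `except OSError:` and emitting `logging.debug("Unable to remove temp file %s", self._file.filename, exc_info=True)` would preserve the best-effort semantics while leaving a trace of leaked uploads. The helper also lacks a docstring; `"""Best-effort removal of the temporary upload file; failures are ignored."""` would document the contract its three callers rely on. The body of `post()` is only partly shown across these hunks.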