# HG changeset patch
# User Steve Losh
# Date 1278785665 14400
# Node ID 9d8c2dd1ed72eb565e8a5b9a85a7afa213f76c1c
# Parent 82d7322620316286c4fdf5768e600661588b85e8
web: fix unicode in revhash urls
diff -r 82d732262031 -r 9d8c2dd1ed72 review/web.py
--- a/review/web.py Sat Jul 10 13:46:12 2010 -0400
+++ b/review/web.py Sat Jul 10 14:14:25 2010 -0400
@@ -77,6 +77,18 @@
 allow_anon=app.allow_anon, utils=utils, datastore=g.datastore, title=app.title, **kwargs)
+def _get_revision_or_404(revhash):
+ revhash = revhash.lower()
+ if not all(c in 'abcdef1234567890' for c in revhash):
+ abort(404)
+
+ try:
+ rcset = g.datastore[revhash]
+ rev = rcset.target[revhash]
+ return rcset, rev
+ except error.RepoLookupError:
+ abort(404)
+
 @app.before_request
 def load_datastore():
@@ -118,22 +130,18 @@
 body = request.form.get('new-signoff-body', '')
 style = 'markdown' if request.form.get('signoff-markdown') else ''
- try:
- current = request.form.get('current')
- if current:
- g.datastore.edit_signoff(current, body, signoff, style=style)
- else:
- rcset = g.datastore[revhash]
- rcset.add_signoff(body, signoff, style=style)
- except error.RepoLookupError:
- abort(404)
+ current = request.form.get('current')
+ if current:
+ g.datastore.edit_signoff(current, body, signoff, style=style)
+ else:
+ rcset, rev = _get_revision_or_404(revhash)
+ rcset.add_signoff(body, signoff, style=style)
 return redirect("%s/changeset/%s/" % (app.site_root, revhash))
 def _handle_comment(revhash):
 filename = base64.b64decode(request.form.get('filename-b64', u''))
 ufilename = request.form.get('filename-u', u'')
- print repr(filename), repr(ufilename)
 lines = str(request.form.get('lines', ''))
 if lines:
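Review bot: An empty revhash passes the allowlist on the `if not all(c in 'abcdef1234567890' for c in revhash):` line vacuously and goes straight to `g.datastore['']`; whether that raises `error.RepoLookupError` is not visible here, so guard it explicitly with `if not revhash or not all(c in 'abcdef1234567890' for c in revhash):`. The helper also has no docstring; it should state that the hash is lowercased, that anything outside the hex alphabet is rejected with a 404 before the datastore is touched (which is what keeps non-ASCII input away from the repository lookup), and that it otherwise returns the `(rcset, rev)` pair or aborts on `error.RepoLookupError`. Other lookup failures, such as an ambiguous prefix, are presumably mapped to `RepoLookupError` by the datastore — worth confirming. Callers that only need `rcset` (the hunks at -118 and -142) bind the second value to a name they never use; `rcset, _ = _get_revision_or_404(revhash)` makes that explicit.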
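Review bot: `g.datastore.edit_signoff(current, body, signoff, style=style)` is no longer inside the `try`/`except error.RepoLookupError`; before this change a lookup failure on the edit path produced a 404, after it the exception propagates out of the view. The same shift applies to `edit_comment` in the hunk at -142. If `edit_signoff` can raise `error.RepoLookupError` — it receives the form-supplied `current` identifier, which does not get the hex validation `revhash` now gets — either route that branch through the new helper or keep the narrow handler: `try: g.datastore.edit_signoff(current, body, signoff, style=style)` / `except error.RepoLookupError: abort(404)`. The enclosing function starts before this hunk.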
@@ -142,16 +150,13 @@
 body = request.form['new-comment-body']
 style = 'markdown' if request.form.get('comment-markdown') else ''
- try:
- if body:
- current = request.form.get('current')
- if current:
- g.datastore.edit_comment(current, body, ufilename, filename, lines, style)
- else:
- rcset = g.datastore[revhash]
- rcset.add_comment(body, ufilename, filename, lines, style)
- except error.RepoLookupError:
- abort(404)
+ if body:
+ current = request.form.get('current')
+ if current:
+ g.datastore.edit_comment(current, body, ufilename, filename, lines, style)
+ else:
+ rcset, rev = _get_revision_or_404(revhash)
+ rcset.add_comment(body, ufilename, filename, lines, style)
 return redirect("%s/changeset/%s/" % (app.site_root, revhash))
@@ -164,11 +169,7 @@
 elif not app.read_only or app.allow_anon:
 return _handle_comment(revhash)
- try:
- rcset = g.datastore[revhash]
- except error.RepoLookupError:
- abort(404)
- rev = rcset.target[revhash]
+ rcset, rev = _get_revision_or_404(revhash)
 cu_signoffs = rcset.signoffs_for_current_user()
 cu_signoff = cu_signoffs[0] if cu_signoffs else None
@@ -188,6 +189,8 @@
 cmdutil.export(g.datastore.target, [revhash], fp=result)
 except error.RepoLookupError:
 abort(404)
+ except UnicodeEncodeError:
+ abort(404)
 return Response(result.getvalue(), content_type="text/plain")
 @app.route('/pull/', methods=['POST'])
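Review bot: After `rcset, rev = _get_revision_or_404(revhash)` in the hunk at -164 the view keeps its own `revhash`, which the helper lowercases only locally, so a mixed-case hash is accepted for the lookup while any later use of `revhash` in this view (the function continues past the hunk) still sees the original spelling. If the remainder of the view builds URLs from or compares against `revhash`, reassign `revhash = revhash.lower()` before the call, or have the helper return the normalized string; whether that matters downstream is not visible in this hunk.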
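Review bot: The new `except UnicodeEncodeError: abort(404)` in the hunk at -188 handles the symptom of a non-ASCII `revhash` reaching `cmdutil.export(g.datastore.target, [revhash], fp=result)`, while the other views in this commit now reject non-hex input up front via `_get_revision_or_404`; this route is the only one left validating by exception. Calling `_get_revision_or_404(revhash)` before the export would apply the same allowlist here and let the two handlers collapse into one: `except (error.RepoLookupError, UnicodeEncodeError): abort(404)`. The enclosing function starts before this hunk, so where `result` is created is not visible.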