9d8c2dd1ed72

web: fix unicode in revhash urls
author Steve Losh <steve@stevelosh.com>
date Sat, 10 Jul 2010 14:14:25 -0400
parents 82d732262031
children 62247513862f
branches/tags (none)
files review/web.py

Changes

--- a/review/web.py	Sat Jul 10 13:46:12 2010 -0400
+++ b/review/web.py	Sat Jul 10 14:14:25 2010 -0400
@@ -77,6 +77,18 @@
         allow_anon=app.allow_anon, utils=utils, datastore=g.datastore,
         title=app.title, **kwargs)
 
+def _get_revision_or_404(revhash):
+    revhash = revhash.lower()
+    if not all(c in 'abcdef1234567890' for c in revhash):
+        abort(404)
+
+    try:
+        rcset = g.datastore[revhash]
+        rev = rcset.target[revhash]
+        return rcset, rev
+    except error.RepoLookupError:
+        abort(404)
+
 
 @app.before_request
 def load_datastore():
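Review bot: The character test in `_get_revision_or_404` accepts the empty string, because `all()` over no characters is true, and it puts no upper bound on length, so an empty or arbitrarily long hex string still reaches `g.datastore[revhash]`. Tightening the guard to `if not revhash or len(revhash) > 40 or not all(c in 'abcdef1234567890' for c in revhash):` keeps the lookup to plausible changeset hashes. The helper lowercases `revhash` only locally, so callers keep using the original casing in their redirects; returning or documenting the normalized value would avoid that mismatch. A one-line docstring such as `"""Return (rcset, rev) for a hex revhash, aborting with 404 if it is malformed or unknown."""` would state the contract.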
@@ -118,22 +130,18 @@
     body = request.form.get('new-signoff-body', '')
     style = 'markdown' if request.form.get('signoff-markdown') else ''
 
-    try:
-        current = request.form.get('current')
-        if current:
-            g.datastore.edit_signoff(current, body, signoff, style=style)
-        else:
-            rcset = g.datastore[revhash]
-            rcset.add_signoff(body, signoff, style=style)
-    except error.RepoLookupError:
-        abort(404)
+    current = request.form.get('current')
+    if current:
+        g.datastore.edit_signoff(current, body, signoff, style=style)
+    else:
+        rcset, rev = _get_revision_or_404(revhash)
+        rcset.add_signoff(body, signoff, style=style)
 
     return redirect("%s/changeset/%s/" % (app.site_root, revhash))
 
 def _handle_comment(revhash):
     filename = base64.b64decode(request.form.get('filename-b64', u''))
     ufilename = request.form.get('filename-u', u'')
-    print repr(filename), repr(ufilename)
 
     lines = str(request.form.get('lines', ''))
     if lines:
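Review bot: With the `try`/`except` removed, the `if current:` branch calls `g.datastore.edit_signoff(current, ...)` without any `error.RepoLookupError` handling and without passing `revhash` through `_get_revision_or_404`. If `edit_signoff` can raise a lookup error for a bad `current`, it would now surface as an unhandled exception rather than a 404, and the unvalidated `revhash` is still interpolated into the redirect URL. The `edit_comment` branch in the next hunk has the same gap. Calling `rcset, rev = _get_revision_or_404(revhash)` once before the `if current:` test would validate both paths. Both functions start or end outside this hunk, so any earlier validation is not visible here.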
@@ -142,16 +150,13 @@
     body = request.form['new-comment-body']
     style = 'markdown' if request.form.get('comment-markdown') else ''
     
-    try:
-        if body:
-            current = request.form.get('current')
-            if current:
-                g.datastore.edit_comment(current, body, ufilename, filename, lines, style)
-            else:
-                rcset = g.datastore[revhash]
-                rcset.add_comment(body, ufilename, filename, lines, style)
-    except error.RepoLookupError:
-        abort(404)
+    if body:
+        current = request.form.get('current')
+        if current:
+            g.datastore.edit_comment(current, body, ufilename, filename, lines, style)
+        else:
+            rcset, rev = _get_revision_or_404(revhash)
+            rcset.add_comment(body, ufilename, filename, lines, style)
     
     return redirect("%s/changeset/%s/" % (app.site_root, revhash))
 
@@ -164,11 +169,7 @@
         elif not app.read_only or app.allow_anon:
             return _handle_comment(revhash)
     
-    try:
-        rcset = g.datastore[revhash]
-    except error.RepoLookupError:
-        abort(404)
-    rev = rcset.target[revhash]
+    rcset, rev = _get_revision_or_404(revhash)
     
     cu_signoffs = rcset.signoffs_for_current_user()
     cu_signoff = cu_signoffs[0] if cu_signoffs else None
@@ -188,6 +189,8 @@
         cmdutil.export(g.datastore.target, [revhash], fp=result)
     except error.RepoLookupError:
         abort(404)
+    except UnicodeEncodeError:
+        abort(404)
     return Response(result.getvalue(), content_type="text/plain")
 
 @app.route('/pull/', methods=['POST'])
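Review bot: This route still hands the raw `revhash` to `cmdutil.export` and relies on catching `UnicodeEncodeError`, instead of using the hex validation the other routes now get from `_get_revision_or_404`. As written, a non-hex but ASCII value is still passed to the repository lookup here, so the accepted input differs between routes. Calling `_get_revision_or_404(revhash)` before the export, or applying the same character check, would make the behaviour consistent. If the exception approach is kept, the two handlers can be merged as `except (error.RepoLookupError, UnicodeEncodeError):`. The function begins outside this hunk.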