Make tracker names match [A-Za-z0-9._-]+
Fixes an issue where "_" could be used as a wildcard in tracker names. Also prohibits use of '.git' and '.hg' as tracker names.
parent
f4cb8f8137
commit
790f8e301b
|
@ -51,7 +51,7 @@ def get_tracker(owner, name, with_for_update=False, user=None):
|
|||
return None, None
|
||||
tracker = (Tracker.query
|
||||
.filter(Tracker.owner_id == owner.id)
|
||||
.filter(Tracker.name.ilike(name)))
|
||||
.filter(Tracker.name.ilike(name.replace('_', '\\_'))))
|
||||
if with_for_update:
|
||||
tracker = tracker.with_for_update()
|
||||
tracker = tracker.one_or_none()
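Review bot: The new filter `Tracker.name.ilike(name.replace('_', '\\_'))` escapes only `_`, so a `%` in `name` is still a LIKE wildcard and a backslash in `name` is still read as the escape character. The hunk does not show `name` being validated before this lookup, so if it comes from the request path, a pattern can match a tracker other than the one named, and with several matches `one_or_none()` raises instead of returning. An exact case-insensitive comparison avoids pattern syntax altogether, for example `.filter(func.lower(Tracker.name) == name.lower())`. If `ilike` stays, escape `\`, `%` and `_` and pass `escape='\\'` explicitly so the behaviour does not depend on the database default. The same filter appears in the duplicate-name check in the `Tracker` class hunk, and `get_tracker` starts and ends outside this hunk.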
|
||||
|
|
|
@ -36,21 +36,21 @@ USER_MENTION_PATTERN = re.compile(r"""
|
|||
|
||||
# Matches ticket mentions, e.g. #17, tracker#17 and ~user/tracker#17
|
||||
TICKET_MENTION_PATTERN = re.compile(r"""
|
||||
(?<![^\s(]) # No leading non-whitespace characters
|
||||
(~(?P<username>\w+)/)? # Optional username
|
||||
(?P<tracker_name>[a-z0-9_.-]+)? # Optional tracker name
|
||||
\#(?P<ticket_id>\d+) # Ticket ID
|
||||
\b # Word boundary
|
||||
(?<![^\s(]) # No leading non-whitespace characters
|
||||
(~(?P<username>\w+)/)? # Optional username
|
||||
(?P<tracker_name>[A-Za-z0-9_.-]+)? # Optional tracker name
|
||||
\#(?P<ticket_id>\d+) # Ticket ID
|
||||
\b # Word boundary
|
||||
""", re.VERBOSE)
|
||||
|
||||
# Matches ticket URL
|
||||
TICKET_URL_PATTERN = re.compile(f"""
|
||||
(?<![^\\s(]) # No leading non-whitespace characters
|
||||
{origin}/ # Base URL
|
||||
~(?P<username>\\w+)/ # Username
|
||||
(?P<tracker_name>[a-z0-9_.-]+)/ # Tracker name
|
||||
(?P<ticket_id>\\d+) # Ticket ID
|
||||
\\b # Word boundary
|
||||
(?<![^\\s(]) # No leading non-whitespace characters
|
||||
{origin}/ # Base URL
|
||||
~(?P<username>\\w+)/ # Username
|
||||
(?P<tracker_name>[A-Za-z0-9_.-]+)/ # Tracker name
|
||||
(?P<ticket_id>\\d+) # Ticket ID
|
||||
\\b # Word boundary
|
||||
""", re.VERBOSE)
|
||||
|
||||
def get_participant_for_user(user):
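Review bot: `TICKET_URL_PATTERN` interpolates `{origin}` into the regex as-is, so every `.` in the host matches any character, and under `re.VERBOSE` any whitespace or `#` in the value would be dropped or start a comment. Unless `origin` is already escaped where it is defined (not visible in this hunk), a URL on a look-alike host can be parsed as a reference to a local ticket. Writing the line as `{re.escape(origin)}/ # Base URL` makes the base URL match literally.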
|
||||
|
|
|
@ -6,7 +6,7 @@ from srht.flagtype import FlagType
|
|||
from srht.validation import Validation
|
||||
from todosrht.types import TicketAccess, TicketStatus, TicketResolution
|
||||
|
||||
name_re = re.compile(r"^([a-zA-Z][a-zA-Z0-9._-]*?)+$")
|
||||
name_re = re.compile(r"^[A-Za-z0-9._-]+$")
|
||||
|
||||
class Tracker(Base):
|
||||
__tablename__ = 'tracker'
|
||||
|
@ -70,11 +70,14 @@ class Tracker(Base):
|
|||
"Must be between 1 and 255 characters",
|
||||
field="name")
|
||||
valid.expect(not valid.ok or name_re.match(name),
|
||||
"Only alphanumeric characters or <samp>._-</samp>",
|
||||
"Name must match [A-Za-z0-9._-]+",
|
||||
field="name")
|
||||
valid.expect(not valid.ok or name not in [".", ".."],
|
||||
"Name cannot be '.' or '..'",
|
||||
field="name")
|
||||
valid.expect(not valid.ok or name not in [".git", ".hg"],
|
||||
"Name must not be '.git' or '.hg'",
|
||||
field="name")
|
||||
valid.expect(not desc or len(desc) < 4096,
|
||||
"Must be less than 4096 characters",
|
||||
field="description")
|
||||
|
@ -83,7 +86,7 @@ class Tracker(Base):
|
|||
|
||||
tracker = (Tracker.query
|
||||
.filter(Tracker.owner_id == user.id)
|
||||
.filter(Tracker.name.ilike(name))
|
||||
.filter(Tracker.name.ilike(name.replace('_', '\\_')))
|
||||
).first()
|
||||
valid.expect(not tracker,
|
||||
"A tracker by this name already exists", field="name")
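Review bot: `name_re = re.compile(r"^[A-Za-z0-9._-]+$")` is applied with `name_re.match(name)`, and in Python `$` also matches just before a trailing newline, so a name such as `"foo\n"` passes validation. Use `name_re.fullmatch(name)` or end the pattern with `\Z` so that the stored name is limited to the documented characters. The reserved-name check `name not in [".git", ".hg"]` is case-sensitive while lookups go through `ilike`, so `.GIT` is accepted. `name.lower() not in [".git", ".hg"]` would cover that, if the case-insensitive form matters for the reason these names are banned. The validation method begins outside these hunks.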
|
||||
|
|