

FIX #65 - import_file_name form field can be use to access the filesy…
…stem

Thanks @avoine for the report and the proposed solution
bmihelac committed Feb 20, 2014
1 parent 2d5df6c commit 93494b0
Showing 3 changed files with 28 additions and 3 deletions.
10 changes: 7 additions & 3 deletions import_export/admin.py
Expand Up @@ -2,6 +2,7 @@

import tempfile
from datetime import datetime
import os.path

from django.contrib import admin
from django.utils.translation import ugettext_lazy as _
Expand Down Expand Up @@ -101,8 +102,11 @@ def process_import(self, request, *args, **kwargs):
input_format = import_formats[
int(confirm_form.cleaned_data['input_format'])
]()
import_file = open(confirm_form.cleaned_data['import_file_name'],
input_format.get_read_mode())
import_file_name = os.path.join(
tempfile.gettempdir(),
confirm_form.cleaned_data['import_file_name']
)
import_file = open(import_file_name, input_format.get_read_mode())
data = import_file.read()
if not input_format.is_binary() and self.from_encoding:
data = force_text(data, self.from_encoding)
Expand Down Expand Up @@ -162,7 +166,7 @@ def import_action(self, request, *args, **kwargs):

if not result.has_errors():
context['confirm_form'] = ConfirmImportForm(initial={
'import_file_name': uploaded_file.name,
'import_file_name': os.path.basename(uploaded_file.name),
'input_format': form.cleaned_data['input_format'],
})

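Review bot: Joining the submitted name onto tempfile.gettempdir() (lines 33-36 of the process_import hunk) confines the read to the temp directory, but any file in that shared directory is still selectable by name, so a user with import permission could read another user's pending import or any other readable temp file whose name they can guess. A tighter binding would have import_action record the server-generated temp name (a session entry or a per-request prefix) and have process_import open only a name it recorded itself; at minimum the residual trust should be stated at the join with `# Confined to the temp dir (#65); any name inside it is still accepted`. Separately, the handle returned by `open()` on the new line is not closed within the hunk; if the remainder of process_import does not close it, `with open(import_file_name, input_format.get_read_mode()) as import_file:` would avoid leaking the descriptor. process_import starts and ends outside the hunk, so the later handling of import_file is not visible here.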
7 changes: 7 additions & 0 deletions import_export/forms.py
@@ -1,5 +1,7 @@
from __future__ import unicode_literals

import os.path

from django import forms
from django.utils.translation import ugettext_lazy as _

Expand Down Expand Up @@ -28,6 +30,11 @@ class ConfirmImportForm(forms.Form):
import_file_name = forms.CharField(widget=forms.HiddenInput())
input_format = forms.CharField(widget=forms.HiddenInput())

def clean_import_file_name(self):
data = self.cleaned_data['import_file_name']
data = os.path.basename(data)
return data


class ExportForm(forms.Form):
file_format = forms.ChoiceField(
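Review bot: clean_import_file_name silently normalises a tampered value into a harmless basename, so a submission that contained path separators is never surfaced to the admin or to logs; rejecting it instead makes the attempt visible: `if os.path.basename(data) != data: raise forms.ValidationError(_('Invalid file name'))`. The three-statement body could also collapse to `return os.path.basename(self.cleaned_data['import_file_name'])`. The method has no docstring explaining why the value is rewritten; a one-liner such as `"""Keep only the final path component so the hidden field cannot name a file outside the upload directory (#65)."""` would stop a future maintainer from removing it as a no-op.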
14 changes: 14 additions & 0 deletions tests/core/tests/admin_integration_tests.py
Expand Up @@ -72,3 +72,17 @@ def test_import_export_buttons_visible_without_add_permission(self):

self.assertContains(response, _('Export'))
self.assertContains(response, _('Import'))

def test_import_file_name_in_tempdir(self):
# 65 - import_file_name form field can be use to access the filesystem
import_file_name = os.path.join(
os.path.dirname(__file__),
os.path.pardir,
'exports',
'books.csv')
data = {
'input_format': "0",
'import_file_name': import_file_name,
}
with self.assertRaises(IOError):
self.client.post('/admin/core/book/process_import/', data)
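Review bot: The assertion on lines 92-93 only proves the fix indirectly: it passes when no file named books.csv exists in the process's temp directory and fails if one is left there by another test or process, and it would also pass vacuously if the fixture path itself did not exist. Two preconditions make the intent explicit and the test non-flaky, `self.assertTrue(os.path.exists(import_file_name))` before the post and `self.assertFalse(os.path.exists(os.path.join(tempfile.gettempdir(), 'books.csv')))` alongside it. The comment on line 82 would read better as `# Regression test for #65: import_file_name must not escape the temp dir`. The os and tempfile imports this relies on are outside the hunk, so whether tempfile is already imported in the test module cannot be confirmed here.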
