hash filenames before saving to upload directory

mozilla · Feb 21, 2011 · cef96d0 · cef96d0
1 parent a1edb79
commit cef96d0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/apps/jetpack/models.py b/apps/jetpack/models.py
@@ -9,6 +9,7 @@
 import commonware
 import tarfile
 import markdown
+import hashlib
 
 from copy import deepcopy
 
@@ -1291,9 +1292,9 @@ def get_display_url(self):
         return reverse('jp_attachment', args=[self.get_uid])
 
     def create_path(self):
-        args = (self.pk, self.filename, self.ext)
-        # @TODO: Verify this is good enough entropy
-        self.path = os.path.join(time.strftime('%Y/%m/%d'), '%s-%s.%s' % args)
+        filename = hashlib.md5(self.filename + self.ext).hexdigest()
+        args = (self.pk, filename, )
+        self.path = os.path.join(time.strftime('%Y/%m/%d'), '%s-%s' % args)
 
     def get_file_path(self):
         if self.path:

diff --git a/apps/jetpack/tests/test_views.py b/apps/jetpack/tests/test_views.py
@@ -3,7 +3,7 @@
 import json
 import StringIO
 import simplejson
-
+import hashlib
 from datetime import datetime
 
 from test_utils import TestCase
@@ -254,8 +254,10 @@ def test_paths(self):
         self.client.post(self.get_change_url(1), data)
         atts = Attachment.objects.filter(revisions__package=self.package)
 
-        assert atts[0].get_file_path().endswith('%s-some.txt' % atts[0].pk)
-        assert atts[1].get_file_path().endswith('%s-some.txt' % atts[1].pk)
+        hash = hashlib.md5('sometxt').hexdigest()
+
+        assert atts[0].get_file_path().endswith('%s-%s' % (atts[0].pk, hash))
+        assert atts[1].get_file_path().endswith('%s-%s' % (atts[1].pk, hash))
 
     def test_attachment_remove(self):
         revision = self.add_one()