From cef96d02cb44f755d158279e44d4262741c67b2a Mon Sep 17 00:00:00 2001
From: Sean McArthur <sean.monstar@gmail.com>
Date: Fri, 11 Feb 2011 19:05:38 +0100
Subject: [PATCH] hash filenames before saving to upload directory

---
 apps/jetpack/models.py           | 7 ++++---
 apps/jetpack/tests/test_views.py | 8 +++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/apps/jetpack/models.py b/apps/jetpack/models.py
index f77dcf40..316630a9 100644
--- a/apps/jetpack/models.py
+++ b/apps/jetpack/models.py
@@ -9,6 +9,7 @@
 import commonware
 import tarfile
 import markdown
+import hashlib
 
 from copy import deepcopy
 
@@ -1291,9 +1292,9 @@ def get_display_url(self):
         return reverse('jp_attachment', args=[self.get_uid])
 
     def create_path(self):
-        args = (self.pk, self.filename, self.ext)
-        # @TODO: Verify this is good enough entropy
-        self.path = os.path.join(time.strftime('%Y/%m/%d'), '%s-%s.%s' % args)
+        filename = hashlib.md5(self.filename + self.ext).hexdigest()
+        args = (self.pk, filename, )
+        self.path = os.path.join(time.strftime('%Y/%m/%d'), '%s-%s' % args)
 
     def get_file_path(self):
         if self.path:
diff --git a/apps/jetpack/tests/test_views.py b/apps/jetpack/tests/test_views.py
index c7394485..4b37f160 100644
--- a/apps/jetpack/tests/test_views.py
+++ b/apps/jetpack/tests/test_views.py
@@ -3,7 +3,7 @@
 import json
 import StringIO
 import simplejson
-
+import hashlib
 from datetime import datetime
 
 from test_utils import TestCase
@@ -254,8 +254,10 @@ def test_paths(self):
         self.client.post(self.get_change_url(1), data)
         atts = Attachment.objects.filter(revisions__package=self.package)
 
-        assert atts[0].get_file_path().endswith('%s-some.txt' % atts[0].pk)
-        assert atts[1].get_file_path().endswith('%s-some.txt' % atts[1].pk)
+        hash = hashlib.md5('sometxt').hexdigest()
+
+        assert atts[0].get_file_path().endswith('%s-%s' % (atts[0].pk, hash))
+        assert atts[1].get_file_path().endswith('%s-%s' % (atts[1].pk, hash))
 
     def test_attachment_remove(self):
         revision = self.add_one()