weeheavy/pelican-theme
1
0
Fork 0
forked from github/pelican
Code Pull requests Activity

Check safety of save_as earlier if possible

Browse source 
The check in the writer still serves as a safety net.
This commit is contained in:
Jonas Wielicki 2017-02-03 09:13:14 +01:00
commit 018f4468cc
5 changed files with 103 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

34
pelican/contents.py
View file

@ -17,8 +17,9 @@ from pelican import signals
from pelican.settings import DEFAULT_CONFIG
from pelican.utils import (SafeDatetime, deprecated_attribute, memoized,
path_to_url, posixize_path,
python_2_unicode_compatible, set_date_tzinfo,
slugify, strftime, truncate_html_words)
python_2_unicode_compatible, sanitised_join,
set_date_tzinfo, slugify, strftime,
truncate_html_words)
# Import these so that they're avalaible when you import from pelican.contents.
from pelican.urlwrappers import (Author, Category, Tag, URLWrapper) # NOQA
@ -161,6 +162,22 @@ class Content(object):
if not hasattr(self, prop):
raise NameError(prop)
def valid_save_as(self):
"""Return true if save_as doesn't write outside output path, false
otherwise."""
try:
output_path = self.settings["OUTPUT_PATH"]
except KeyError:
# we cannot check
return True
try:
sanitised_join(output_path, self.save_as)
except RuntimeError: # outside output_dir
return False
return True
@property
def url_format(self):
"""Returns the URL, formatted with the proper values"""
@ -470,9 +487,20 @@ class Static(Page):
def is_valid_content(content, f):
try:
content.check_properties()
return True
except NameError as e:
logger.error(
"Skipping %s: could not find information about '%s'",
f, six.text_type(e))
return False
if not content.valid_save_as():
logger.error(
"Skipping %s: file %r would be written outside output path",
f,
content.save_as,
)
# Note: future code might want to use a result variable instead, to
# allow showing multiple error messages at once.
return False
return True