Fixed AMF controller to validate changeset comments

Fixed AMF controller so that it doesn't accept non-UTF8 comments, and throws away non-XML characters.
2010-08-08 15:47:55 +01:00 · 2010-08-08 15:47:55 +01:00 · 838b1ee7e9
commit 838b1ee7e9
parent 13c60137c2
2 changed files with 30 additions and 1 deletions
--- a/app/controllers/amf_controller.rb
+++ b/app/controllers/amf_controller.rb
@ -187,6 +187,11 @@ class AmfController < ApplicationController
      if !user then return -1,"You are not logged in, so Potlatch can't write any changes to the database." end
      unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end

+      if cstags
+        if !tags_ok(cstags) then return -1,"One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." end
+        cstags = strip_non_xml_chars cstags
+      end
+
      # close previous changeset and add comment
      if closeid
        cs = Changeset.find(closeid.to_i)
@ -197,6 +202,8 @@ class AmfController < ApplicationController
          cs.save!
        else
          cs.tags['comment']=closecomment
+          # in case closecomment has chars not allowed in xml
+          cs.tags = strip_non_xml_chars cs.tags
          cs.save_with_tags!
        end
      end
@ -206,7 +213,11 @@ class AmfController < ApplicationController
        cs = Changeset.new
        cs.tags = cstags
        cs.user_id = user.id
-        if !closecomment.empty? then cs.tags['comment']=closecomment end
+        if !closecomment.empty? 
+          cs.tags['comment']=closecomment 
+          # in case closecomment has chars not allowed in xml
+          cs.tags = strip_non_xml_chars cs.tags
+        end
        # smsm1 doesn't like the next two lines and thinks they need to be abstracted to the model more/better
        cs.created_at = Time.now.getutc
        cs.closed_at = cs.created_at + Changeset::IDLE_TIMEOUT
--- a/test/functional/amf_controller_test.rb
+++ b/test/functional/amf_controller_test.rb
@ -529,6 +529,24 @@ class AmfControllerTest < ActionController::TestCase
    
  end

+  def test_startchangeset_invalid_xmlchar_comment
+    invalid = "\035\022"
+    comment = "foo#{invalid}bar"
+      
+    amf_content "startchangeset", "/1", ["test@example.com:test", Hash.new, nil, comment, 1]
+    post :amf_write
+    assert_response :success
+    amf_parse_response
+    result = amf_result("/1")
+
+    assert_equal 3, result.size, result.inspect
+    assert_equal 0, result[0]
+    new_cs_id = result[2]
+
+    cs = Changeset.find(new_cs_id)
+    assert_equal "foobar", cs.tags["comment"]
+  end
+
  # ************************************************************
  # AMF Helper functions