From fec4a729cbb1f5788acd643d844709a639e87b44 Mon Sep 17 00:00:00 2001
From: AlexandreJunod
Date: Wed, 13 Dec 2023 09:50:10 +0100
Subject: [PATCH] use get_valid_filename on parameters given to url
---
 geocity/apps/api/services.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/geocity/apps/api/services.py b/geocity/apps/api/services.py
index 452fbaaf7..a5e0d6451 100644
--- a/geocity/apps/api/services.py
+++ b/geocity/apps/api/services.py
@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.db.models import Q
+from django.utils.text import get_valid_filename
 from PIL import Image
 from unidecode import unidecode
@@ -39,14 +40,19 @@ def can_image_be_displayed_for_agenda(
     - and FieldValue with
     - public_if_submission_public
     """
+    safe_submission_id = get_valid_filename(submission_id)
+    safe_image_name = get_valid_filename(image_name)
+
     submission_display_conditions = Submission.objects.filter(
-        Q(pk=submission_id)
+        Q(pk=safe_submission_id)
         & Q(selected_forms__form__agenda_visible=True)
         & Q(is_public_agenda=True)
         & Q(status__in=Submission.VISIBLE_IN_AGENDA_STATUSES)
     ).exists()
-    image_name_in_db = {"val": f"permit_requests_uploads/{submission_id}/{image_name}"}
+    image_name_in_db = {
+        "val": f"permit_requests_uploads/{safe_submission_id}/{safe_image_name}"
+    }
     fieldvalue_display_conditions = FieldValue.objects.filter(
         Q(value=image_name_in_db)
         & Q(field__public_if_submission_public=True)
@@ -64,8 +70,11 @@ def get_image_dimensions(image_path):
 def get_image_path(submission_id, image_name):
     image_dir = settings.PRIVATE_MEDIA_ROOT
+    safe_submission_id = get_valid_filename(submission_id)
+    safe_image_name = get_valid_filename(image_name)
+
     image_path = os.path.join(
-        image_dir, f"permit_requests_uploads/{submission_id}/{image_name}"
+        image_dir, f"permit_requests_uploads/{safe_submission_id}/{safe_image_name}"
     )
     return image_path
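Review bot: The authorisation decision in this hunk is only sound while the `image_name_in_db["val"]` string and the path built in `get_image_path` stay byte-identical, yet the two `get_valid_filename` calls and the `permit_requests_uploads/...` template are now duplicated in both functions with nothing tying them together; a later change to one side (for example running `unidecode`, which this module already imports, on only one of them) would let the check approve one file and the path builder serve another. A single helper such as `_upload_relpath(submission_id, image_name)` returning `f"permit_requests_uploads/{get_valid_filename(submission_id)}/{get_valid_filename(image_name)}"`, used here for `"val"` and in `get_image_path` for the join, keeps the check and the served path in lockstep. Note also that on current Django `get_valid_filename` raises `SuspiciousFileOperation` when the input reduces to `""`, `"."` or `".."`, so this function can now raise instead of returning False; that is fine if the caller lets it reach Django's handler (a 400 response), but the docstring should say `Raises SuspiciousFileOperation if either identifier sanitises to an empty or dot-only name.` `can_image_be_displayed_for_agenda` starts before and continues after this hunk.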
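Review bot: Sanitising each component with `get_valid_filename` removes `/` and `\`, but `get_image_path` still has no explicit check that the joined result stays under the upload tree, so the containment guarantee rests entirely on that helper's behaviour; on Django releases predating the 2021 hardening, `get_valid_filename("..")` returned `".."` unchanged and a `submission_id` of `..` would resolve to `PRIVATE_MEDIA_ROOT` itself, exposing sibling directories there. Django's `safe_join` makes the containment explicit and raises `SuspiciousFileOperation` on escape: `from django.utils._os import safe_join` and `image_path = safe_join(os.path.join(image_dir, "permit_requests_uploads"), safe_submission_id, safe_image_name)`. Which Django version the project pins is not visible from this hunk, so treat this as defence in depth; either way the function should document that it raises `SuspiciousFileOperation` for identifiers that sanitise to an empty or dot-only name and that it returns a path without checking the file exists.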