galaxy-dist commit 7c60d74ba2df: Aggressively sanitize metadata parameter values when provided on the upload form and which are subsequently used for filename substitution.
# HG changeset patch -- Bitbucket.org
# Project galaxy-dist
# URL http://bitbucket.org/galaxy/galaxy-dist/overview
# User Daniel Blankenberg <dan@bx.psu.edu>
# Date 1289329026 18000
# Node ID 7c60d74ba2df4488df90d08ed0ae9c7cc3871222
# Parent 9ee40043b826b3bc1e29f84996f9fe14dd119a45
Aggressively sanitize metadata parameter values when provided on the upload form and which are subsequently used for filename substitution.
--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
@@ -155,6 +155,26 @@ def sanitize_param(value):
 print value
 raise Exception, 'Unknown parameter type (%s)' % ( type( value ) )
+valid_filename_chars = set( string.ascii_letters + string.digits + '_.' )
+invalid_filenames = [ '', '.', '..' ]
+def sanitize_for_filename( text, default=None ):
+ """
+ Restricts the characters that are allowed in a filename portion; Returns default value or a unique id string if result is not a valid name.
+ Method is overly aggressive to minimize possible complications, but a maximum length is not considered.
+ """
+ out = []
+ for c in text:
+ if c in valid_filename_chars:
+ out.append( c )
+ else:
+ out.append( '_' )
+ out = ''.join( out )
+ if out in invalid_filenames:
+ if default is None:
+ return sanitize_for_filename( str( unique_id() ) )
+ return default
+ return out
+
 class Params:
 """
 Stores and 'sanitizes' parameters. Alphanumeric characters and the
--- a/lib/galaxy/tools/parameters/grouping.py
+++ b/lib/galaxy/tools/parameters/grouping.py
@@ -12,7 +12,7 @@ import StringIO, os, urllib
 from galaxy.datatypes import sniff
 from galaxy.util.bunch import Bunch
 from galaxy.util.odict import odict
-from galaxy.util import json, relpath
+from galaxy.util import json, relpath, sanitize_for_filename
 class Group( object ):
 def __init__( self ):
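Review bot: In `sanitize_for_filename` (lib/galaxy/util/__init__.py) the `return default` branch hands back the caller's value without passing it through the character filter, so the function's guarantee holds only when every caller supplies an already-safe default. In this commit the default comes from `metadata_spec[ ... ].default` in grouping.py, which looks like datatype configuration rather than form input, but nothing in the function enforces that. I would filter it as well, e.g. `return sanitize_for_filename( str( default ) )`, which falls back to the unique id when the default is itself unusable. The docstring could also state that `text` must be a string, since `for c in text:` would fail on `None` and would walk a list element by element.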
@@ -335,10 +335,14 @@ class UploadDataset( Group ):
 dataset.composite_files = {}
 #load metadata
 files_metadata = context.get( self.metadata_ref, {} )
+ metadata_name_substition_default_dict = dict( [ ( composite_file.substitute_name_with_metadata, d_type.metadata_spec[ composite_file.substitute_name_with_metadata ].default ) for composite_file in d_type.composite_files.values() if composite_file.substitute_name_with_metadata ] )
 for meta_name, meta_spec in d_type.metadata_spec.iteritems():
 if meta_spec.set_in_upload:
 if meta_name in files_metadata:
- dataset.metadata[ meta_name ] = files_metadata[ meta_name ]
+ meta_value = files_metadata[ meta_name ]
+ if meta_name in metadata_name_substition_default_dict:
+ meta_value = sanitize_for_filename( meta_value, default = metadata_name_substition_default_dict[ meta_name ] )
+ dataset.metadata[ meta_name ] = meta_value
 dataset.precreated_name = dataset.name = self.get_composite_dataset_name( context )
 if dataset.datatype.composite_type == 'auto_primary_file':
 #replace sniff here with just creating an empty file
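Review bot: The filter runs only where the upload form value is copied into `dataset.metadata`, not where the value is later substituted into a composite file name, so any other code path that sets the same metadata element would presumably bypass it. That use site and the rest of the enclosing method are outside this hunk, so this is inferred rather than shown. A comment on the new branch would record the dependency, e.g. `# sanitized because this element is substituted into a composite file name; keep in step with the substitution code`. Separately, `metadata_name_substition_default_dict` is misspelled ("substition"), and the lookup `d_type.metadata_spec[ composite_file.substitute_name_with_metadata ]` may raise for a composite file that names an element missing from the spec, which would abort the upload before any value is checked.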