From a31bfa1533510afcdef6f8597cc6867bb8e5a402 Mon Sep 17 00:00:00 2001
From: Maciej Tronowski
Date: Tue, 21 Apr 2015 13:52:19 +0200
Subject: [PATCH] fix data validation for archive operations
---
 filex/forms.py | 3 +++
 filex/ftp.py | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/filex/forms.py b/filex/forms.py
index e9b866f..17563b5 100644
--- a/filex/forms.py
+++ b/filex/forms.py
@@ -41,6 +41,9 @@ class HostPathForm(HostForm):
 class HostPathNameForm(HostPathForm):
 name = forms.CharField(label=u'Nazwa', max_length=256, validators=[name_validator])
+ def clean_name(self):
+ return clean_path(self.cleaned_data['name'])
+
 class HostItemsForm(HostForm):
 dirs = forms.MultipleChoiceField(label=u'Katalogi', required=False, widget=forms.MultipleHiddenInput())
diff --git a/filex/ftp.py b/filex/ftp.py
index 29c4598..4ed4e50 100644
--- a/filex/ftp.py
+++ b/filex/ftp.py
@@ -4,6 +4,7 @@ from itertools import chain
 import os
 import re
 from threading import Event
+from django.utils.http import urlunquote
 from django.utils.timezone import localtime, UTC
 from gridftp import FTPClient, Buffer, HandleAttr, OperationAttr
@@ -162,6 +163,8 @@ class FTPOperation:
 return False
 def compress(self, server, path, files, archive):
+ self._check_disk_stack_args(*([path, archive] + files))
+
 if self.match_ext(archive, '.tar.gz', '.tgz'):
 cmd, args = 'tar', ['cvzf', archive, '-C', path] + files
 elif self.match_ext(archive, '.tar.bz2', '.tbz'):
@@ -176,6 +179,8 @@ class FTPOperation:
 return self.get(server)
 def extract(self, server, archive, dst):
+ self._check_disk_stack_args(*[archive, dst])
+
 if self.match_ext(archive, '.tar.gz', '.tgz'):
 cmd, args = 'tar', ('xvzf', archive, '-C', dst)
 elif self.match_ext(archive, '.tar.bz2', '.tbz'):
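Review bot: The new `clean_name` hands a single entry name to `clean_path`, a helper defined outside this hunk, so whether that helper rejects or merely normalises a path separator and `..` decides whether a submitted `name` can still designate an entry outside the chosen directory; that is worth confirming before treating this as the validation fix the subject line describes. If `clean_path` only normalises, a field-level check such as `if '/' in name or name in ('.', '..'): raise forms.ValidationError(u'...')` belongs here, since `name_validator` on the field is also not visible in the hunk. Either way a one-line docstring, `"""Normalise the entry name the same way full paths are normalised."""`, would tell the next reader why a name field goes through a path cleaner.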
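Review bot: `self._check_disk_stack_args(*([path, archive] + files))` builds a throwaway list only to spread it into a `*args` parameter; the call reads more directly as `self._check_disk_stack_args(path, archive, *files)`, and the same applies to `*[archive, dst]` in the `extract` hunk, which is simply `self._check_disk_stack_args(archive, dst)`. Because the guard runs before `match_ext`, a caller now gets `ValueError` for a bad character even when the extension would have been rejected anyway, which is fine but deserves a short comment such as `# validate before building the popen disk stack, regardless of archive type`. The body of `compress` continues outside the hunk.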
@@ -188,3 +193,10 @@ class FTPOperation:
 self.op_attr.set_disk_stack('#'.join(("popen:argv=", cmd) + args))
 return self.get(server)
+
+ @staticmethod
+ def _check_disk_stack_args(*args):
+ for char in ['#', ',', ';', '%23', '%3B']:
+ for arg in args:
+ if char in arg:
+ raise ValueError('Unsupported character `{}` in `{}`!'.format(urlunquote(char), urlunquote(arg)))
--
1.7.9.5
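Review bot: `_check_disk_stack_args` rejects the raw delimiters `#`, `,` and `;`, but of their percent-encoded forms it lists only `%23` and upper-case `%3B`, so `%2C`/`%2c` (comma) and lower-case `%3b` pass the check. The `urlunquote` calls in the error message suggest the author expects these values to be percent-decoded before the `'#'`-joined disk stack is parsed; if that is the case, the robust form is to decode each argument once and test the decoded value for the three literal characters, which also covers every case the current list handles and keeps the error message identical. The two context lines at the top belong to `extract`, which starts outside the hunk.
```python
    @staticmethod
    def _check_disk_stack_args(*args):
        """Reject arguments that would be parsed as disk-stack delimiters.

        Each argument is percent-decoded once before the test, so encoded
        forms such as `%23`, `%3b` and `%2C` are caught alongside the
        literal characters.
        """
        for arg in args:
            decoded = urlunquote(arg)
            for char in ('#', ',', ';'):
                if char in decoded:
                    raise ValueError('Unsupported character `{}` in `{}`!'.format(char, decoded))
```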