gpg, #106: adjusted from rebase onto master.

2024-11-09 16:45:51 +01:00 · 2016-01-19 09:02:46 -06:00 · 2016-01-19 09:02:46 -06:00 · 7da927fd6e
commit 7da927fd6e
parent 64d0f3aef7
1 changed files with 16 additions and 13 deletions
--- a/pypiserver/_app.py
+++ b/pypiserver/_app.py
@ -148,17 +148,6 @@ def update():
                core.guess_pkgname_and_version(content.raw_filename) is None):
        raise HTTPError(400, "Bad filename: %s" % content.raw_filename)

-    try:
-        gpg_signature = request.files['gpg_signature']
-    except KeyError:
-        gpg_signature = None
-
-    if "/" in content.filename:
-        raise HTTPError(400, output="bad filename")
-
-    if gpg_signature is not None and "/" in gpg_signature.filename:
-        raise HTTPError(400, output="bad filename")
-
    if not config.overwrite and core.exists(packages.root, content.filename):
        log.warn("Cannot upload package(%s) since it already exists! \n" +
                 "  You may use `--overwrite` option when starting server to disable this check. ",
@ -166,12 +155,26 @@ def update():
        msg = "Package already exists! Start server with `--overwrite` option?"
        raise HTTPError(409, msg)

+    try:
+        gpg_signature = request.files['gpg_signature']
+    except KeyError:
+        gpg_signature = None
+
+    if (gpg_signature is not None and
+            (not is_valid_pkg_filename(gpg_signature.raw_filename)
+             or core.guess_pkgname_and_version(content.raw_filename) is None)):
+        raise HTTPError(400, "Bad gpg signature name: %s" %
+                        gpg_signature.raw_filename)
+
+
    if not config.overwrite and core.exists(packages.root,
                                            gpg_signature.filename):
        log.warn("Cannot upload package(%s) because its signature already "
                 "exists! \n  You may use the `--overwrite` option when"
                 "starting the server to disable this check.")
-        raise HTTPError(409, outut="signature file already exists")
+        msg = ("Signature file already exists! Start server with "
+               "`--overwrite` option?")
+        raise HTTPError(409, msg)

    if gpg_signature is None:
        core.store(packages.root, content.filename, content.save)