Repository : http://git.fedorahosted.org/cgit/copr.git On branch : master commit 8d83ed0326209aa67138a403717e706cc46560a0 Author: Adam Samalik <asamalik(a)redhat.com&gt; Date: Tue Apr 8 15:37:59 2014 +0200 validate chroots in POST requests with API .../coprs/views/api_ns/api_general.py | 20 ++++++++++++++++++-- 1 files changed, 18 insertions(+), 2 deletions(-) diff --git a/frontend/coprs_frontend/coprs/views/api_ns/api_general.py b/frontend/coprs_frontend/coprs/views/api_ns/api_general.py index 0a5cd9f..c5b43eb 100644 --- a/frontend/coprs_frontend/coprs/views/api_ns/api_general.py +++ b/frontend/coprs_frontend/coprs/views/api_ns/api_general.py @@ -68,7 +68,15 @@ def api_new_copr(username): form = forms.CoprFormFactory.create_form_cls()(csrf_enabled=False) httpcode = 200 - if form.validate_on_submit(): + + # are there any arguments in POST which our form doesn't know? + if sum([1 for post_key in flask.request.form.keys() \ + if post_key not in form.__dict__.keys()]): + output = {"output": "notok", "error": + "Unknown arguments passed (non-existing chroot probably)"} + httpcode = 500 + + elif form.validate_on_submit(): infos = [] try: copr = coprs_logic.CoprsLogic.add( @@ -209,7 +217,15 @@ def copr_new_build(username, coprname): else: form = forms.BuildFormFactory.create_form_cls( copr.active_chroots)(csrf_enabled=False) - if form.validate_on_submit() and flask.g.user.can_build_in(copr): + + # are there any arguments in POST which our form doesn't know? + if sum([1 for post_key in flask.request.form.keys() \ + if post_key not in form.__dict__.keys()]): + output = {"output": "notok", "error": + "Unknown arguments passed (non-existing chroot probably)"} + httpcode = 500 + + elif form.validate_on_submit() and flask.g.user.can_build_in(copr): # we're checking authorization above for now # and also creating separate build for each package pkgs=form.pkgs.data.replace('\n', ' ').split(" ")