Ignore:
Timestamp:
14 Jun 2016, 00:42:14 (9 years ago)
Author:
uli
Message:

Create safety belt for CSV upload data.

This is the bare minimum we can do to protect from evil files, but
it might do for starters.

Location:
main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students/browser.py

    r13933 r13934  
    31463146        formvals = dict(zip(form['sids'], form['scores']))
    31473147        if form['uploadfile']:
    3148             formvals = self._extract_uploadfile(form['uploadfile'])
     3148            try:
     3149                formvals = self._extract_uploadfile(form['uploadfile'])
     3150            except:
     3151                self.flash(
     3152                    _('Uploaded file contains illegal data. Ignored'),
     3153                    type="danger")
    31493154        for ticket in editable_tickets:
    31503155            score = ticket.score
  • main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students/tests/test_browser.py

    r13933 r13934  
     1# -*- coding: utf-8 -*-
    12## $Id$
    23##
     
    40724073        upload_ctrl.add_file(upload_file, 'text/csv', 'myscores.csv')
    40734074        self.browser.getControl("Update scores").click()
     4075        # value changed
    40744076        self.assertEqual(
    40754077            self.student['studycourse']['100']['COURSE1'].score, 65)
     4078
     4079    def test_scores_csv_upload_ignored(self):
     4080        # for many type of file contents we simply ignore uploaded data
     4081        self.login_as_lecturer()
     4082        self.student['studycourse']['100']['COURSE1'].score = 55
     4083        self.browser.open(self.edit_scores_url)
     4084        for content, mimetype, name in (
     4085                # empty file
     4086                ('', 'text/foo', 'my.foo'),
     4087                # plain ASCII text, w/o comma
     4088                ('abcdef' * 200, 'text/plain', 'my.txt'),
     4089                # plain UTF-8 text, with umlauts
     4090                ('umlauts: äöü', 'text/plain', 'my.txt'),
     4091                # csv file with only a header row
     4092                ('student_id,score', 'text/csv', 'my.csv'),
     4093                # csv with student_id column missing
     4094                ('foo,score\r\nbar,66\r\n', 'text/csv', 'my.csv'),
     4095                # csv with score column missing
     4096                ('student_id,foo\r\nK1000000,bar\r\n', 'text/csv', 'my.csv'),
     4097                # csv with non number as score value
     4098                (UPLOAD_CSV_TEMPLATE % 'not-a-number', 'text/csv', 'my.csv'),
     4099                ):
     4100            upload_ctrl = self.browser.getControl(name='uploadfile:file')
     4101            upload_ctrl.add_file(StringIO(content), mimetype, name)
     4102            self.browser.getControl("Update scores").click()
     4103            self.assertEqual(
     4104                self.student['studycourse']['100']['COURSE1'].score, 55)
     4105            self.assertFalse(
     4106                'Uploaded file contains illegal data' in self.browser.contents)
     4107
     4108    def test_scores_csv_upload_warn_illegal_chars(self):
     4109        # for some types of files we issue a warning if upload data
     4110        # contains illegal chars (and ignore the data)
     4111        self.login_as_lecturer()
     4112        self.student['studycourse']['100']['COURSE1'].score = 55
     4113        self.browser.open(self.edit_scores_url)
     4114        for content, mimetype, name in (
     4115                # plain ASCII text, commas, control chars
     4116                ('abv,qwe\n\r\r\t\b\n' * 20, 'text/plain', 'my.txt'),
     4117                # image data (like a JPEG image)
     4118                (open(SAMPLE_IMAGE, 'rb').read(), 'image/jpg', 'my.jpg'),
     4119                ):
     4120            upload_ctrl = self.browser.getControl(name='uploadfile:file')
     4121            upload_ctrl.add_file(StringIO(content), mimetype, name)
     4122            self.browser.getControl("Update scores").click()
     4123            self.assertEqual(
     4124                self.student['studycourse']['100']['COURSE1'].score, 55)
     4125            self.assertTrue(
     4126                'Uploaded file contains illegal data' in self.browser.contents)
Note: See TracChangeset for help on using the changeset viewer.