From 9ef9c061c8ea16a61c73e8942aa4f3c3432b4577 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 11 Apr 2014 18:20:32 -0400
Subject: [PATCH] Validate Service Provider names

We use the name to construct the admin page path, avoid odd characters

Signed-off-by: Simo Sorce
---
 ipsilon/providers/saml2/admin.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py
index 8a0a511..c6c1a7d 100755
--- a/ipsilon/providers/saml2/admin.py
+++ b/ipsilon/providers/saml2/admin.py
@@ -22,6 +22,10 @@ from ipsilon.util.page import Page
 from ipsilon.providers.saml2.provider import ServiceProvider
 from ipsilon.providers.saml2.provider import ServiceProviderCreator
 from ipsilon.providers.saml2.provider import InvalidProviderId
+import re
+
+
+VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
 class NewSPAdminPage(Page):
@@ -62,6 +66,12 @@ class NewSPAdminPage(Page):
 cherrypy.request.content_type,))
 for key, value in kwargs.iteritems():
 if key == 'name':
+ if re.search(VALID_IN_NAME, value):
+ message = "Invalid name!" \ " Use only numbers and letters"
+ message_type = "error"
+ return self.form_new(message, message_type)
+
 name = value
 elif key == 'meta':
 if hasattr(value, 'content_type'):
@@ -132,6 +142,12 @@ class SPAdminPage(Page):
 if key == 'name':
 if value != self.sp.name:
 if self.user.is_admin or self.user.name == self.sp.owner:
+ if re.search(VALID_IN_NAME, value):
+ message = "Invalid name!" \ " Use only numbers and letters"
+ message_type = "error"
+ return self.form_standard(message, message_type)
+
 self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value))
 self.sp.name = value
-- 
2.20.1
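Review bot: `VALID_IN_NAME = r'[^\ a-zA-Z0-9]'` is a reject pattern — it matches the characters that are not allowed — so the constant's name reads backwards, and the escaped space inside the class is just a literal space, which contradicts the "Use only numbers and letters" message the two later hunks print. A positive, fully anchored whitelist states the policy directly and cannot be broken by a later edit that forgets the negation: `SP_NAME_RE = re.compile(r'[a-zA-Z0-9]+\Z')` checked with `SP_NAME_RE.match(value)` (use `\Z` rather than `$` so a trailing newline is not accepted), keeping the space in the class only if spaces in the admin path are really intended. Compiling once at module level also avoids re-parsing the pattern on every form submit.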
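Review bot: The added check in NewSPAdminPage lets an empty or all-space name through, because `re.search` only fires on a character outside the class and `""` or `"   "` contain none; since the commit message says the name becomes the admin page path, such a name yields an empty or odd path component that the "Invalid name!" message promises to reject. Tighten the condition to `if not value.strip() or re.search(VALID_IN_NAME, value):`. If the form can ever post `name` more than once, `value` may arrive as a list rather than a string and `re.search` would raise `TypeError` instead of returning the form error — presumably cherrypy behaviour, worth confirming or guarding with an `isinstance(value, basestring)` check. The enclosing method begins and ends outside the hunk.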
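Review bot: The five validation lines added to SPAdminPage repeat the NewSPAdminPage hunk verbatim, including the two-line error string, so the two paths will drift the next time the policy changes; a module-level helper keeps them in step: `def _sp_name_is_valid(name): return not re.search(VALID_IN_NAME, name)`, with both pages doing `if not _sp_name_is_valid(value):` and sharing one message constant. Validating only in the two admin pages also leaves any other writer of `sp.name` — presumably `ServiceProviderCreator` or a `ServiceProvider` setter, neither visible here — unguarded; if the path is really derived from the name, the check belongs in the model so every caller inherits it. The enclosing method begins and ends outside the hunk.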