Fix: Check 0x00 in string fields. (Redmine issue: #7572)

fab73a82 · Rajmund Hruška · 6f2533eb · fab73a82 · fab73a82 · fab73a82
Commit fab73a82 authored 2 years ago by Rajmund Hruška
--- a/lib/hawat/blueprints/auth_dev/forms.py
+++ b/lib/hawat/blueprints/auth_dev/forms.py
@@ -76,7 +76,8 @@ class RegisterUserAccountForm(BaseUserAccountForm):
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=50),
            check_login,
-            check_unique_login
+            check_unique_login,
+            hawat.forms.check_null_character
        ]
    )
    memberships_wanted = QuerySelectMultipleField(

--- a/lib/hawat/blueprints/auth_pwd/forms.py
+++ b/lib/hawat/blueprints/auth_pwd/forms.py
@@ -20,7 +20,7 @@ import flask_wtf
 from wtforms.ext.sqlalchemy.fields import QuerySelectMultipleField
 from flask_babel import lazy_gettext

-from hawat.forms import check_login, check_unique_login, get_available_groups
+from hawat.forms import check_login, check_unique_login, get_available_groups, check_null_character
 from hawat.blueprints.users.forms import BaseUserAccountForm


@@ -33,7 +33,8 @@ class LoginForm(flask_wtf.FlaskForm):
        validators=[
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=50),
-            check_login
+            check_login,
+            check_null_character
        ]
    )
    password = wtforms.PasswordField(
@@ -58,7 +59,8 @@ class RegisterUserAccountForm(BaseUserAccountForm):
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=50),
            check_login,
-            check_unique_login
+            check_unique_login,
+            check_null_character
        ]
    )
    memberships_wanted = QuerySelectMultipleField(

--- a/lib/hawat/blueprints/events/forms.py
+++ b/lib/hawat/blueprints/events/forms.py
@@ -258,7 +258,8 @@ class SimpleEventSearchForm(hawat.forms.BaseSearchForm):
    description = wtforms.StringField(
        lazy_gettext('Description:'),
        validators=[
-            wtforms.validators.Optional()
+            wtforms.validators.Optional(),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'Specification of event description. Each event may be optionally assigned short descriptive string.')

--- a/lib/hawat/blueprints/filters/forms.py
+++ b/lib/hawat/blueprints/filters/forms.py
@@ -88,7 +88,8 @@ class BaseFilterForm(hawat.forms.BaseItemForm):
        lazy_gettext('Name:'),
        validators=[
            wtforms.validators.DataRequired(),
-            wtforms.validators.Length(min=3, max=250)
+            wtforms.validators.Length(min=3, max=250),
+            hawat.forms.check_null_character
        ]
    )
    type = wtforms.SelectField(
@@ -221,7 +222,8 @@ class FilterSearchForm(hawat.forms.BaseSearchForm):
        lazy_gettext('Netname, network, description:'),
        validators=[
            wtforms.validators.Optional(),
-            wtforms.validators.Length(min=3, max=100)
+            wtforms.validators.Length(min=3, max=100),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'Filter`s name, content or description. Search is performed even in the middle of the strings.')

--- a/lib/hawat/blueprints/groups/forms.py
+++ b/lib/hawat/blueprints/groups/forms.py
@@ -91,7 +91,8 @@ class BaseGroupForm(hawat.forms.BaseItemForm):
    description = wtforms.StringField(
        lazy_gettext('Description:'),
        validators=[
-            wtforms.validators.DataRequired()
+            wtforms.validators.DataRequired(),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext('Additional and more extensive group description.')
    )
@@ -194,7 +195,8 @@ class AdminUpdateGroupForm(AdminBaseGroupForm):
        validators=[
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=100),
-            hawat.forms.check_unique_group
+            hawat.forms.check_unique_group,
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext('System-wide unique name for the group.')
    )
@@ -215,7 +217,8 @@ class GroupSearchForm(hawat.forms.BaseSearchForm):
        lazy_gettext('Name, description:'),
        validators=[
            wtforms.validators.Optional(),
-            wtforms.validators.Length(min=3, max=100)
+            wtforms.validators.Length(min=3, max=100),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'Group`s full name or description. Search is performed even in the middle of the strings.')

--- a/lib/hawat/blueprints/networks/forms.py
+++ b/lib/hawat/blueprints/networks/forms.py
@@ -53,7 +53,8 @@ class BaseNetworkForm(hawat.forms.BaseItemForm):
        lazy_gettext('Netname:'),
        validators=[
            wtforms.validators.DataRequired(),
-            wtforms.validators.Length(min=3, max=250)
+            wtforms.validators.Length(min=3, max=250),
+            hawat.forms.check_null_character
        ]
    )
    source = wtforms.HiddenField(
@@ -107,7 +108,8 @@ class NetworkSearchForm(hawat.forms.BaseSearchForm):
        lazy_gettext('Netname, network, description:'),
        validators=[
            wtforms.validators.Optional(),
-            wtforms.validators.Length(min=3, max=100)
+            wtforms.validators.Length(min=3, max=100),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'Network`s name, address or description. Search is performed even in the middle of the strings.')

--- a/lib/hawat/blueprints/reports/forms.py
+++ b/lib/hawat/blueprints/reports/forms.py
@@ -77,7 +77,8 @@ class EventReportSearchForm(hawat.forms.BaseSearchForm):
    label = wtforms.StringField(
        lazy_gettext('Label:'),
        validators=[
-            wtforms.validators.Optional()
+            wtforms.validators.Optional(),
+            hawat.forms.check_null_character
        ]
    )
    groups = QuerySelectMultipleField(

--- a/lib/hawat/blueprints/timeline/forms.py
+++ b/lib/hawat/blueprints/timeline/forms.py
@@ -258,7 +258,8 @@ class SimpleTimelineSearchForm(flask_wtf.FlaskForm):
    description = wtforms.StringField(
        lazy_gettext('Description:'),
        validators=[
-            wtforms.validators.Optional()
+            wtforms.validators.Optional(),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'Specification of event description. Each event may be optionally assigned short descriptive string.')

--- a/lib/hawat/blueprints/users/forms.py
+++ b/lib/hawat/blueprints/users/forms.py
@@ -64,7 +64,8 @@ class BaseUserAccountForm(hawat.forms.BaseItemForm):
        lazy_gettext('Full name:'),
        validators=[
            wtforms.validators.DataRequired(),
-            wtforms.validators.Length(min=3, max=100)
+            wtforms.validators.Length(min=3, max=100),
+            hawat.forms.check_null_character
        ]
    )
    email = wtforms.StringField(
@@ -79,7 +80,8 @@ class BaseUserAccountForm(hawat.forms.BaseItemForm):
        lazy_gettext('Home organization:'),
        validators=[
            wtforms.validators.DataRequired(),
-            wtforms.validators.Length(min=3, max=250)
+            wtforms.validators.Length(min=3, max=250),
+            hawat.forms.check_null_character
        ]
    )
    locale = hawat.forms.SelectFieldWithNone(
@@ -178,7 +180,8 @@ class CreateUserAccountForm(AdminUserAccountForm):
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=50),
            check_login,
-            check_id_existence
+            check_id_existence,
+            hawat.forms.check_null_character
        ]
    )

@@ -199,7 +202,8 @@ class AdminUpdateUserAccountForm(AdminUserAccountForm):
            wtforms.validators.DataRequired(),
            wtforms.validators.Length(min=3, max=50),
            hawat.forms.check_login,
-            check_id_uniqueness
+            check_id_uniqueness,
+            hawat.forms.check_null_character
        ]
    )

@@ -223,7 +227,8 @@ class UserSearchForm(hawat.forms.BaseSearchForm):
        lazy_gettext('Login, name, email:'),
        validators=[
            wtforms.validators.Optional(),
-            wtforms.validators.Length(min=3, max=100)
+            wtforms.validators.Length(min=3, max=100),
+            hawat.forms.check_null_character
        ],
        description=lazy_gettext(
            'User`s login, full name or email address. Search is performed even in the middle of the strings, so for example you may lookup by domain.')

--- a/lib/hawat/forms.py
+++ b/lib/hawat/forms.py
@@ -349,6 +349,19 @@ def check_int_list(_form, field):  # pylint: disable=locally-disabled,unused-arg
            )


+def check_null_character(_form, field):  # pylint: disable=locally-disabled,unused-argument
+    """
+    Callback for validating string fields which should not contain 0x00.
+    """
+    if '\x00' in field.data:
+        raise wtforms.validators.ValidationError(
+            gettext(
+                'The "%(val)s" value cannot contain NUL (0x00) characters.',
+                val=str(field.data)
+            )
+        )
+
+
 def get_available_groups():
    """
    Query the database for list of all available groups.