escape some string

2012-10-16 08:00:10 +02:00 · 2012-10-16 08:00:10 +02:00 · b593b0cfb7
parent f715dcfeaf
commit b593b0cfb7
2 changed files with 43 additions and 3 deletions
--- a/lg.py
+++ b/lg.py
@ -29,7 +29,9 @@ from urllib import quote, unquote
 import json
 import random

-from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_cache_pickle, load_cache_pickle, get_asn_from_as
+from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_cache_pickle, load_cache_pickle, get_asn_from_as, unescape
+from xml.sax.saxutils import escape
+

 import pydot
 from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response
@ -175,9 +177,12 @@ def incorrect_request(e):
 def page_not_found(e):
        return render_template('error.html', warning="The requested URL was not found on the server."), 404

+def sanitized(*args):
+    return tuple( unescape(s) for s in args)

@app.route("/whois/<query>")
 def whois(query):
+    query = sanitized(query)
    if not query.strip():
        abort(400)

@ -200,6 +205,8 @@ SUMMARY_RE_MATCH = r"(?P<name>[\w_]+)\s+(?P<proto>\w+)\s+(?P<table>\w+)\s+(?P<st
@app.route("/summary/<hosts>")
@app.route("/summary/<hosts>/<proto>")
 def summary(hosts, proto="ipv4"):
+    hosts, proto = sanitized(hosts, proto)
+
    set_session("summary", hosts, proto, "")
    command = "show protocols"

@ -229,6 +236,9 @@ def summary(hosts, proto="ipv4"):
@app.route("/detail/<hosts>/<proto>")
 def detail(hosts, proto):
    name = request.args.get('q', '').strip()
+
+    hosts, proto, name= sanitized(hosts, proto, name)
+
    if not name:
        abort(400)

@ -251,6 +261,8 @@ def detail(hosts, proto):
@app.route("/traceroute/<hosts>/<proto>")
 def traceroute(hosts, proto):
    q = request.args.get('q', '').strip()
+    hosts, proto, q = sanitized(hosts, proto, q)
+
    if not q:
        abort(400)

@ -344,6 +356,7 @@ def show_bgpmap():
    """return a bgp map in a png file, from the json tree in q argument"""

    data = request.args.get('q', '').strip()
+    #data = sanitized(data)
    if not data:
        abort(400)

@ -501,7 +514,8 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text):


 def show_route(request_type, hosts, proto):
-    expression = unquote(request.args.get('q', '')).strip()
+    expression = request.args.get('q', '').strip()
+    request_type, hosts, proto, expression = sanitized(request_type, hosts, proto, expression)
    if not expression:
        abort(400)

--- a/toolbox.py
+++ b/toolbox.py
@ -22,7 +22,7 @@
 from dns import resolver
 import socket
 import pickle
-
+import xml.parsers.expat

 def resolve(n, q):
 	return str(resolver.query(n,q)[0])
@ -71,3 +71,29 @@ def load_cache_pickle(filename, default = None):
 	pkl_file.close()
 	return data

+def unescape(s):
+    want_unicode = False
+    if isinstance(s, unicode):
+        s = s.encode("utf-8")
+        want_unicode = True
+
+    # the rest of this assumes that `s` is UTF-8
+    list = []
+
+    # create and initialize a parser object
+    p = xml.parsers.expat.ParserCreate("utf-8")
+    p.buffer_text = True
+    p.returns_unicode = want_unicode
+    p.CharacterDataHandler = list.append
+
+    # parse the data wrapped in a dummy element
+    # (needed so the "document" is well-formed)
+    p.Parse("<e>", 0)
+    p.Parse(s, 0)
+    p.Parse("</e>", 1)
+
+    # join the extracted strings and return
+    es = ""
+    if want_unicode:
+        es = u""
+    return es.join(list)