Fix validating uploads post-"storify" removal.

Refactoring out the old "storify" function and duplicated request data params changed the semantics of file uploads. Uploads are now presented as cgi.FieldStorage values to our validators, and need to be referenced by their `.value` property to get the data.
2026-01-28 00:07:57 -05:00 · 2013-09-30 16:09:46 -07:00
parent e692b01b01
commit b547a11d00
3 changed files with 17 additions and 3 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -1728,7 +1728,7 @@ class ApiController(RedditController, OAuth2ResourceController):
    @require_oauth2_scope("modconfig")
    @validate(VSrModerator(perms='config'),
              VModhash(),
-              file = VLength('file', max_length=1024*500),
+              file = VUploadLength('file', max_length=1024*500),
              name = VCssName("name"),
              img_type = VImageType('img_type'),
              form_id = VLength('formid', max_length = 100), 
--- a/r2/r2/controllers/promotecontroller.py
+++ b/r2/r2/controllers/promotecontroller.py
@@ -87,6 +87,7 @@ from r2.lib.validator import (
    VSponsorAdminOrAdminSecret,
    VSubmitSR,
    VTitle,
+    VUploadLength,
    VUrl,
 )
 from r2.models import (
@@ -775,7 +776,7 @@ class PromoteController(ListingController):

    @validate(VSponsor("link_id"),
              link=VByName('link_id'),
-              file=VLength('file', 500 * 1024),
+              file=VUploadLength('file', 500*1024),
              img_type=VImageType('img_type'))
    def POST_link_thumb(self, link=None, file=None, img_type='jpg'):
        if link and (not promote.is_promoted(link) or
--- a/r2/r2/lib/validator/validator.py
+++ b/r2/r2/lib/validator/validator.py
@@ -20,6 +20,7 @@
 # Inc. All Rights Reserved.
 ###############################################################################

+import cgi
 import json

 from pylons import c, g, request, response
@@ -112,7 +113,11 @@ class Validator(object):
        a = []
        if self.param:
            for p in utils.tup(self.param):
-                if self.post and request.POST.get(p):
+                # cgi.FieldStorage is falsy even if it has a filled value
+                # property. :(
+                post_val = request.POST.get(p)
+                if self.post and (post_val or
+                                  isinstance(post_val, cgi.FieldStorage)):
                    val = request.POST[p]
                elif self.get and request.GET.get(p):
                    val = request.GET[p]
@@ -553,6 +558,14 @@ class VLength(Validator):
        else:
            return text

+class VUploadLength(VLength):
+    def run(self, upload, text2=''):
+        # upload is expected to be a FieldStorage object
+        if isinstance(upload, cgi.FieldStorage):
+            return VLength.run(self, upload.value, text2)
+        else:
+            self.set_error(self.empty_error, code=400)
+
 class VPrintable(VLength):
    def run(self, text, text2 = ''):
        text = VLength.run(self, text, text2)