/api/delete_sr_image: Ensure valid name submitted.

Previously, if an invalid image name were passed to this endpoint, it would fail because VCssName would return an empty string and we'd never check for the validity of the value. Fixes reddit/reddit#883.
2026-01-28 08:17:58 -05:00 · 2013-08-21 15:31:34 -07:00
parent 8d4ba3971b
commit fac84e86c3
1 changed files with 4 additions and 0 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -1655,6 +1655,10 @@ class ApiController(RedditController, OAuth2ResourceController):
        # just in case we need to kill this feature from XSS
        if g.css_killswitch:
            return self.abort(403,'forbidden')
+
+        if form.has_errors("img_name", errors.BAD_CSS_NAME):
+            return
+
        wiki.ImagesByWikiPage.delete_image(c.site, "config/stylesheet", name)
        ModAction.create(c.site, c.user, action='editsettings', 
                         details='del_image', description=name)