From fac84e86c3ed36305aae18c4c6d0c5a4e3a00b24 Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Wed, 21 Aug 2013 15:31:34 -0700
Subject: [PATCH] /api/delete_sr_image: Ensure valid name submitted.

Previously, if an invalid image name were passed to this endpoint, it would fail because VCssName would return an empty string and we'd never check for the validity of the value.

Fixes reddit/reddit#883.
---
 r2/r2/controllers/api.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 4f446ad38..8b332871f 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -1655,6 +1655,10 @@ class ApiController(RedditController, OAuth2ResourceController):
         # just in case we need to kill this feature from XSS
         if g.css_killswitch:
             return self.abort(403,'forbidden')
+
+        if form.has_errors("img_name", errors.BAD_CSS_NAME):
+            return
+
         wiki.ImagesByWikiPage.delete_image(c.site, "config/stylesheet", name)
         ModAction.create(c.site, c.user, action='editsettings', details='del_image', description=name)
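Review bot: The new guard only stops the delete when the validator has recorded BAD_CSS_NAME on `img_name`; the commit message says VCssName yields an empty string for bad input, so if any path returns `""` without also flagging the form (a missing parameter, for instance), `delete_image` and `ModAction.create` still run with `name == ""`. A belt-and-braces check on the value itself closes that, e.g. `if form.has_errors("img_name", errors.BAD_CSS_NAME) or not name: return`. It is also worth a one-line comment on the bare `return`, since the early exit relies on `has_errors` having already attached the error to the form for the caller, e.g. `# has_errors() reports BAD_CSS_NAME on the form; nothing more to do here`. The enclosing handler (its validators and where `name` is bound) starts before this hunk, so whether the validator and this check agree cannot be confirmed from the visible lines.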