From 0bc6d60fbe903d2a7052ee7f73b16701bda75a2a Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Sat, 28 Jul 2012 20:19:15 -0500
Subject: [PATCH] increased security in appadmin
---
 Makefile | 10 +++----
 VERSION | 2 +-
 applications/admin/controllers/appadmin.py | 27 ++++++++++++-------
 applications/admin/views/appadmin.html | 5 +---
 applications/examples/controllers/appadmin.py | 27 ++++++++++++-------
 applications/examples/views/appadmin.html | 5 +---
 applications/welcome/controllers/appadmin.py | 27 ++++++++++++-------
 applications/welcome/views/appadmin.html | 5 +---
 8 files changed, 63 insertions(+), 45 deletions(-)
diff --git a/Makefile b/Makefile
index cc599250..c433d751 100644
--- a/Makefile
+++ b/Makefile
@@ -43,11 +43,11 @@ src:
 rm -f applications/admin/uploads/*
 rm -f applications/welcome/uploads/*
 rm -f applications/examples/uploads/*
- ### make admin layout and appadmin the default
- cp applications/admin/views/appadmin.html applications/welcome/views
- cp applications/admin/views/appadmin.html applications/examples/views
- cp applications/admin/controllers/appadmin.py applications/welcome/controllers
- cp applications/admin/controllers/appadmin.py applications/examples/controllers
+ ### make welcome layout and appadmin the default
+ cp applications/welcome/views/appadmin.html applications/admin/views
+ cp applications/welcome/views/appadmin.html applications/examples/views
+ cp applications/welcome/controllers/appadmin.py applications/admin/controllers
+ cp applications/welcome/controllers/appadmin.py applications/examples/controllers
 ### build web2py_src.zip
 echo '' > NEWINSTALL
 mv web2py_src.zip web2py_src_old.zip | echo 'no old'
diff --git a/VERSION b/VERSION
index c259e5c0..7cce570c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.00.0 (2012-07-28 19:28:33) dev
+Version 2.00.0 (2012-07-28 20:19:12) dev
diff --git a/applications/admin/controllers/appadmin.py b/applications/admin/controllers/appadmin.py
index b8eccf9e..71ff7876 100644
--- a/applications/admin/controllers/appadmin.py
+++ b/applications/admin/controllers/appadmin.py
@@ -199,17 +199,8 @@ def select():
 _class='delete', _type='checkbox', value=False), ''), TR('', '', INPUT(_type='submit', _value=T('submit')))), _action=URL(r=request,args=request.args))
- if request.vars.csvfile != None:
- try:
- import_csv(db[request.vars.table],
- request.vars.csvfile.file)
- response.flash = T('data uploaded')
- except Exception, e:
- response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
 if form.accepts(request.vars, formname=None):
-# regex = re.compile(request.args[0] + '\.(?P\w+)\.id\>0')
 regex = re.compile(request.args[0] + '\.(?P
\w+)\..+')
- match = regex.match(form.vars.query.strip())
 if match: table = match.group('table')
@@ -230,6 +221,23 @@ def select():
 except Exception, e:
 (rows, nrows) = ([], 0)
 response.flash = DIV(T('Invalid Query'),PRE(str(e)))
+ # begin handle upload csv
+ if table:
+ formcsv = FORM(str(T('or import from csv file'))+" ",
+ INPUT(_type='file',_name='csvfile'),
+ INPUT(_type='hidden',_value=table,_name='table'),
+ INPUT(_type='submit',_value=T('import')))
+ else:
+ formcsv = None
+ if formcsv and formcsv.process().accepted and request.vars.csvfile:
+ try:
+ import_csv(db[request.vars.table],
+ request.vars.csvfile.file)
+ response.flash = T('data uploaded')
+ except Exception, e:
+ response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
+ # end handle upload csv
+
 return dict(
 form=form,
 table=table,
@@ -238,6 +246,7 @@ def select():
 nrows=nrows, rows=rows, query=request.vars.query,
+ formcsv = formcsv,
 )
diff --git a/applications/admin/views/appadmin.html b/applications/admin/views/appadmin.html
index 73c4ae47..02c90b0e 100644
--- a/applications/admin/views/appadmin.html
+++ b/applications/admin/views/appadmin.html
@@ -62,10 +62,7 @@ {{pass}}
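Review bot: The import target in the new csv block is still taken from the client-controlled hidden field, `import_csv(db[request.vars.table], request.vars.csvfile.file)`, even though the form is only built once `table` has been resolved from the query regex anchored on `request.args[0]`; binding the import to that resolved name, `import_csv(db[table], request.vars.csvfile.file)`, makes the target independent of a tampered `table` field and leaves the hidden input purely informational. The handler around it is otherwise unchanged, so `str(e)` still lands in the flash as before this commit. The same block is repeated verbatim in applications/examples/controllers/appadmin.py and applications/welcome/controllers/appadmin.py, and the Makefile hunk now copies the welcome version over the other two, so the fix belongs in welcome. Minor style in the 238 hunk: `formcsv = formcsv,` should be `formcsv=formcsv,` to match the surrounding keyword arguments. select() begins and ends outside these hunks.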

{{=T("Import/Export")}}


[ {{=T("export as csv file")}} ]
- {{if table:}}
- {{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
- {{pass}}
-
+ {{=formcsv or ''}}
 {{elif request.function=='insert':}}

{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}
diff --git a/applications/examples/controllers/appadmin.py b/applications/examples/controllers/appadmin.py
index b8eccf9e..71ff7876 100644
--- a/applications/examples/controllers/appadmin.py
+++ b/applications/examples/controllers/appadmin.py
@@ -199,17 +199,8 @@ def select():
 _class='delete', _type='checkbox', value=False), ''), TR('', '', INPUT(_type='submit', _value=T('submit')))), _action=URL(r=request,args=request.args))
- if request.vars.csvfile != None:
- try:
- import_csv(db[request.vars.table],
- request.vars.csvfile.file)
- response.flash = T('data uploaded')
- except Exception, e:
- response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
 if form.accepts(request.vars, formname=None):
-# regex = re.compile(request.args[0] + '\.(?P

\w+)\.id\>0')
 regex = re.compile(request.args[0] + '\.(?P
\w+)\..+')
- match = regex.match(form.vars.query.strip())
 if match: table = match.group('table')
@@ -230,6 +221,23 @@ def select():
 except Exception, e:
 (rows, nrows) = ([], 0)
 response.flash = DIV(T('Invalid Query'),PRE(str(e)))
+ # begin handle upload csv
+ if table:
+ formcsv = FORM(str(T('or import from csv file'))+" ",
+ INPUT(_type='file',_name='csvfile'),
+ INPUT(_type='hidden',_value=table,_name='table'),
+ INPUT(_type='submit',_value=T('import')))
+ else:
+ formcsv = None
+ if formcsv and formcsv.process().accepted and request.vars.csvfile:
+ try:
+ import_csv(db[request.vars.table],
+ request.vars.csvfile.file)
+ response.flash = T('data uploaded')
+ except Exception, e:
+ response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
+ # end handle upload csv
+
 return dict(
 form=form,
 table=table,
@@ -238,6 +246,7 @@ def select():
 nrows=nrows, rows=rows, query=request.vars.query,
+ formcsv = formcsv,
 )
diff --git a/applications/examples/views/appadmin.html b/applications/examples/views/appadmin.html
index 73c4ae47..02c90b0e 100644
--- a/applications/examples/views/appadmin.html
+++ b/applications/examples/views/appadmin.html
@@ -62,10 +62,7 @@ {{pass}}

{{=T("Import/Export")}}


[ {{=T("export as csv file")}} ]
- {{if table:}}
- {{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
- {{pass}}
-
+ {{=formcsv or ''}}
 {{elif request.function=='insert':}}

{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}
diff --git a/applications/welcome/controllers/appadmin.py b/applications/welcome/controllers/appadmin.py
index b8eccf9e..71ff7876 100644
--- a/applications/welcome/controllers/appadmin.py
+++ b/applications/welcome/controllers/appadmin.py
@@ -199,17 +199,8 @@ def select():
 _class='delete', _type='checkbox', value=False), ''), TR('', '', INPUT(_type='submit', _value=T('submit')))), _action=URL(r=request,args=request.args))
- if request.vars.csvfile != None:
- try:
- import_csv(db[request.vars.table],
- request.vars.csvfile.file)
- response.flash = T('data uploaded')
- except Exception, e:
- response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
 if form.accepts(request.vars, formname=None):
-# regex = re.compile(request.args[0] + '\.(?P

\w+)\.id\>0')
 regex = re.compile(request.args[0] + '\.(?P
\w+)\..+')
- match = regex.match(form.vars.query.strip())
 if match: table = match.group('table')
@@ -230,6 +221,23 @@ def select():
 except Exception, e:
 (rows, nrows) = ([], 0)
 response.flash = DIV(T('Invalid Query'),PRE(str(e)))
+ # begin handle upload csv
+ if table:
+ formcsv = FORM(str(T('or import from csv file'))+" ",
+ INPUT(_type='file',_name='csvfile'),
+ INPUT(_type='hidden',_value=table,_name='table'),
+ INPUT(_type='submit',_value=T('import')))
+ else:
+ formcsv = None
+ if formcsv and formcsv.process().accepted and request.vars.csvfile:
+ try:
+ import_csv(db[request.vars.table],
+ request.vars.csvfile.file)
+ response.flash = T('data uploaded')
+ except Exception, e:
+ response.flash = DIV(T('unable to parse csv file'),PRE(str(e)))
+ # end handle upload csv
+
 return dict(
 form=form,
 table=table,
@@ -238,6 +246,7 @@ def select():
 nrows=nrows, rows=rows, query=request.vars.query,
+ formcsv = formcsv,
 )
diff --git a/applications/welcome/views/appadmin.html b/applications/welcome/views/appadmin.html
index 73c4ae47..02c90b0e 100644
--- a/applications/welcome/views/appadmin.html
+++ b/applications/welcome/views/appadmin.html
@@ -62,10 +62,7 @@ {{pass}}

{{=T("Import/Export")}}


[ {{=T("export as csv file")}} ]
- {{if table:}}
- {{=FORM(str(T('or import from csv file'))+" ",INPUT(_type='file',_name='csvfile'),INPUT(_type='hidden',_value=table,_name='table'),INPUT(_type='submit',_value=T('import')))}}
- {{pass}}
-
+ {{=formcsv or ''}}
 {{elif request.function=='insert':}}

{{=T("database")}} {{=A(request.args[0],_href=URL('index'))}}