From ee81ba4a41198c7798f4116ad6bd701e1c537d53 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Wed, 21 Jul 2010 14:28:54 -0400
Subject: [PATCH] Sanitize input tags

---
 cookbook/server.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/cookbook/server.py b/cookbook/server.py
index 81f8208..839afa2 100644
--- a/cookbook/server.py
+++ b/cookbook/server.py
@@ -20,6 +20,7 @@
 import os
 import random
+import re
 import types
 from xml.sax import saxutils
@@ -34,6 +35,7 @@ class Server (object):
 self.cookbook = cookbook
 self.cookbook.make_index()
 self.env = Environment(loader=FileSystemLoader(template_root))
+ self.tag_regexp = re.compile('[a-zA-Z./ ].*') # allowed characters
 def cleanup(self):
 #self.cookbook.save('new-recipe')
@@ -73,6 +75,9 @@ class Server (object):
 recipe = self.cookbook.index[name]
 if recipe.tags == None:
 recipe.tags = []
+ tag = self._clean_tag(tag)
+ if tag == None:
+ return
 if tag not in recipe.tags:
 recipe.tags.append(tag)
 with open(recipe.path, 'w') as f:
@@ -88,6 +93,9 @@ class Server (object):
 recipe = self.cookbook.index[name]
 if recipe.tags == None:
 return
+ tag = self._clean_tag(tag)
+ if tag == None:
+ return
 if tag in recipe.tags:
 recipe.tags.remove(tag)
 with open(recipe.path, 'w') as f:
@@ -95,6 +103,14 @@ class Server (object):
 raise cherrypy.HTTPRedirect(
 'recipe?name=%s' % recipe.clean_name(), status=302)
+ def _clean_tag(self, tag):
+ """Sanitize tag."""
+ tags = []
+ m = self.tag_regexp.match(t)
+ if m != None:
+ return m.group()
+ return None
+
 def test():
 import doctest
--
2.26.2
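Review bot: The pattern `'[a-zA-Z./ ].*'` on the added `self.tag_regexp` line constrains only the first character of a tag; the trailing `.*` accepts anything after it, so combined with `match()` and `m.group()` in the last hunk an input such as `a<b>...` comes back untouched and only tags whose first character is outside the class are rejected. The `# allowed characters` comment therefore describes an intent the pattern does not implement. Anchoring the whole string and requiring at least one allowed character, `self.tag_regexp = re.compile(r'^[a-zA-Z./ ]+\Z')  # whole tag must be allowed chars`, makes the helper reject rather than pass through bad input; `\Z` rather than `$` so a trailing newline is not accepted. Whether digits, `-` or `_` should also be permitted is a product decision the patch does not settle, and the enclosing method starts before this hunk.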
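Review bot: The added `if tag == None: return` exits the add handler with `None` when `_clean_tag` rejects the input, skipping the file write and, presumably, the `HTTPRedirect` that ends these handlers (this method's tail is outside the hunk, but the sibling handler in the last hunk ends with `raise cherrypy.HTTPRedirect(...)`), so the browser receives an empty page with no indication the tag was dropped. An explicit rejection is harder to mistake for success: `raise cherrypy.HTTPError(400, 'invalid tag')`, or a redirect back to the recipe page as the success path does. A short comment such as `# reject rather than store a tag containing disallowed characters` would also record why the handler bails here.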
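Review bot: The added `if tag == None:` compares to `None` with `==`; in new code write `if tag is None:` (identity, not equality, and immune to objects overriding `__eq__`), even though the surrounding `if recipe.tags == None:` context line uses the older form. As in the add handler, the bare `return` on rejection leaves the request without the redirect that closes this method in the next hunk, so a rejected tag renders as an empty page rather than an error; `raise cherrypy.HTTPError(400, 'invalid tag')` would make the outcome explicit. The handler's `def` line is outside this hunk.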
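Review bot: `_clean_tag` calls `self.tag_regexp.match(t)` but its parameter is named `tag`, so every call raises `NameError` and both tag handlers fail before writing anything; the line should read `m = self.tag_regexp.match(tag)`, and the unused `tags = []` local should go. Note also that `m.group()` returns the entire match, so with the unanchored `[a-zA-Z./ ].*` pattern compiled onto `self.tag_regexp` in an earlier hunk the helper hands back the whole tag whenever its first character is allowed — the sanitizing depends entirely on that pattern being anchored to the full string. A docstring such as `"""Return *tag* if it consists only of allowed characters, else None."""` would state the contract the callers rely on, and `if m is not None:` is the idiomatic comparison.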