Experiment: Remove character whitelist for tag names.

I have always felt bad about forbidding unicode in tag names, but I want to make sure I have a grip on sanitization / preventing abuse before allowing it. I think stripping control characters is enough and any abuse can be handled manually. Of course that's all fiction because there are no users except myself.
2020-09-17 18:52:00 -07:00 · 2020-09-17 18:52:00 -07:00 · 39b7f3cd98
parent 26b9371f26
commit 39b7f3cd98
3 changed files with 10 additions and 8 deletions
--- a/etiquette/constants.py
+++ b/etiquette/constants.py
@ -291,7 +291,7 @@ DEFAULT_CONFIGURATION = {
    'tag': {
        'min_length': 1,
        'max_length': 32,
-        'valid_chars': string.ascii_lowercase + string.digits + '_()',
+        # 'valid_chars': string.ascii_lowercase + string.digits + '_()',
    },

    'user': {
--- a/etiquette/objects.py
+++ b/etiquette/objects.py
@ -1206,17 +1206,19 @@ class Tag(ObjectBase, GroupableMixin):
        return description

    @staticmethod
-    def normalize_name(name, valid_chars=None, min_length=None, max_length=None):
+    def normalize_name(name, min_length=None, max_length=None):
        original_name = name
-        if valid_chars is None:
-            valid_chars = constants.DEFAULT_CONFIGURATION['tag']['valid_chars']
+        # if valid_chars is None:
+        #     valid_chars = constants.DEFAULT_CONFIGURATION['tag']['valid_chars']

-        name = name.lower().strip()
-        name = name.strip('.+')
+        name = name.lower()
+        name = helpers.remove_control_characters(name)
+        name = name.strip(' .+')
        name = name.split('+')[0].split('.')[-1]
        name = name.replace('-', '_')
        name = name.replace(' ', '_')
-        name = ''.join(c for c in name if c in valid_chars)
+        name = name.replace('=', '')
+        # name = ''.join(c for c in name if c in valid_chars)

        if min_length is not None and len(name) < min_length:
            raise exceptions.TagTooShort(original_name)
--- a/etiquette/photodb.py
+++ b/etiquette/photodb.py
@ -1192,7 +1192,7 @@ class PDBTagMixin:
    def normalize_tagname(self, tagname):
        tagname = objects.Tag.normalize_name(
            tagname,
-            valid_chars=self.config['tag']['valid_chars'],
+            # valid_chars=self.config['tag']['valid_chars'],
            min_length=self.config['tag']['min_length'],
            max_length=self.config['tag']['max_length'],
        )