From 0181086d0f940cdd18e0b1083425cdc80792087d Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Mon, 28 Jan 2019 22:02:16 -0800
Subject: [PATCH] streams: Improve validation for arguments to stream creation.

This doesn't have any security impact, since we overwrote any other fields in any case, and also this step happens before the security part of input validation for stream creation. But this does improve error messages if one tries to specify other arguments, and also makes more clear that the `description` argument is supported here.
---
 zerver/views/streams.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/zerver/views/streams.py b/zerver/views/streams.py
index c1ae576b66..e9da7b6a5c 100644
--- a/zerver/views/streams.py
+++ b/zerver/views/streams.py
@@ -29,7 +29,7 @@ from zerver.lib.streams import access_stream_by_id, access_stream_by_name, \
     list_to_streams, access_stream_for_delete_or_update, access_default_stream_group_by_id
 from zerver.lib.topic import get_topic_history_for_stream
 from zerver.lib.validator import check_string, check_int, check_list, check_dict, \
-    check_bool, check_variable_type, check_capped_string, check_color
+    check_bool, check_variable_type, check_capped_string, check_color, check_dict_only
 from zerver.models import UserProfile, Stream, Realm, Subscription, \
     Recipient, get_recipient, get_stream, \
     get_system_bot, get_active_user
@@ -279,8 +279,12 @@ def you_were_just_subscribed_message(acting_user: UserProfile,
 def add_subscriptions_backend(
         request: HttpRequest, user_profile: UserProfile,
         streams_raw: Iterable[Mapping[str, str]]=REQ(
-            "subscriptions", validator=check_list(check_dict(
-                [('name', check_string)], optional_keys=[('color', check_color)]))),
+            "subscriptions", validator=check_list(check_dict_only(
+                [('name', check_string)], optional_keys=[
+                    ('color', check_color),
+                    ('description', check_capped_string(Stream.MAX_DESCRIPTION_LENGTH)),
+                ])
+            )),
         invite_only: bool=REQ(validator=check_bool, default=False),
         is_announcement_only: bool=REQ(validator=check_bool, default=False),
         history_public_to_subscribers: Optional[bool]=REQ(validator=check_bool, default=None),
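Review bot: The new `description` entry in `optional_keys` enforces only a length cap via check_capped_string(Stream.MAX_DESCRIPTION_LENGTH), so any content normalization the existing stream-update path applies to descriptions (rejecting or stripping newlines, for instance) presumably does not run on this creation path; if such a step exists, it should also run here before the value is handed to list_to_streams, otherwise the two entry points accept different descriptions for the same field. The switch to check_dict_only is the substantive tightening, since unrecognized keys now produce a validation error instead of being silently dropped, which matches the commit message but is not obvious from the signature alone; a comment above the `optional_keys` list would help, e.g. `# check_dict_only rejects unrecognized keys, so a misspelled field is a 400 rather than silently ignored.` The body of add_subscriptions_backend continues past the end of this hunk, so where `description` is actually consumed is not visible here.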