From 84ff2e13d4007247b07ce20b8a12a9cb64d9ee2f Mon Sep 17 00:00:00 2001
From: Thomas Kriechbaumer <thomas@kriechbaumer.name>
Date: Sat, 4 Jan 2020 13:19:43 +0100
Subject: [PATCH] sanitize filename and forbid certain characters

---
 CHANGELOG.md                     |  3 +++
 DuetRRFOutputDevice.py           | 18 ++++++++++++++++--
 plugin.json                      |  2 +-
 resources/qml/UploadFilename.qml |  4 ++--
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 37c8b8e..cb5b3b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog of Cura-DuetRRFPlugin
 
+## v1.0.5: 2019-11-10
+  * sanitize filename and forbid certain characters
+
 ## v1.0.4: 2019-11-10
   * bump compatibility for Cura 4.4 / API 7.0
 
diff --git a/DuetRRFOutputDevice.py b/DuetRRFOutputDevice.py
index e2fae61..e80445b 100644
--- a/DuetRRFOutputDevice.py
+++ b/DuetRRFOutputDevice.py
@@ -131,11 +131,25 @@ def requestWrite(self, node, fileName=None, *args, **kwargs):
         self._dialog.findChild(QObject, "nameField").setProperty('focus', True)
 
     def onFilenameChanged(self):
-        fileName = self._dialog.findChild(QObject, "nameField").property('text')
+        fileName = self._dialog.findChild(QObject, "nameField").property('text').strip()
+
+        forbidden_characters = "\"'´`<>()[]?*\,;:&%#$!"
+        for forbidden_character in forbidden_characters:
+            if forbidden_character in fileName:
+                self._dialog.setProperty('validName', False)
+                self._dialog.setProperty('validationError', 'Filename cannot contain {}'.format(forbidden_characters))
+                return
+
+        if fileName == '.' or fileName == '..':
+            self._dialog.setProperty('validName', False)
+            self._dialog.setProperty('validationError', 'Filename cannot be "." or ".."')
+            return
+
         self._dialog.setProperty('validName', len(fileName) > 0)
+        self._dialog.setProperty('validationError', 'Filename too short')
 
     def onFilenameAccepted(self):
-        self._fileName = self._dialog.findChild(QObject, "nameField").property('text')
+        self._fileName = self._dialog.findChild(QObject, "nameField").property('text').strip()
         if not self._fileName.endswith('.gcode') and '.' not in self._fileName:
             self._fileName += '.gcode'
         Logger.log("d", self._name_id + " | Filename set to: " + self._fileName)
diff --git a/plugin.json b/plugin.json
index a76e573..2a91a12 100644
--- a/plugin.json
+++ b/plugin.json
@@ -2,6 +2,6 @@
     "name": "DuetRRF",
     "author": "Thomas Kriechbaumer",
     "description": "Upload and Print to DuetWifi / DuetEthernet / Duet Maestro with RepRapFirmware.",
-    "version": "1.0.4",
+    "version": "1.0.5",
     "api": "7.0.0"
 }
diff --git a/resources/qml/UploadFilename.qml b/resources/qml/UploadFilename.qml
index 5552b41..74e9005 100644
--- a/resources/qml/UploadFilename.qml
+++ b/resources/qml/UploadFilename.qml
@@ -39,8 +39,8 @@ UM.Dialog
             text: base.object;
             maximumLength: 100;
             onTextChanged: base.textChanged(text);
-            Keys.onReturnPressed: base.accept();
-            Keys.onEnterPressed: base.accept();
+            Keys.onReturnPressed: { if (base.validName) base.accept(); }
+            Keys.onEnterPressed: { if (base.validName) base.accept(); }
             Keys.onEscapePressed: base.reject();
         }