More validation for script names

larigira/audioform_script.py

@@ -1,5 +1,5 @@
 from flask_wtf import Form
-from wtforms import StringField, validators, SubmitField
+from wtforms import StringField, validators, SubmitField, ValidationError
 
 
 class ScriptAudioForm(Form):
@@ -11,6 +11,11 @@ class ScriptAudioForm(Form):
                        description='arguments, separated by spaces')
     submit = SubmitField(u'Submit')
 
+    def validate_name(form, field):
+        if '/' in field.data:
+            raise ValidationError("Name cannot have slashes: "
+                                  "it's a name, not a path")
+
 
 def scriptaudio_receive(form):
     return {

larigira/audiogen_script.py

@@ -35,6 +35,9 @@ def generate(spec):
         if attr not in spec:
             raise ValueError("Malformed audiospec: missing '%s'" % attr)
 
+    if '/' in spec['name']:
+        raise ValueError("Script name is a filename, not a path ({} provided)"
+                         .format(spec['name']))
     scriptpath = os.path.join(conf['SCRIPTS_PATH'], spec['name'])
     if not os.path.exists(scriptpath):
         raise ValueError("Script %s not found", spec['name'])