Commit cd4b3352 authored by Jérome Perrin's avatar Jérome Perrin Committed by Arnaud Fontaine

DCWorkflowGraph: do not pass request params to os.system for security reasons.

Also, remove the code in ERP5Workflow that was copied and pasted from
DCWorkflowGraph, and allow getPOT() to be overridden, as ERP5Workflow does.
Signed-off-by: Arnaud Fontaine's avatarArnaud Fontaine <arnaud.fontaine@nexedi.com>
parent 40d9891d
...@@ -77,6 +77,7 @@ DCWorkflowGraph.getObjectTitle = getObjectTitle ...@@ -77,6 +77,7 @@ DCWorkflowGraph.getObjectTitle = getObjectTitle
from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE
from tempfile import NamedTemporaryFile from tempfile import NamedTemporaryFile
from zLOG import LOG, WARNING from zLOG import LOG, WARNING
import subprocess
def getGraph(self, wf_id="", format="png", REQUEST=None): def getGraph(self, wf_id="", format="png", REQUEST=None):
"""show a workflow as a graph, copy from: """show a workflow as a graph, copy from:
...@@ -91,10 +92,10 @@ def getGraph(self, wf_id="", format="png", REQUEST=None): ...@@ -91,10 +92,10 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
match Japanese font or to use Unifont which supports many code points. match Japanese font or to use Unifont which supports many code points.
""" """
try: try:
pot = DCWorkflowGraph.getPOT(self, wf_id, REQUEST) pot = self.getPOT(wf_id, REQUEST)
except TypeError: except TypeError:
# DCWorkflowGraph < 0.4 # DCWorkflowGraph < 0.4
pot = DCWorkflowGraph.getPOT(self, wf_id) pot = self.getPOT(wf_id)
try: try:
encoding = self.portal_properties.site_properties.getProperty( encoding = self.portal_properties.site_properties.getProperty(
'default_charset', 'utf-8') 'default_charset', 'utf-8')
...@@ -113,10 +114,15 @@ def getGraph(self, wf_id="", format="png", REQUEST=None): ...@@ -113,10 +114,15 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
if format != 'dot': if format != 'dot':
with NamedTemporaryFile(suffix='.%s' % format) as outfile: with NamedTemporaryFile(suffix='.%s' % format) as outfile:
os.system('%s -Nfontname="IPAexGothic" -Nfontsize=10 ' subprocess.call((DCWorkflowGraph.bin_search(DOT_EXE),
'-Efontname="IPAexGothic" -Efontsize=10 -T%s ' '-Nfontname="IPAexGothic"',
'-o %s %s' % (DCWorkflowGraph.bin_search(DOT_EXE), '-Nfontsize=10',
format, outfile, infile)) '-Efontname="IPAexGothic"',
'-Efontsize=10',
'-T%s' % format,
'-o',
outfile.name,
infile.name))
result = outfile.read() result = outfile.read()
...@@ -134,5 +140,8 @@ def getGraph(self, wf_id="", format="png", REQUEST=None): ...@@ -134,5 +140,8 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
return result return result
DCWorkflowGraph.getGraph = getGraph
from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
DCWorkflowDefinition.getGraph = getGraph DCWorkflowDefinition.getGraph = getGraph
DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT
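Review bot: `format` is still used unvalidated in the `subprocess.call` hunk of this section: it is interpolated into `NamedTemporaryFile(suffix='.%s' % format)` and into `'-T%s' % format`, and the commit title treats it as a request parameter. Dropping the shell removes the command-injection path, but an allow-list check before the `if format != 'dot':` branch would keep arbitrary strings out of the temporary file name and the dot option, e.g. `if format not in ALLOWED_FORMATS: raise ValueError(format)`, where `ALLOWED_FORMATS` is a placeholder for the set the project supports. Separately, the double quotes in `'-Nfontname="IPAexGothic"'` and `'-Efontname="IPAexGothic"'` were previously consumed by the shell and are now passed to dot literally, so `'-Nfontname=IPAexGothic'` is probably what is intended. The return value of `subprocess.call` is also ignored, so a failed dot run is indistinguishable from success and the caller gets whatever `outfile.read()` returns. getGraph's body starts and ends outside the hunk.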
...@@ -34,7 +34,7 @@ from Products.ERP5Type.XMLObject import XMLObject ...@@ -34,7 +34,7 @@ from Products.ERP5Type.XMLObject import XMLObject
from tempfile import mktemp from tempfile import mktemp
import os import os
from Products.DCWorkflowGraph.config import DOT_EXE from Products.DCWorkflowGraph.config import DOT_EXE
from Products.DCWorkflowGraph.DCWorkflowGraph import bin_search from Products.DCWorkflowGraph.DCWorkflowGraph import bin_search, getGraph
from Globals import PersistentMapping from Globals import PersistentMapping
from Acquisition import aq_base from Acquisition import aq_base
...@@ -143,26 +143,9 @@ class Workflow(XMLObject): ...@@ -143,26 +143,9 @@ class Workflow(XMLObject):
## Graph ## ## Graph ##
############ ############
def getGraph(self, format="gif", REQUEST=None, *args, **kw): getGraph = getGraph
"""
show a workflow as a graph, copy from: def getPOT(self, *args, **kwargs):
"OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz
"""
pot = self.getPOT()
infile = mktemp('.dot')
f = open(infile, 'w')
f.write(pot)
f.close()
outfile = mktemp('.%s' % format)
os.system('%s -T%s -o %s %s' % (bin_search(DOT_EXE), format, outfile, infile))
out = open(outfile, 'rb')
result = out.read()
out.close()
os.remove(infile)
os.remove(outfile)
return result
def getPOT(self):
""" """
get the pot, copy from: get the pot, copy from:
"dcworkfow2dot.py":http://awkly.org/Members/sidnei/weblog_storage/blog_27014 "dcworkfow2dot.py":http://awkly.org/Members/sidnei/weblog_storage/blog_27014
......
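Review bot: `from Products.DCWorkflowGraph.DCWorkflowGraph import bin_search, getGraph` binds whatever `getGraph` is on that module at import time, so the class attribute `getGraph = getGraph` only gets the subprocess-based version if the module that assigns `DCWorkflowGraph.getGraph = getGraph` has already been imported; otherwise it would presumably pick up the product's own implementation. Importing the patched function from the patch module itself, or stating the dependency with a comment such as `# relies on the DCWorkflowGraph patch being applied before this import`, would make that explicit. `mktemp` and `os` remain imported at the top of the file; if the removed method was their only user (not visible here) they can be dropped, and `mktemp` in particular is race-prone and best not left available. The shared function also defaults to `format="png"` and takes `wf_id` as its first argument, whereas the removed method defaulted to `"gif"`, so callers that pass `format` positionally should be checked.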