From 10cb40ffa6ffbcc58611af9e8c723357d12d7af3 Mon Sep 17 00:00:00 2001
From: Stefano Maggiolo <s.maggiolo@gmail.com>
Date: Wed, 7 Dec 2016 20:46:53 +0000
Subject: [PATCH] Do not allow users to submit zip files when we need language
 detection

It is not the use case (it was done mostly for output only), and I
think it's broken now as we look for files called "filename.%l" when
the files in the zip are obviously called something like
"filename.cpp".
---
 cms/server/contest/handlers/tasksubmission.py | 18 +++++++++++++--
 cms/server/contest/handlers/taskusertest.py   | 23 +++++++++++++++----
 .../contest/templates/task_submissions.html   |  2 +-
 .../contest/templates/test_interface.html     |  2 ++
 4 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/cms/server/contest/handlers/tasksubmission.py b/cms/server/contest/handlers/tasksubmission.py
index b401c80931..dcaf194953 100644
--- a/cms/server/contest/handlers/tasksubmission.py
+++ b/cms/server/contest/handlers/tasksubmission.py
@@ -160,6 +160,9 @@ def post(self, task_name):
             self.redirect("/tasks/%s/submissions" % quote(task.name, safe=''))
             return
 
+        # Required files from the user.
+        required = set([sfe.filename for sfe in task.submission_format])
+
         # Ensure that the user did not submit multiple files with the
         # same name.
         if any(len(filename) != 1 for filename in self.request.files.values()):
@@ -173,9 +176,21 @@ def post(self, task_name):
             return
 
         # If the user submitted an archive, extract it and use content
-        # as request.files.
+        # as request.files. But only valid for "output only" (i.e.,
+        # not for submissions requiring a programming language
+        # identification).
         if len(self.request.files) == 1 and \
                 self.request.files.keys()[0] == "submission":
+            if any(filename.endswith(".%l") for filename in required):
+                self.application.service.add_notification(
+                    participation.user.username,
+                    self.timestamp,
+                    self._("Invalid submission format!"),
+                    self._("Please select the correct files."),
+                    NOTIFICATION_ERROR)
+                self.redirect(
+                    "/tasks/%s/submissions" % quote(task.name, safe=''))
+                return
             archive_data = self.request.files["submission"][0]
             del self.request.files["submission"]
 
@@ -209,7 +224,6 @@ def post(self, task_name):
         # submission format and no more. Less is acceptable if task
         # type says so.
         task_type = get_task_type(dataset=task.active_dataset)
-        required = set([sfe.filename for sfe in task.submission_format])
         provided = set(self.request.files.keys())
         if not (required == provided or (task_type.ALLOW_PARTIAL_SUBMISSION
                                          and required.issuperset(provided))):
diff --git a/cms/server/contest/handlers/taskusertest.py b/cms/server/contest/handlers/taskusertest.py
index 94802553de..665909e22e 100644
--- a/cms/server/contest/handlers/taskusertest.py
+++ b/cms/server/contest/handlers/taskusertest.py
@@ -3,7 +3,7 @@
 
 # Contest Management System - http://cms-dev.github.io/
 # Copyright © 2010-2014 Giovanni Mascellani <mascellani@poisson.phc.unipi.it>
-# Copyright © 2010-2015 Stefano Maggiolo <s.maggiolo@gmail.com>
+# Copyright © 2010-2016 Stefano Maggiolo <s.maggiolo@gmail.com>
 # Copyright © 2010-2012 Matteo Boscariol <boscarim@hotmail.com>
 # Copyright © 2012-2014 Luca Wehrstedt <luca.wehrstedt@gmail.com>
 # Copyright © 2013 Bernard Blackham <bernard@largestprime.net>
@@ -228,6 +228,11 @@ def post(self, task_name):
             self.redirect("/testing?%s" % quote(task.name, safe=''))
             return
 
+        # Required files from the user.
+        required = set([sfe.filename for sfe in task.submission_format] +
+                       task_type.get_user_managers(task.submission_format) +
+                       ["input"])
+
         # Ensure that the user did not submit multiple files with the
         # same name.
         if any(len(filename) != 1 for filename in self.request.files.values()):
@@ -241,9 +246,20 @@ def post(self, task_name):
             return
 
         # If the user submitted an archive, extract it and use content
-        # as request.files.
+        # as request.files. But only valid for "output only" (i.e.,
+        # not for submissions requiring a programming language
+        # identification).
         if len(self.request.files) == 1 and \
                 self.request.files.keys()[0] == "submission":
+            if any(filename.endswith(".%l") for filename in required):
+                self.application.service.add_notification(
+                    participation.user.username,
+                    self.timestamp,
+                    self._("Invalid test format!"),
+                    self._("Please select the correct files."),
+                    NOTIFICATION_ERROR)
+                self.redirect("/testing?%s" % quote(task.name, safe=''))
+                return
             archive_data = self.request.files["submission"][0]
             del self.request.files["submission"]
 
@@ -275,9 +291,6 @@ def post(self, task_name):
         # This ensure that the user sent one file for every name in
         # submission format and no more. Less is acceptable if task
         # type says so.
-        required = set([sfe.filename for sfe in task.submission_format] +
-                       task_type.get_user_managers(task.submission_format) +
-                       ["input"])
         provided = set(self.request.files.keys())
         if not (required == provided or (task_type.ALLOW_PARTIAL_SUBMISSION
                                          and required.issuperset(provided))):
diff --git a/cms/server/contest/templates/task_submissions.html b/cms/server/contest/templates/task_submissions.html
index 83d7f19683..af733ecd57 100644
--- a/cms/server/contest/templates/task_submissions.html
+++ b/cms/server/contest/templates/task_submissions.html
@@ -116,7 +116,7 @@ <h2 style="margin-bottom: 10px">{{ _("Submit a solution") }}</h2>
             </fieldset>
         </form>
     </div>
-{% if len(task.submission_format) > 1 %}
+{% if len(task.submission_format) > 1 and not any(x.filename.endswith(".%l") for x in task.submission_format) %}
     <div class="span4">
         <form class="form-horizontal" enctype="multipart/form-data" action="{{ url_root }}/tasks/{{ encode_for_url(task.name) }}/submit" method="POST">
             <fieldset>
diff --git a/cms/server/contest/templates/test_interface.html b/cms/server/contest/templates/test_interface.html
index ee9a9890ec..3874ed5bfd 100644
--- a/cms/server/contest/templates/test_interface.html
+++ b/cms/server/contest/templates/test_interface.html
@@ -123,6 +123,7 @@ <h2 style="margin-bottom: 10px">{{ _("Submit a test") }}</h2>
             </fieldset>
         </form>
     </div>
+{% if not any(x.filename.endswith(".%l") for x in task.submission_format) %}
     <div class="span4">
         <form class="form-horizontal" enctype="multipart/form-data" action="{{ url_root }}/tasks/{{ encode_for_url(task.name) }}/test" method="POST">
             <fieldset>
@@ -141,6 +142,7 @@ <h2 style="margin-bottom: 10px">{{ _("Submit a test") }}</h2>
             </fieldset>
         </form>
     </div>
+{% end %}
 </div>