Mercurial > hg > uploader
comparison uploader/handlers.py @ 18:cc5f567ce840
make it safe
| author | Jeff Hammel <jhammel@mozilla.com> |
|---|---|
| date | Sat, 16 Jul 2011 17:41:53 -0700 |
| parents | d15f85eb2ab9 |
| children | 4da97e040145 |
comparison
equal
deleted
inserted
replaced
| 17:d15f85eb2ab9 | 18:cc5f567ce840 |
|---|---|
| 58 fout = file(path, 'w') | 58 fout = file(path, 'w') |
| 59 fout.write(fin.file.read()) | 59 fout.write(fin.file.read()) |
| 60 fout.close() | 60 fout.close() |
| 61 | 61 |
| 62 def __call__(self): | 62 def __call__(self): |
| 63 | |
| 64 # get the file | |
| 63 fin = self.request.POST['file'] | 65 fin = self.request.POST['file'] |
| 64 try: | 66 try: |
| 65 _path = fin.filename.replace('..', '_') | 67 _path = fin.filename: |
| 66 except AttributeError: # no file uploaded | 68 except AttributeError: # no file uploaded |
| 67 return self.redirect(self.link('/')) | 69 return self.redirect(self.link('/')) |
| 68 _path = _path.replace(os.path.sep, '_') | 70 |
| 71 # don't allow bad filenames | |
| 72 illegal = ['..', '<', '&', '>'] | |
| 73 illegal.append(os.path.sep) | |
| 74 for i in illegal: | |
| 75 _path = _path.replace(i, '_') | |
| 76 | |
| 77 # write the file + redirect | |
| 69 _path = os.path.join(self.app.directory, _path) | 78 _path = os.path.join(self.app.directory, _path) |
| 70 self.write(fin, _path) | 79 self.write(fin, _path) |
| 71 return self.redirect(self.link('/?uploaded=' + fin.filename)) | 80 return self.redirect(self.link('/?uploaded=' + fin.filename)) |
| 72 | 81 |
| 73 def path(directory, request): | 82 def path(directory, request): |