comparison uploader/handlers.py @ 18:cc5f567ce840
make it safe
author | Jeff Hammel <jhammel@mozilla.com> |
---|---|
date | Sat, 16 Jul 2011 17:41:53 -0700 |
parents | d15f85eb2ab9 |
children | 4da97e040145 |
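--- a/uploader/handlers.py
+++ b/uploader/handlers.py
@@ -58,16 +58,25 @@
 fout = file(path, 'w')
 fout.write(fin.file.read())
 fout.close()
 
 def __call__(self):
+
+# get the file
 fin = self.request.POST['file']
 try:
-_path = fin.filename.replace('..', '_')
+_path = fin.filename:
 except AttributeError: # no file uploaded
 return self.redirect(self.link('/'))
-_path = _path.replace(os.path.sep, '_')
+
+# don't allow bad filenames
+illegal = ['..', '<', '&', '>']
+illegal.append(os.path.sep)
+for i in illegal:
+_path = _path.replace(i, '_')
+
+# write the file + redirect
 _path = os.path.join(self.app.directory, _path)
 self.write(fin, _path)
 return self.redirect(self.link('/?uploaded=' + fin.filename))
 
 def path(directory, request):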
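Review bot: New line 67 `_path = fin.filename:` ends in a colon, which is a SyntaxError as rendered; unless that is a display artifact it should read `_path = fin.filename`. The substitution loop on new lines 72-75 strips os.path.sep but not os.path.altsep, so on platforms where altsep is set a separator can survive into the os.path.join on line 78; taking `_path = os.path.basename(fin.filename)` first (after also replacing os.path.altsep when it is not None) and then refusing to call self.write unless `os.path.abspath(_path)` starts with `os.path.abspath(self.app.directory) + os.path.sep` would make the containment guarantee explicit instead of depending on the replacement list staying complete. The unchanged redirect on line 80 still concatenates the raw `fin.filename` into the Location URL rather than the sanitized name, so it should be passed through `urllib.quote` (or use the cleaned basename) before building the link. The enclosing class starts before this section and `path()` continues past it.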