# HG changeset patch
# User Jeff Hammel
# Date 1310486898 25200
# Node ID 916d45d4f9218cb8fab17c2841f765c484a69c84
# Parent b8c636b0b567883c08d921734bdb8c1caa481f4e
dont just die on questionable filenames
diff -r b8c636b0b567 -r 916d45d4f921 setup.py
--- a/setup.py Tue Jul 05 23:37:52 2011 -0700
+++ b/setup.py Tue Jul 12 09:08:18 2011 -0700
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 import sys, os
-version = "0.2.4"
+version = "0.2.5"
 setup(name='uploader',
 version=version,
diff -r b8c636b0b567 -r 916d45d4f921 uploader/handlers.py
--- a/uploader/handlers.py Tue Jul 05 23:37:52 2011 -0700
+++ b/uploader/handlers.py Tue Jul 12 09:08:18 2011 -0700
@@ -47,15 +47,15 @@
 return request.method == 'POST'
 def write(self, fin, path):
- assert os.sep not in fin.filename
- assert '..' not in fin.filename
 fout = file(path, 'w')
 fout.write(fin.file.read())
 fout.close()
 def __call__(self):
 fin = self.request.POST['file']
- _path = os.path.join(self.app.directory, fin.filename)
+ _path = fin.filename.replace('..', '_')
+ _path = _path.replace(os.path.sep, '_')
+ _path = os.path.join(self.app.directory, _path)
 self.write(fin, _path)
 return self.redirect(self.link('/?uploaded=' + fin.filename))
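Review bot: The filename clean-up added to `__call__` in uploader/handlers.py is a two-string denylist, so the joined path is not guaranteed to stay inside `self.app.directory`: only `os.path.sep` is replaced, which on platforms that define `os.path.altsep` or drive prefixes leaves names that make `os.path.join` discard its first argument. An empty or `.` filename also still makes `file(path, 'w')` raise, which is the crash this commit sets out to avoid, so such names need a fallback. I would first reduce the name to its last component whichever separator the client sent, `_path = os.path.basename(fin.filename.replace('\\', '/'))`, and before `self.write` confirm that `os.path.realpath` of the joined path starts with `os.path.realpath(self.app.directory) + os.sep`. With the asserts removed, `write` trusts whatever `path` it receives, and the handler class begins above the hunk, so any other caller of `write` is unguarded as far as this view shows. The redirect on the last line still appends the raw `fin.filename` to the query string; it should carry the sanitized name, URL-quoted, so the link matches the stored file and client-supplied text cannot alter the query.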