# HG changeset patch
# User Jeff Hammel <jhammel@mozilla.com>
# Date 1310486898 25200
# Node ID 916d45d4f9218cb8fab17c2841f765c484a69c84
# Parent  b8c636b0b567883c08d921734bdb8c1caa481f4e
dont just die on questionable filenames

diff -r b8c636b0b567 -r 916d45d4f921 setup.py
--- a/setup.py	Tue Jul 05 23:37:52 2011 -0700
+++ b/setup.py	Tue Jul 12 09:08:18 2011 -0700
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 import sys, os
 
-version = "0.2.4"
+version = "0.2.5"
 
 setup(name='uploader',
       version=version,
diff -r b8c636b0b567 -r 916d45d4f921 uploader/handlers.py
--- a/uploader/handlers.py	Tue Jul 05 23:37:52 2011 -0700
+++ b/uploader/handlers.py	Tue Jul 12 09:08:18 2011 -0700
@@ -47,15 +47,15 @@
         return request.method == 'POST'
 
     def write(self, fin, path):
-        assert os.sep not in fin.filename
-        assert '..' not in fin.filename
         fout = file(path, 'w')
         fout.write(fin.file.read())
         fout.close()
 
     def __call__(self):
         fin = self.request.POST['file']
-        _path = os.path.join(self.app.directory, fin.filename)
+        _path = fin.filename.replace('..', '_')
+        _path = _path.replace(os.path.sep, '_')
+        _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))