# HG changeset patch
# User Jeff Hammel
# Date 1310863313 25200
# Node ID cc5f567ce840281dfdb82a33100de401734d2c47
# Parent d15f85eb2ab9abbb1c26f138ad30d3f815312bf2
make it safe
diff -r d15f85eb2ab9 -r cc5f567ce840 uploader/handlers.py
--- a/uploader/handlers.py Sat Jul 16 10:48:33 2011 -0700
+++ b/uploader/handlers.py Sat Jul 16 17:41:53 2011 -0700
@@ -60,12 +60,21 @@
 fout.close()
 
 def __call__(self):
+
+ # get the file
 fin = self.request.POST['file']
 try:
- _path = fin.filename.replace('..', '_')
+ _path = fin.filename:
 except AttributeError: # no file uploaded
 return self.redirect(self.link('/'))
- _path = _path.replace(os.path.sep, '_')
+
+ # don't allow bad filenames
+ illegal = ['..', '<', '&', '>']
+ illegal.append(os.path.sep)
+ for i in illegal:
+ _path = _path.replace(i, '_')
+
+ # write the file + redirect
 _path = os.path.join(self.app.directory, _path)
 self.write(fin, _path)
 return self.redirect(self.link('/?uploaded=' + fin.filename))
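Review bot: The added line `_path = fin.filename:` carries a stray trailing colon, so the patched `__call__` is a SyntaxError and `uploader/handlers.py` will not import; it should read `_path = fin.filename`. The new `illegal` loop is still a deny-list applied to a client-supplied name: it does not cover `os.path.altsep`, NUL bytes or an empty filename, and nothing after the `os.path.join` confirms the final path is still inside `self.app.directory`. Taking `os.path.basename` first and then checking the resolved target against the resolved upload directory, as sketched below, makes the guarantee explicit instead of depending on the list being complete. The final redirect still interpolates the raw `fin.filename` into the URL rather than the sanitised `_path`; reuse `_path` or percent-encode it with `urllib.quote`. The `<`, `&`, `>` replacements look aimed at HTML rendering, which is better handled by escaping at output time than by rewriting the stored filename.
```python
        # don't allow bad filenames: keep only the final path component,
        # then neutralise the remaining characters the old loop targeted
        _path = os.path.basename(_path)
        for i in ['..', '<', '&', '>', '\0']:
            _path = _path.replace(i, '_')
        if not _path:
            return self.redirect(self.link('/'))
        # write the file + redirect, only if the target is still inside the upload dir
        _path = os.path.join(self.app.directory, _path)
        base = os.path.realpath(self.app.directory)
        if not os.path.realpath(_path).startswith(base + os.path.sep):
            return self.redirect(self.link('/'))
        # … unchanged: self.write(fin, _path) and the final redirect …
```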