# HG changeset patch
# User Jeff Hammel <jhammel@mozilla.com>
# Date 1310863313 25200
# Node ID cc5f567ce840281dfdb82a33100de401734d2c47
# Parent  d15f85eb2ab9abbb1c26f138ad30d3f815312bf2
make it safe

diff -r d15f85eb2ab9 -r cc5f567ce840 uploader/handlers.py
--- a/uploader/handlers.py	Sat Jul 16 10:48:33 2011 -0700
+++ b/uploader/handlers.py	Sat Jul 16 17:41:53 2011 -0700
@@ -60,12 +60,21 @@
         fout.close()
 
     def __call__(self):
+
+        # get the file
         fin = self.request.POST['file']
         try:
-            _path = fin.filename.replace('..', '_')
+            _path = fin.filename:
         except AttributeError: # no file uploaded
             return self.redirect(self.link('/'))
-        _path = _path.replace(os.path.sep, '_')
+
+        # don't allow bad filenames
+        illegal = ['..', '<', '&', '>']
+        illegal.append(os.path.sep)
+        for i in illegal:
+            _path = _path.replace(i, '_')
+
+        # write the file + redirect
         _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))