changeset 14:916d45d4f921

dont just die on questionable filenames
author Jeff Hammel <jhammel@mozilla.com>
date Tue, 12 Jul 2011 09:08:18 -0700
parents b8c636b0b567
children 1ee374416987
files setup.py uploader/handlers.py
diffstat 2 files changed, 4 insertions(+), 4 deletions(-) [+]
--- a/setup.py
+++ b/setup.py
@@ -1,12 +1,12 @@
 from setuptools import setup, find_packages
 import sys, os
 
-version = "0.2.4"
+version = "0.2.5"
 
 setup(name='uploader',
       version=version,
       description="a file uploader app",
       long_description="",
       classifiers=[], # Get strings from http://www.python.org/pypi?%3Aaction=list_classifiers
       author='Ethan Jucovy',
       author_email='',
--- a/uploader/handlers.py
+++ b/uploader/handlers.py
@@ -42,25 +42,25 @@ class Get(Handler):
 
 class Post(Handler):
 
     @classmethod
     def match(cls, app, request):
         return request.method == 'POST'
 
     def write(self, fin, path):
-        assert os.sep not in fin.filename
-        assert '..' not in fin.filename
         fout = file(path, 'w')
         fout.write(fin.file.read())
         fout.close()
 
     def __call__(self):
         fin = self.request.POST['file']
-        _path = os.path.join(self.app.directory, fin.filename)
+        _path = fin.filename.replace('..', '_')
+        _path = _path.replace(os.path.sep, '_')
+        _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))
 
 def path(directory, request):
     if os.sep == '/':
         return os.path.join(directory, request.path_info.strip('/'))
     return os.path.join(directory, *request.path_info.strip('/').split('/'))
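Review bot: The new sanitising in `Post.__call__` replaces only `os.path.sep`, so on a platform where `os.path.altsep` is also a separator (Windows accepts `/`) a client-supplied name can still carry a separator into `os.path.join`, and a rooted name there can displace `self.app.directory` entirely. Replacing both styles regardless of platform closes that gap: `_path = fin.filename.replace('..', '_').replace('/', '_').replace('\\', '_')`. A name that ends up empty or as `.` still resolves to the upload directory itself, so `file(path, 'w')` in `write` will raise and the request still dies; a fallback such as `if _path in ('', '.'): _path = '_'` before the join would cover that. Since the asserts were removed from `write`, it would also help to add a comment there stating that callers must pass an already-sanitised path, and ideally to check that the joined path is still under `self.app.directory` before opening it.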