changeset 14:916d45d4f921
dont just die on questionable filenames
author | Jeff Hammel <jhammel@mozilla.com> |
---|---|
date | Tue, 12 Jul 2011 09:08:18 -0700 |
parents | b8c636b0b567 |
children | 1ee374416987 |
files | setup.py uploader/handlers.py |
diffstat | 2 files changed, 4 insertions(+), 4 deletions(-) [+] |
--- a/setup.py Tue Jul 05 23:37:52 2011 -0700
+++ b/setup.py Tue Jul 12 09:08:18 2011 -0700
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 import sys, os
-version = "0.2.4"
+version = "0.2.5"
 setup(name='uploader',
 version=version,
--- a/uploader/handlers.py Tue Jul 05 23:37:52 2011 -0700
+++ b/uploader/handlers.py Tue Jul 12 09:08:18 2011 -0700
@@ -47,15 +47,15 @@
 return request.method == 'POST'
 def write(self, fin, path):
- assert os.sep not in fin.filename
- assert '..' not in fin.filename
 fout = file(path, 'w')
 fout.write(fin.file.read())
 fout.close()
 def __call__(self):
 fin = self.request.POST['file']
- _path = os.path.join(self.app.directory, fin.filename)
+ _path = fin.filename.replace('..', '_')
+ _path = _path.replace(os.path.sep, '_')
+ _path = os.path.join(self.app.directory, _path)
 self.write(fin, _path)
 return self.redirect(self.link('/?uploaded=' + fin.filename))
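Review bot: The two `replace` calls added in `__call__` are now the only guard on where an upload is written, because the asserts in `write` are removed, and they cover just the literal `..` and the host's `os.path.sep`. The other separator style is left alone (`os.altsep` is `/` on Windows), a name that sanitises to an empty string or `.` makes `_path` the upload directory itself, and nothing confirms afterwards that the joined path is still directly inside `self.app.directory`. I would neutralise both `/` and `\` on every platform, substitute a placeholder for empty or dot names, and keep a containment check on the final path as a backstop. The redirect on the last line still echoes the raw `fin.filename`, which no longer matches the stored name and is not URL-encoded; passing the sanitised name through `urllib.quote` (assuming `urllib` is or can be imported in handlers.py) would fix both. The enclosing class starts outside the hunk, so how `self.app.directory` is set is not visible here.

```python
    def __call__(self):
        fin = self.request.POST['file']
        # neutralise both separator styles, whatever the host platform is
        name = fin.filename.replace('..', '_')
        for sep in ('/', '\\'):
            name = name.replace(sep, '_')
        if name in ('', '.'):
            name = '_'  # would otherwise resolve to the upload directory itself
        _path = os.path.join(self.app.directory, name)
        # backstop: only fires if the sanitising above missed something
        root = os.path.abspath(self.app.directory)
        if os.path.dirname(os.path.abspath(_path)) != root:
            raise ValueError('upload path is outside the upload directory')
        # ... unchanged: self.write(fin, _path) and the redirect ...
```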