changeset 14:916d45d4f921

don't just die on questionable filenames
author Jeff Hammel <jhammel@mozilla.com>
date Tue, 12 Jul 2011 09:08:18 -0700
parents b8c636b0b567
children 1ee374416987
files setup.py uploader/handlers.py
diffstat 2 files changed, 4 insertions(+), 4 deletions(-) [+]
--- a/setup.py	Tue Jul 05 23:37:52 2011 -0700
+++ b/setup.py	Tue Jul 12 09:08:18 2011 -0700
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 import sys, os
 
-version = "0.2.4"
+version = "0.2.5"
 
 setup(name='uploader',
       version=version,
--- a/uploader/handlers.py	Tue Jul 05 23:37:52 2011 -0700
+++ b/uploader/handlers.py	Tue Jul 12 09:08:18 2011 -0700
@@ -47,15 +47,15 @@
         return request.method == 'POST'
 
     def write(self, fin, path):
-        assert os.sep not in fin.filename
-        assert '..' not in fin.filename
         fout = file(path, 'w')
         fout.write(fin.file.read())
         fout.close()
 
     def __call__(self):
         fin = self.request.POST['file']
-        _path = os.path.join(self.app.directory, fin.filename)
+        _path = fin.filename.replace('..', '_')
+        _path = _path.replace(os.path.sep, '_')
+        _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))
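Review bot: The replacement added in `__call__` is a denylist covering only `..` and `os.path.sep`, and the joined `_path` is never checked to be inside `self.app.directory`; on Windows `os.path.altsep` (`/`) and a drive prefix pass through unchanged, and `os.path.join` can discard the base directory when its second argument carries a different drive. An empty or `.` filename also still reaches `write()`, where `file(path, 'w')` would fail on the directory itself, and with the asserts removed `write()` now trusts whatever path it is handed. I would add `if os.path.altsep: _path = _path.replace(os.path.altsep, '_')` before the join and, after it, require `os.path.dirname(os.path.abspath(_path)) == os.path.abspath(self.app.directory)` before calling `self.write`. Separately, the redirect still concatenates the raw `fin.filename` into the query string; quoting it (presumably `urllib.quote`, since `file()` suggests Python 2) would keep `&`, `#` or control characters in a client-supplied name from altering the URL. The handler class starts above this hunk, so its imports and any earlier validation are not visible here.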