changeset 18:cc5f567ce840

make it safe
author Jeff Hammel <jhammel@mozilla.com>
date Sat, 16 Jul 2011 17:41:53 -0700
parents d15f85eb2ab9
children 4da97e040145
files uploader/handlers.py
diffstat 1 files changed, 11 insertions(+), 2 deletions(-) [+]
--- a/uploader/handlers.py	Sat Jul 16 10:48:33 2011 -0700
+++ b/uploader/handlers.py	Sat Jul 16 17:41:53 2011 -0700
@@ -60,12 +60,21 @@
         fout.close()
 
     def __call__(self):
+
+        # get the file
         fin = self.request.POST['file']
         try:
-            _path = fin.filename.replace('..', '_')
+            _path = fin.filename:
         except AttributeError: # no file uploaded
             return self.redirect(self.link('/'))
-        _path = _path.replace(os.path.sep, '_')
+
+        # don't allow bad filenames
+        illegal = ['..', '<', '&', '>']
+        illegal.append(os.path.sep)
+        for i in illegal:
+            _path = _path.replace(i, '_')
+
+        # write the file + redirect
         _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))
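Review bot: The new line `_path = fin.filename:` ends with a stray colon and will not parse, so this commit as written breaks `__call__`; it should read `_path = fin.filename`. The blacklist that follows only replaces `os.path.sep`, so on platforms that also accept `os.path.altsep` (e.g. `/` on Windows) a name such as `..\..\x` reduced by the `..` pass still keeps a separator; adding `if os.path.altsep: illegal.append(os.path.altsep)` after the `os.path.sep` append, or reducing the name with `os.path.basename` before the loop, closes that gap. Since the replacements are sequential, a name like `....` becomes `_._`, which is harmless but worth a comment, e.g. `# sequential replacement: '....' -> '_._', never a traversal component`. The redirect on the last line still embeds the raw `fin.filename` in the URL; quoting it (`urllib.quote`) would keep the sanitisation consistent with the path handling above.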