changeset 18:cc5f567ce840

make it safe
author Jeff Hammel <jhammel@mozilla.com>
date Sat, 16 Jul 2011 17:41:53 -0700
parents d15f85eb2ab9
children 4da97e040145
files uploader/handlers.py
diffstat 1 files changed, 11 insertions(+), 2 deletions(-) [+]
--- a/uploader/handlers.py
+++ b/uploader/handlers.py
@@ -55,22 +55,31 @@ class Post(Handler):
         return request.method == 'POST'
 
     def write(self, fin, path):
         fout = file(path, 'w')
         fout.write(fin.file.read())
         fout.close()
 
     def __call__(self):
+
+        # get the file
         fin = self.request.POST['file']
         try:
-            _path = fin.filename.replace('..', '_')
+            _path = fin.filename:
         except AttributeError: # no file uploaded
             return self.redirect(self.link('/'))
-        _path = _path.replace(os.path.sep, '_')
+
+        # don't allow bad filenames
+        illegal = ['..', '<', '&', '>']
+        illegal.append(os.path.sep)
+        for i in illegal:
+            _path = _path.replace(i, '_')
+
+        # write the file + redirect
         _path = os.path.join(self.app.directory, _path)
         self.write(fin, _path)
         return self.redirect(self.link('/?uploaded=' + fin.filename))
 
 def path(directory, request):
     if os.sep == '/':
         return os.path.join(directory, request.path_info.strip('/'))
     return os.path.join(directory, *request.path_info.strip('/').split('/'))
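Review bot: The new line `_path = fin.filename:` ends in a stray colon, which is a syntax error, so the module will not import and the whole handler is unusable; it should read `_path = fin.filename`. The blacklist below it also only replaces `os.path.sep`, so on a platform that accepts a second separator (`os.path.altsep`) that character passes through; `illegal.extend(s for s in (os.path.sep, os.path.altsep) if s)` covers both, and a filename that sanitizes to the empty string should be rejected before the join, e.g. `if not _path: return self.redirect(self.link('/'))`, since `os.path.join(self.app.directory, '')` points at the directory itself. The redirect still concatenates the raw `fin.filename` into the `Location` URL without URL-encoding, so characters like `&`, `#` or whitespace in the uploaded name produce a malformed or mis-parsed redirect; `urllib.quote(fin.filename)` would keep that consistent with the sanitized path. The `Post` class header and the `is_post`-style predicate above `write` are outside the hunk.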