Mercurial > hg > uploader
changeset 18:cc5f567ce840
make it safe
| author | Jeff Hammel <jhammel@mozilla.com> |
|---|---|
| date | Sat, 16 Jul 2011 17:41:53 -0700 |
| parents | d15f85eb2ab9 |
| children | 4da97e040145 |
| files | uploader/handlers.py |
| diffstat | 1 files changed, 11 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/uploader/handlers.py Sat Jul 16 10:48:33 2011 -0700 +++ b/uploader/handlers.py Sat Jul 16 17:41:53 2011 -0700 @@ -60,12 +60,21 @@ fout.close() def __call__(self): + + # get the file fin = self.request.POST['file'] try: - _path = fin.filename.replace('..', '_') + _path = fin.filename: except AttributeError: # no file uploaded return self.redirect(self.link('/')) - _path = _path.replace(os.path.sep, '_') + + # don't allow bad filenames + illegal = ['..', '<', '&', '>'] + illegal.append(os.path.sep) + for i in illegal: + _path = _path.replace(i, '_') + + # write the file + redirect _path = os.path.join(self.app.directory, _path) self.write(fin, _path) return self.redirect(self.link('/?uploaded=' + fin.filename))