Created March 27, 2012 00:20 by stevage (gist stevage/2210943)
Checking for unsafe filename paths
Version 1:

    from os import path
    import re

    def is_evil(filename):
        # Flag absolute paths, "../" components, ':' (drive letters, URL
        # schemes) and doubled separators; anything flagged is reduced to
        # its basename before joining. Note that a bare ".." (no trailing
        # slash) is not matched by this pattern.
        return re.search(r"^/|\.\./|:|//", filename)

    if is_evil(filename):
        filename = path.basename(filename)
    copyto = path.join(dataset_path, filename)

Version 2:

    from os import path

    # Join first, then require the result to lie under dataset_path.
    # Note: path.join does not normalise "..", so "/data/../x" still
    # starts with "/data", and the plain prefix test also accepts
    # "/data2/x" when dataset_path is "/data".
    copyto = path.join(dataset_path, filename)
    if not copyto.startswith(dataset_path):
        copyto = path.join(dataset_path, path.basename(filename))
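The following is an added example, not part of the gist. It reproduces both of the gist's checks as functions so their gaps can be exercised, and puts a containment check next to them that normalises ".." before comparing whole path components (os.path.abspath plus os.path.commonpath). It assumes a POSIX filesystem and an absolute dataset_path; the names version1_is_evil, version2_join, safe_join, safe_copy_target and escapes are this example's own.

```python
"""Added example (not from the gist): the gist's two checks beside a
containment check that survives '..' and prefix collisions.
Assumes POSIX paths (os.path is posixpath) and an absolute dataset_path."""
import os.path
import re


def version1_is_evil(filename):
    """The gist's Version 1 test, reproduced for comparison."""
    return re.search(r"^/|\.\./|:|//", filename) is not None


def version2_join(dataset_path, filename):
    """The gist's Version 2 check, reproduced to show what it lets through."""
    copyto = os.path.join(dataset_path, filename)
    if not copyto.startswith(dataset_path):
        copyto = os.path.join(dataset_path, os.path.basename(filename))
    return copyto


def safe_join(dataset_path, filename):
    """Return an absolute path strictly inside dataset_path, else ValueError.

    abspath() collapses '.' and '..' before the comparison, and commonpath()
    compares whole components, so '/data' is not treated as a prefix of
    '/data2'. Leading separators are stripped because os.path.join discards
    the base when the second argument is absolute.
    """
    base = os.path.abspath(dataset_path)
    candidate = os.path.abspath(os.path.join(base, filename.lstrip("/")))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("filename escapes dataset directory: %r" % filename)
    return candidate


def safe_copy_target(dataset_path, filename):
    """Mirror the gist's fallback: if the name escapes, retry with its basename.

    A basename that still escapes (e.g. '..' or '') is rejected outright.
    """
    try:
        return safe_join(dataset_path, filename)
    except ValueError:
        return safe_join(dataset_path, os.path.basename(filename))


def escapes(dataset_path, filename):
    """True if safe_join rejects filename; convenient for asserting."""
    try:
        safe_join(dataset_path, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, chosen to exercise each check's weak spot.
    for name in ["report.csv", "../etc/passwd", "/data2/x", "..", "a/../b"]:
        print("%-14r v1_evil=%-5s v2=%-20s safe=%s" % (
            name, version1_is_evil(name), version2_join("/data", name),
            "REJECT" if escapes("/data", name) else safe_join("/data", name)))
```

The two reproductions are there to be run, not adopted: version2_join("/data", "../etc/passwd") returns "/data/../etc/passwd", which passes the startswith test, and version1_is_evil("..") is False because the pattern requires a trailing slash. On Windows the same idea needs the drive letter and backslashes handled as well, which this POSIX-only example does not attempt.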