Add missing checks for safe fileystem components
Currently it's not possible to exploit these.
parent
dc501d5dc5
commit
5dbf9df876
@ -584,6 +584,8 @@ class Collection(BaseCollection):
|
||||
"""
|
||||
fs = []
|
||||
for href, item in vobject_items.items():
|
||||
if not is_safe_filesystem_path_component(href):
|
||||
raise UnsafePathError(href)
|
||||
path = path_to_filesystem(self._filesystem_path, href)
|
||||
fs.append(open(path, "w", encoding=self.encoding, newline=""))
|
||||
fs[-1].write(item.serialize())
|
||||
@ -595,6 +597,8 @@ class Collection(BaseCollection):
|
||||
|
||||
@classmethod
|
||||
def move(cls, item, to_collection, to_href):
|
||||
if not is_safe_filesystem_path_component(to_href):
|
||||
raise UnsafePathError(to_href)
|
||||
os.replace(
|
||||
path_to_filesystem(item.collection._filesystem_path, item.href),
|
||||
path_to_filesystem(to_collection._filesystem_path, to_href))
|
||||
|
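Review bot: In the first hunk the new `raise UnsafePathError(href)` sits inside the loop, after earlier iterations have already opened and written files, so one unsafe href partway through the mapping leaves those handles in `fs` open and the earlier items on disk. Checking every key before `fs = []` would make the rejection all-or-nothing: a separate `for href in vobject_items:` loop running the same `if not is_safe_filesystem_path_component(href): raise UnsafePathError(href)`. The method starts before and continues past the hunk, so if later code closes `fs` on error, only the partial-write concern remains. In `move`, only `to_href` is checked, while `item.href` reaches `path_to_filesystem` unchecked here. It is presumably validated when the item is loaded, which deserves a one-line comment such as `# item.href was validated when the item was loaded`.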