Secure is_safe_filesystem_path_component
On Windows, 1/2 would be a safe filesystem path component, but it's not safe to pass it to path_to_filesystem. Currently only the get method can be called with an href like that, and it checked for that. This just moves the check into the is_safe_filesystem_path_component function.
parent
a4a6a62643
commit
a12ef69129
@ -142,7 +142,8 @@ def is_safe_path_component(path):
|
|||||||
|
|
||||||
|
|
||||||
def is_safe_filesystem_path_component(path):
|
def is_safe_filesystem_path_component(path):
|
||||||
"""Check if path is a single component of a filesystem path.
|
"""Check if path is a single component of a local and posix filesystem
|
||||||
|
path.
|
||||||
|
|
||||||
Check that the path is safe to join too.
|
Check that the path is safe to join too.
|
||||||
|
|
||||||
@ -150,7 +151,8 @@ def is_safe_filesystem_path_component(path):
|
|||||||
return (
|
return (
|
||||||
path and not os.path.splitdrive(path)[0] and
|
path and not os.path.splitdrive(path)[0] and
|
||||||
not os.path.split(path)[0] and path not in (os.curdir, os.pardir) and
|
not os.path.split(path)[0] and path not in (os.curdir, os.pardir) and
|
||||||
not path.startswith(".") and not path.endswith("~"))
|
not path.startswith(".") and not path.endswith("~") and
|
||||||
|
is_safe_path_component(path))
|
||||||
|
|
||||||
|
|
||||||
def path_to_filesystem(root, *paths):
|
def path_to_filesystem(root, *paths):
|
||||||
@ -628,7 +630,7 @@ class Collection(BaseCollection):
|
|||||||
def get(self, href):
|
def get(self, href):
|
||||||
if not href:
|
if not href:
|
||||||
return None
|
return None
|
||||||
href = href.strip("{}").replace("/", "_")
|
href = href.strip("{}")
|
||||||
if not is_safe_filesystem_path_component(href):
|
if not is_safe_filesystem_path_component(href):
|
||||||
self.logger.debug(
|
self.logger.debug(
|
||||||
"Can't translate name safely to filesystem: %s", href)
|
"Can't translate name safely to filesystem: %s", href)
|
||||||
|
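Review bot: In the last hunk, `get` logs the rejected `href` with `%s`, and any value reaching that line has just failed validation, so it may carry line breaks or other control characters verbatim into the log. If `href` originates from a request (it appears to, but the caller is outside the hunk), logging it as `"Can't translate name safely to filesystem: %r", href` keeps each rejection on one unambiguous log line. Because this commit drops `.replace("/", "_")`, hrefs containing a slash now take this rejection path too, so the message fires for more inputs than before. Separately, the `and` chain in `is_safe_filesystem_path_component` returns the falsy `path` itself (for example `""`) rather than `False`; wrapping the expression in `bool(...)` would make the return type consistent. The body of `get` continues past the end of the hunk.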