climate-commits mailing list archives

From jo...@apache.org
Subject svn commit: r1563514 - /incubator/climate/trunk/ocw-ui/backend/directory_helpers.py
Date Sat, 01 Feb 2014 23:57:04 GMT
Author: joyce
Date: Sat Feb  1 23:57:03 2014
New Revision: 1563514

URL: http://svn.apache.org/r1563514
Log:
CLIMATE-326 - Add directory helper for cleaning directory paths.

Modified:
    incubator/climate/trunk/ocw-ui/backend/directory_helpers.py

Modified: incubator/climate/trunk/ocw-ui/backend/directory_helpers.py
URL: http://svn.apache.org/viewvc/incubator/climate/trunk/ocw-ui/backend/directory_helpers.py?rev=1563514&r1=1563513&r2=1563514&view=diff
==============================================================================
--- incubator/climate/trunk/ocw-ui/backend/directory_helpers.py (original)
+++ incubator/climate/trunk/ocw-ui/backend/directory_helpers.py Sat Feb  1 23:57:03 2014
@@ -105,3 +105,22 @@ def getPathLeader():
         return "%s(%s)" % (request.query.callback, returnJSON)
     else:
         return returnJSON
+
+def _get_clean_directory_path(path_leader, dir_path):
+    ''''''
+    dir_path = re.sub('/\.\./|/\.\.|/\./|/\.', '/', dir_path)
+
+    # Prevents the directory path from being a substring of the path leader.
+    # os.path.join('/usr/local/rcmes', '/usr/local') gives '/usr/local'
+    # which could allow access to unacceptable paths.
+    if path_leader.startswith(dir_path):
+        cur_frame = sys._getframe().f_code
+        err = "{}.{}: Path leader {} cannot start with passed directory {}".format(
+            cur_frame.co_filename,
+            cur_frame.co_name,
+            path_leader,
+            dir_path
+        )
+        raise ValueError(err)
+
+    return os.path.join(path_leader, dir_path)
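Review bot: The containment check in `_get_clean_directory_path` only rejects a `dir_path` that is a prefix of `path_leader`, so any other absolute `dir_path` still makes `os.path.join` discard the leader, and a relative path that begins with `..` is left alone by the regex because every alternative starts with `/`. The `/\.` alternative also rewrites ordinary dot-prefixed names, so legitimate directories can be silently renamed. I would replace the regex and the `startswith` test with a check on the resolved path: join, resolve, and raise `ValueError` unless the result is the leader itself or sits beneath it, as sketched below. Note that the sketch returns the resolved path, so callers would see symlinks expanded. The empty `''''''` docstring should state that contract: the two inputs, the returned path, and when `ValueError` is raised.

```python
def _get_clean_directory_path(path_leader, dir_path):
    # … unchanged: docstring (to be filled in) …
    root = os.path.realpath(path_leader)
    # Strip leading separators so os.path.join cannot discard the leader.
    candidate = os.path.realpath(os.path.join(root, dir_path.lstrip('/')))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError(
            "Directory {} resolves outside path leader {}".format(dir_path, path_leader)
        )
    return candidate
```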


