Mercurial > kallithea
diff rhodecode/controllers/files.py @ 3559:328eb707fe3f beta
added more strict checks for file path in add file controller
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Thu, 21 Mar 2013 22:01:52 +0100 |
| parents | b7f489714639 |
| children | 8d8c4dddd174 |
line wrap: on
line diff
--- a/rhodecode/controllers/files.py Thu Mar 21 21:12:03 2013 +0100 +++ b/rhodecode/controllers/files.py Thu Mar 21 22:01:52 2013 +0100 @@ -356,17 +356,14 @@ content = convert_line_endings(r_post.get('content'), unix_mode) message = r_post.get('message') or c.default_message + filename = r_post.get('filename') location = r_post.get('location') - filename = r_post.get('filename') file_obj = r_post.get('upload_file', None) if file_obj is not None and hasattr(file_obj, 'filename'): filename = file_obj.filename content = file_obj.file - node_path = os.path.join(location, filename) - author = self.rhodecode_user.full_contact - if not content: h.flash(_('No content'), category='warning') return redirect(url('changeset_home', repo_name=c.repo_name, @@ -375,6 +372,15 @@ h.flash(_('No filename'), category='warning') return redirect(url('changeset_home', repo_name=c.repo_name, revision='tip')) + if location.startswith('/') or location.startswith('.') or '../' in location: + h.flash(_('location must be relative path and must not ' + 'contain .. in path'), category='warning') + return redirect(url('changeset_home', repo_name=c.repo_name, + revision='tip')) + location = os.path.normpath(location) + filename = os.path.basename(filename) + node_path = os.path.join(location, filename) + author = self.rhodecode_user.full_contact try: self.scm_model.create_node(repo=c.rhodecode_repo, @@ -384,7 +390,7 @@ content=content, f_path=node_path) h.flash(_('Successfully committed to %s') % node_path, category='success') - except NodeAlreadyExistsError, e: + except (NodeError, NodeAlreadyExistsError), e: h.flash(_(e), category='error') except Exception: log.error(traceback.format_exc())