ensure the path transferred lies within the configured files directory

author: Richard Jones <richard@mechanicalcat.net> 2013-02-06 19:35:39 +1100
committer: Richard Jones <richard@mechanicalcat.net> 2013-02-06 19:35:39 +1100
commit: e6b785159550896b817ef40e32cbf2651e253047 (patch)
tree: 01db584a4ae05ca3c964e4459307bce078b34d3e
parent: 293edd483ac5554ebd90035398732dc5acb4a028 (diff)
download: decorator-e6b785159550896b817ef40e32cbf2651e253047.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/gae.py b/gae.py
index c01ddbb..434cee0 100644
--- a/gae.py
+++ b/gae.py
@@ -32,13 +32,16 @@ def doit(host, secret, srcdir):
         return
     path,url = x.read().splitlines()
     host, session = urlparse.urlsplit(url)[1:3]
+
     try:
-        data = open(srcdir+"/"+path).read()
-        presence = "present"
+        file_path = os.path.abspath(os.path.join(srcdir, path))
+        if not file_path.startswith(srcdir):
+            data = ''
+        else:
+            data = open(file_path).read()
     except IOError, e:
         if e.errno == errno.ENOENT:
             # file has been deleted
-            presence = "deleted"
             data = ''
         else:
             # some other problem with file. GAE will request transfer
author	Richard Jones <richard@mechanicalcat.net>	2013-02-06 19:35:39 +1100
committer	Richard Jones <richard@mechanicalcat.net>	2013-02-06 19:35:39 +1100
commit	e6b785159550896b817ef40e32cbf2651e253047 (patch)
tree	01db584a4ae05ca3c964e4459307bce078b34d3e
parent	293edd483ac5554ebd90035398732dc5acb4a028 (diff)
download	decorator-e6b785159550896b817ef40e32cbf2651e253047.tar.gz