Bug#368604: [PATCH] Better safety check for file names in BitTornado

Mon, 22 Mar 2010 08:42:04 -0700 

>>>>> "VN" == Vladislav Naumov <vn...@vnaum.com> writes:

 VN> On a second thought, checking filenames for safety with a regular
 VN> expression doesn't work very well:

[...]

 VN> Of course, user can download new .bashrc in his homedir and break
 VN> it.  He could do this with wget as well: that's not a problem of a
 VN> software, it's just user doing stupid things (downloading something
 VN> in a homedir).

        FWIW, I second the opinion.

        Note also that the unpatched version disallows both ‘/’ and ‘\’
        in the file names, which prevents distributing whole directories
        when using BitTornado, and it doesn't feel sensible to me.  The
        patch seems to resolve the problem.

 VN> Patch attached.

        At a superficial scan, a slightly different patch is needed as
        of bittornado 0.3.18-8 (note the last hunk.)  I haven't tested
        it thoroughly, though.

-- 
FSF associate member #7257

--- BitTornado/BT1/btformats.py.~1~	2004-05-25 23:00:58.000000000 +0700
+++ BitTornado/BT1/btformats.py	2010-03-22 20:37:58.000000000 +0600
@@ -3,11 +3,14 @@
 
 from types import StringType, LongType, IntType, ListType, DictType
 from re import compile
-
-reg = compile(r'^[^/\\.~][^/\\]*$')
+from os.path import abspath
 
 ints = (LongType, IntType)
 
+def is_safe(name):
+    # check if name is within current directory
+    return abspath(name).startswith(abspath('.'))
+
 def check_info(info):
     if type(info) != DictType:
         raise ValueError, 'bad metainfo - not a dictionary'
@@ -20,7 +23,7 @@
     name = info.get('name')
     if type(name) != StringType:
         raise ValueError, 'bad metainfo - bad name'
-    if not reg.match(name):
+    if not is_safe(name):
         raise ValueError, 'name %s disallowed for security reasons' % name
     if info.has_key('files') == info.has_key('length'):
         raise ValueError, 'single/multiple file mix'
@@ -44,7 +47,7 @@
             for p in path:
                 if type(p) != StringType:
                     raise ValueError, 'bad metainfo - bad path dir'
-                if not reg.match(p):
+                if not is_safe(p):
                     raise ValueError, 'path %s disallowed for security reasons' % p
         for i in xrange(len(files)):
             for j in xrange(i):

Attachment: pgpdrHMaDew0F.pgp
Description: PGP signature

Reply via email to