>>>>> "VN" == Vladislav Naumov <vn...@vnaum.com> writes:
VN> On a second thought, checking filenames for safety with a regular
VN> expression doesn't work very well:

[...]

VN> Of course, the user can download a new .bashrc in his homedir and break
VN> it. He could do this with wget as well: that's not a problem of the
VN> software, it's just the user doing stupid things (downloading something
VN> in a homedir).

FWIW, I second the opinion.

Note also that the unpatched version disallows both ‘/’ and ‘\’ in the file names, which prevents distributing whole directories when using BitTornado, and it doesn't feel sensible to me. The patch seems to resolve the problem.

VN> Patch attached.

At a superficial scan, a slightly different patch is needed as of bittornado 0.3.18-8 (note the last hunk). I haven't tested it thoroughly, though.

-- 
FSF associate member #7257
--- BitTornado/BT1/btformats.py.~1~ 2004-05-25 23:00:58.000000000 +0700 +++ BitTornado/BT1/btformats.py 2010-03-22 20:37:58.000000000 +0600 @@ -3,11 +3,14 @@ from types import StringType, LongType, IntType, ListType, DictType from re import compile - -reg = compile(r'^[^/\\.~][^/\\]*$') +from os.path import abspath ints = (LongType, IntType) +def is_safe(name): + # check if name is within current directory + return abspath(name).startswith(abspath('.')) + def check_info(info): if type(info) != DictType: raise ValueError, 'bad metainfo - not a dictionary' @@ -20,7 +23,7 @@ name = info.get('name') if type(name) != StringType: raise ValueError, 'bad metainfo - bad name' - if not reg.match(name): + if not is_safe(name): raise ValueError, 'name %s disallowed for security reasons' % name if info.has_key('files') == info.has_key('length'): raise ValueError, 'single/multiple file mix' @@ -44,7 +47,7 @@ for p in path: if type(p) != StringType: raise ValueError, 'bad metainfo - bad path dir' - if not reg.match(p): + if not is_safe(p): raise ValueError, 'path %s disallowed for security reasons' % p for i in xrange(len(files)): for j in xrange(i):
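Review bot: the `is_safe` helper introduced in the first hunk is a plain string-prefix test, `abspath(name).startswith(abspath('.'))`, and a prefix match is not a containment check: any sibling directory whose name merely extends the current directory's name (for a cwd of `.../downloads`, a name resolving to `.../downloads2/x`) starts with the same string and is accepted, as is the empty name, since `abspath('')` is the cwd itself. Compare whole path elements instead (append `os.sep` to the base before the prefix test, or check that the normalised path's common prefix with the base, element by element, is the base), and keep rejecting components that contain a separator or are `..`, which is what the removed `reg` did. Two smaller points in the same hunk: the check is anchored to the process's current working directory rather than the download location the caller will actually write to, and `from re import compile` is left behind unused once `reg` is deleted.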
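The thread is about how to decide whether a name from a torrent's metainfo may be written under the download directory. The following is an added example, not BitTornado's code and not the attached patch; it contrasts the string-prefix test the patch proposes with an element-wise containment check, and walks a constructed metainfo dictionary in the same shape `check_info()` handles (a top-level `name` plus a `path` list per file). `BASE`, `SAMPLE_INFO` and all function names are constructed for the example.

```python
"""Path-containment check for torrent file names (added example).

Paths are handled lexically with posixpath so the example is deterministic
and needs no filesystem; BASE must therefore be an absolute path.
"""
import posixpath

# Constructed download directory and metainfo for the example.
BASE = '/home/user/downloads'
SAMPLE_INFO = {
    'name': 'album',
    'files': [
        {'length': 10, 'path': ['disc1', '01.flac']},
        {'length': 10, 'path': ['..', '..', 'outside.txt']},  # hostile entry
    ],
}

# Characters that must never appear inside a single path component: '/' and
# '\\' would let one component span directories ('\\' is a separator on
# Windows), and NUL truncates the name in C-level filesystem calls.
FORBIDDEN_CHARS = ('/', '\\', '\x00')


def prefix_check(base, name):
    """The patch's idea reduced to its essence: normalise and compare string
    prefixes.  Kept only to show what it misses; see contained()."""
    target = posixpath.normpath(posixpath.join(base, name))
    return target.startswith(posixpath.normpath(base))


def contained(base, target):
    """True only if target lies under base element by element.  commonpath()
    compares whole path components, so '/home/user/downloads2/x' is not
    'under' '/home/user/downloads' even though it shares a string prefix."""
    base = posixpath.normpath(base)
    if not posixpath.isabs(base):
        raise ValueError('base must be absolute')
    target = posixpath.normpath(target)
    return posixpath.commonpath([base, target]) == base


def safe_component(component):
    """One component is acceptable only if it is a non-empty string, is not a
    directory reference, and contains no separator or NUL characters."""
    if not isinstance(component, str) or component in ('', '.', '..'):
        return False
    return not any(ch in component for ch in FORBIDDEN_CHARS)


def is_within(base, components):
    """Both layers together: every component must be well-formed, and the
    joined, normalised path must still be contained in base."""
    if not components or not all(safe_component(c) for c in components):
        return False
    return contained(base, posixpath.join(base, *components))


def disallowed_paths(base, info):
    """Walk a metainfo dict the way check_info() does and return the offending
    paths as component lists; an empty list means everything is acceptable."""
    bad = []
    name = info.get('name')
    if not is_within(base, [name]):
        bad.append([name])
    for entry in info.get('files', []):
        path = [name] + list(entry.get('path', []))
        if not is_within(base, path):
            bad.append(path)
    return bad


if __name__ == '__main__':
    # Prefix test accepts a sibling directory; containment test rejects it.
    print(prefix_check(BASE, '../downloads2/x'))            # True (false accept)
    print(contained(BASE, '/home/user/downloads2/x'))       # False
    print(disallowed_paths(BASE, SAMPLE_INFO))
```

The component filter alone already rejects `..` and separators, so the `contained()` call is the backstop for anything the filter does not anticipate; the two checks fail independently, which is the property a reviewer wants from a security check that gates file writes.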