changeset 5898:d3090fb6624f
make taintfilename more secure
author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
---|---|
date | Sat, 08 Dec 2012 21:20:24 +0100 |
parents | 20a27e94a7f9 |
children | d0567fba754e |
files | MoinMoin/wikiutil.py |
diffstat | 1 files changed, 3 insertions(+), 3 deletions(-) [+] |
--- a/MoinMoin/wikiutil.py Fri Sep 28 15:04:15 2012 +0200
+++ b/MoinMoin/wikiutil.py Sat Dec 08 21:20:24 2012 +0100
@@ -2266,9 +2266,9 @@
 @rtype: string
 @return: (safer) filename
 """
- for x in (os.pardir, ':', '/', '\\', '<', '>'):
- basename = basename.replace(x, '_')
-
+ # note: filenames containing ../ (or ..\) are made safe by replacing
+ # the / (or the \). the .. will be kept, but is harmless then.
+ basename = re.sub('[\x00-\x1f:/\\\\<>"*?%|]', '_', basename)
 return basename
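Review bot: A basename that is exactly `..` (or `.`) is now returned unchanged, because the new `re.sub` character class rewrites only separators and special characters while the old loop's `os.pardir` replacement is dropped; the added comment's "harmless" argument covers `../x` but not the bare name. If any caller joins the result onto a storage directory, that name resolves to the parent directory, so I would add after the `re.sub` line `if basename in (os.curdir, os.pardir): basename = basename.replace('.', '_')`. The docstring could also state that an empty result, Windows reserved device names and trailing dots or spaces are not handled here, if that is intended. The function's signature and the start of its docstring are outside the hunk.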