changeset 5898:d3090fb6624f

make taintfilename more secure
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 08 Dec 2012 21:20:24 +0100
parents 20a27e94a7f9
children d0567fba754e
files MoinMoin/wikiutil.py
diffstat 1 files changed, 3 insertions(+), 3 deletions(-) [+]
--- a/MoinMoin/wikiutil.py	Fri Sep 28 15:04:15 2012 +0200
+++ b/MoinMoin/wikiutil.py	Sat Dec 08 21:20:24 2012 +0100
@@ -2266,9 +2266,9 @@
     @rtype: string
     @return: (safer) filename
     """
-    for x in (os.pardir, ':', '/', '\\', '<', '>'):
-        basename = basename.replace(x, '_')
-
+    # note: filenames containing ../ (or ..\) are made safe by replacing
+    # the / (or the \). the .. will be kept, but is harmless then.
+    basename = re.sub('[\x00-\x1f:/\\\\<>"*?%|]', '_', basename)
     return basename
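Review bot: The new comment's claim that a surviving `..` is harmless only holds when a separator stood next to it; a basename that is exactly `..` contains no separator, passes the character class untouched and still names the parent directory, a case the removed `os.pardir` replacement used to neutralise. Keep a guard for it after the substitution, e.g. `if basename == os.pardir: basename = '_'`, so the rewrite does not regress on that input. The range `\x00-\x1f` also lets DEL (`\x7f`) through while blocking every other control character; `[\x00-\x1f\x7f:/\\\\<>"*?%|]` closes that gap. taintfilename's signature and the start of its docstring are outside the hunk.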