Richard Jones  committed 9cc86ea

ensure the path transferred lies within the configured files directory

  • Parent commits 2bcd9fd

Files changed (1)

         return
     path,url = x.read().splitlines()
     host, session = urlparse.urlsplit(url)[1:3]
+
     try:
-        data = open(srcdir+"/"+path).read()
-        presence = "present"
+        file_path = os.path.abspath(os.path.join(srcdir, path))
+        if not file_path.startswith(srcdir):
+            data = ''
+        else:
+            data = open(file_path).read()
     except IOError, e:
         if e.errno == errno.ENOENT:
             # file has been deleted
-            presence = "deleted"
             data = ''
         else:
             # some other problem with file. GAE will request transfer
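
Review bot: The containment test on `if not file_path.startswith(srcdir):` is a raw string-prefix comparison, so a sibling directory whose name merely begins with the same characters as srcdir (srcdir with any suffix appended) still passes the check. srcdir is also not normalised the way file_path is: if it is relative or contains `..` segments, the absolute file_path never starts with it and every transfer returns empty data. Suggest normalising once, for example `base = os.path.abspath(srcdir)`, and testing `file_path.startswith(base + os.sep)`; use os.path.realpath on both sides if symlinks inside the files directory must not lead out of it. Separately, a rejected path sets `data = ''`, the same value the ENOENT branch produces, so an out-of-directory request is indistinguishable from a deleted file; with both `presence` assignments removed, confirm nothing below this hunk still reads `presence`, and consider logging the rejected path.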