Thomas Waldmann committed d3090fb Draft

make taintfilename more secure

Files changed (1)

MoinMoin/wikiutil.py

     @rtype: string
     @return: (safer) filename
     """
-    for x in (os.pardir, ':', '/', '\\', '<', '>'):
-        basename = basename.replace(x, '_')
-
+    # note: filenames containing ../ (or ..\) are made safe by replacing
+    # the / (or the \). the .. will be kept, but is harmless then.
+    basename = re.sub('[\x00-\x1f:/\\\\<>"*?%|]', '_', basename)
     return basename
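Review bot: dropping the explicit `os.pardir` replacement leaves a basename that is exactly `..` (or `.`) untouched, because the new pattern only rewrites separators and the listed metacharacters; the comment's "harmless" argument holds for `../x` (which becomes `.._x`) but not for a bare `..`, which still resolves to the parent directory when joined to a directory path. Consider adding, after the `re.sub`, something like `if basename in (os.curdir, os.pardir): basename = '_'`, and confirm that `re` is imported at the top of wikiutil.py, since this hunk uses it without adding the import. The non-raw string literal is fine as written: `'\\\\'` reaches the regex engine as `\\`, a single literal backslash inside the class.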