Commit 203a4fa4 authored by Alexandre Boeglin's avatar Alexandre Boeglin

prevents path escaping with '..'


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9772 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent c0f07076
...@@ -733,10 +733,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder): ...@@ -733,10 +733,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder):
def _getWorkingPath(self, path): def _getWorkingPath(self, path):
""" Check if the given path is reachable (allowed) """ Check if the given path is reachable (allowed)
""" """
if not path.startswith(self.top_working_path) and \ real_path = os.path.abspath(path)
not path.startswith(gettempdir()): if not real_path.startswith(self.top_working_path) and \
raise UnauthorizedAccessToPath, 'Unauthorized access to path %s. It is NOT in your Zope home instance.' % path not real_path.startswith(gettempdir()):
return path raise UnauthorizedAccessToPath, 'Unauthorized access to path %s. It is '
'NOT in your Zope home instance.' % real_path
return real_path
security.declareProtected('Import/Export objects', 'update') security.declareProtected('Import/Export objects', 'update')
def update(self, business_template): def update(self, business_template):
......
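Review bot: The prefix test on the new `if not real_path.startswith(self.top_working_path) and \` line still accepts a sibling directory whose name merely begins with the allowed root (a root of `<root>` also matches `<root>2`), because no path separator is required after the prefix; compare against the root with a trailing separator instead, e.g. `top = os.path.join(self.top_working_path, '')` and `if real_path != self.top_working_path and not real_path.startswith(top) and not real_path.startswith(os.path.join(gettempdir(), '')):`. `os.path.abspath` collapses `..` lexically but does not resolve symbolic links, so a link placed inside the working tree can still point outside it; `os.path.realpath(path)` would cover that case too, provided callers do not depend on getting the unresolved path back. Whether `self.top_working_path` itself is absolute and normalized is not visible in this hunk; if it is not, the comparison can fail or pass spuriously, so it is worth normalizing it once where it is set. The surrounding class continues outside the hunk.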