diff options
| -rw-r--r-- | mediagoblin/storage.py | 12 | ||||
| -rw-r--r-- | mediagoblin/tests/test_storage.py | 9 |
2 files changed, 20 insertions, 1 deletions
diff --git a/mediagoblin/storage.py b/mediagoblin/storage.py index c06cb3a8..805be84c 100644 --- a/mediagoblin/storage.py +++ b/mediagoblin/storage.py @@ -18,6 +18,10 @@ from werkzeug.utils import secure_filename +class Error(Exception): pass +class InvalidFilepath(Error): pass + + def clean_listy_filepath(listy_filepath): """ Take a listy filepath (like ['dir1', 'dir2', 'filename.jpg']) and @@ -34,8 +38,14 @@ def clean_listy_filepath(listy_filepath): Returns: A cleaned list of unicode objects. """ - return [ + cleaned_filepath = [ unicode(secure_filename(filepath)) for filepath in listy_filepath] + if u'' in cleaned_filepath: + raise InvalidFilepath( + "A filename component could not be resolved into a usable name.") + + return cleaned_filepath + diff --git a/mediagoblin/tests/test_storage.py b/mediagoblin/tests/test_storage.py index b7da467c..cdcddf09 100644 --- a/mediagoblin/tests/test_storage.py +++ b/mediagoblin/tests/test_storage.py @@ -30,3 +30,12 @@ def test_clean_listy_filepath(): expected = [u'etc', u'passwd'] assert storage.clean_listy_filepath( ['../../../etc/', 'passwd']) == expected + + try: + storage.clean_listy_filepath( + ['../../', 'linooks.jpg']) + except storage.InvalidFilepath: + # Yes, this error should be raise + pass + else: + assert "success" == "failboat" |