Mercurial > libervia-backend
changeset 1926:55a7328fafb6
jp (blog/edit): do not remove files if they are not in the temporary dir hierarchy
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 25 Mar 2016 11:45:57 +0100 |
| parents | 53b51866747f |
| children | 03f780b60d5d |
| files | frontends/src/jp/cmd_blog.py |
| diffstat | 1 files changed, 6 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/frontends/src/jp/cmd_blog.py Thu Mar 24 18:38:04 2016 +0100 +++ b/frontends/src/jp/cmd_blog.py Fri Mar 25 11:45:57 2016 +0100 @@ -116,6 +116,9 @@ """ if not os.path.isfile(path): raise OSError(u"path must link to a regular file") + if not path.startswith(self.getTmpDir(sat_conf)): + self.disp(u"File {} is not in blog temporary hierarchy, we do not remove it".format(path.decode('utf-8')), 2) + return backup_dir = self.getTmpDir(sat_conf, SECURE_UNLINK_DIR) if not os.path.exists(backup_dir): os.makedirs(backup_dir) @@ -311,6 +314,9 @@ if len(content) == 0: self.disp(u"Content is empty, cancelling the blog edition") + if not content_file_path.startswith(self.getTmpDir(sat_conf)): + self.disp(u"File are not in blog temporary hierarchy, we do not remove it", 2) + self.host.quit() self.disp(u"Deletion of {}".format(content_file_path.decode('utf-8')), 2) os.unlink(content_file_path) self.disp(u"Deletion of {}".format(meta_file_path.decode('utf-8')), 2)