
2nd try: Dots are a security hole in file names
authorSven Velt <sven@velt.de>
Thu, 27 May 2010 13:29:29 +0000 (15:29 +0200)
committerSven Velt <sven@velt.de>
Thu, 27 May 2010 13:29:29 +0000 (15:29 +0200)
Signed-off-by: Sven Velt <sven@velt.de>
nagixsc_conf2http.py

index 8738d044452471eebc855210e1334df50f4c02b7..1c5d28ff137af6c64218c6eb4bfb138d80bbdde0 100755 (executable)
@@ -102,7 +102,7 @@ class Conf2HTTPHandler(MyHTTPRequestHandler):
                if re.search('\.\.', configfile):
                        self.http_error(500, 'Found ".." in config file name')
                        return
-               if not re.search('^[a-zA-Z0-9-_]+$', configfile):
+               if not re.search('^[a-zA-Z0-9-_]+.conf$', configfile):
                        self.http_error(500, 'Config file name contains invalid characters')
                        return
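Review bot: The `.` in the added pattern `'^[a-zA-Z0-9-_]+.conf$'` is unescaped, so it matches any single character rather than a literal dot. The check therefore accepts names that do not end in `.conf`, and it lets one character outside the whitelist through, which can include a path separator. `$` also matches just before a trailing newline, so the name is not pinned to its exact end. A raw string with an escaped dot and `\Z` closes both gaps: `if not re.search(r'^[a-zA-Z0-9_-]+\.conf\Z', configfile):`. The enclosing handler method starts and continues outside the hunk, so how `configfile` is decoded and joined to a directory is not visible here and should be checked against the same whitelist.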