Check filenames for --save-* for forbidden characters

[mimedecode.git] / mimedecode.py

diff --git a/mimedecode.py b/mimedecode.py
index 01f650563060eb085b6811295a8ee8ce267c2744..da63350485e7981713b88257bbccc12bb711efd2 100755 (executable)
--- a/mimedecode.py
+++ b/mimedecode.py
@@ -270,6 +270,12 @@ def _save_message(msg, outstring, save_headers=False, save_body=False):
     ):
         fname = msg.get_param(param, header=header)
         if fname:
+            try:
+                    for forbidden in chr(0), '/', '\\':
+                        if forbidden in fname:
+                            raise ValueError
+            except ValueError:
+                continue
             fname = '-' + fname
             break
     else:
@@ -279,7 +285,7 @@ def _save_message(msg, outstring, save_headers=False, save_body=False):
 
     global output
     save_output = output
-    outfile = open(os.path.join(g.destination_dir, fname), 'w')
+    outfile = open_output_file(fname)
     output = outfile.write
     if save_headers:
         output_headers(msg)
@@ -395,6 +401,19 @@ def decode_message(msg):
         output(msg.as_string())
 
 
+def open_output_file(filename):
+    fullpath = os.path.abspath(os.path.join(g.destination_dir, filename))
+    full_dir = os.path.dirname(fullpath)
+    create = not os.path.isdir(full_dir)
+    if create:
+        os.makedirs(full_dir)
+    try:
+        return open(fullpath, 'w')
+    except:
+        if create:
+            os.removedirs(full_dir)
+
+
 class GlobalOptions:
     from m_lib.defenc import default_encoding
     recode_charset = 1 # recode charset of message body
@@ -521,7 +540,7 @@ if __name__ == "__main__":
         g.input_filename = '-'
         infile = sys.stdin
         if g.output_filename:
-            outfile = open(os.path.join(g.destination_dir, g.output_filename), 'w')
+            outfile = open_output_file(g.output_filename)
         else:
             g.output_filename = '-'
             outfile = sys.stdout
@@ -534,7 +553,7 @@ if __name__ == "__main__":
             infile = open(arguments[0], 'r')
         if la == 1:
             if g.output_filename:
-                outfile = open(os.path.join(g.destination_dir, g.output_filename), 'w')
+                outfile = open_output_file(g.output_filename)
             else:
                 g.output_filename = '-'
                 outfile = sys.stdout
@@ -546,7 +565,7 @@ if __name__ == "__main__":
                 outfile = sys.stdout
             else:
                 g.output_filename = arguments[1]
-                outfile = open(os.path.join(g.destination_dir, g.output_filename), 'w')
+                outfile = open_output_file(g.output_filename)
     else:
         usage(1, 'Too many arguments')