From: Oleg Broytman Date: Sat, 15 Mar 2014 17:43:16 +0000 (+0400) Subject: Check filenames for --save-* for forbidden characters X-Git-Tag: v2.5.0~9 X-Git-Url: https://git.phdru.name/?p=mimedecode.git;a=commitdiff_plain;h=d7aac25395b00e62c5c79160b81dbfcb58f14bcd Check filenames for --save-* for forbidden characters --- diff --git a/TODO b/TODO index 17dc389..70b4158 100644 --- a/TODO +++ b/TODO @@ -1,6 +1,3 @@ -Check filenames for --save-* for forbidden characters. - - Add tests for --save-*. diff --git a/mimedecode.docbook b/mimedecode.docbook index d61acae..02ee7a5 100644 --- a/mimedecode.docbook +++ b/mimedecode.docbook 
@@ -521,16 +521,18 @@ the program always uses the default decoding. - The 3 save list options (--save-headers/body/message) are similar. They make - the program to save every non-multipart subpart (only headers, or body, or - the entire subpart) that corresponds to the given mask to a file. Before - saving the message (or the subpart) is decoded according to all other options - and placed to the output stream as usual. Filename for the file is created - using "filename" parameter from the Content-Disposition header, or "name" - parameter from the Content-Type header if one of those exist; a serial + The 3 save options (--save-headers/body/message) are similar. They make the + program to save every non-multipart subpart (only headers, or body, or the + entire subpart: headers + body) that corresponds to the given mask to a file. + Before saving the message (or the subpart) is decoded according to all other + options and placed to the output stream as usual. Filename for the file is + created using "filename" parameter from the Content-Disposition header, or + "name" parameter from the Content-Type header if one of those exist; a serial counter is prepended to the filename to avoid collisions; if there are no - name/filename parameters, the filename is just the serial counter. The file - is saved in the directory set with -O (default is the current directory). + name/filename parameters, or the name/filename parameters contain forbidden + characters (null, slash, backslash) the filename is just the serial counter. + The file is saved in the directory set with -O (default is the current + directory). diff --git a/mimedecode.py b/mimedecode.py index c1731d6..da63350 100755 --- a/mimedecode.py +++ b/mimedecode.py 
@@ -270,6 +270,12 @@ def _save_message(msg, outstring, save_headers=False, save_body=False): ): fname = msg.get_param(param, header=header) if fname: + try: + for forbidden in chr(0), '/', '\\': + if forbidden in fname: + raise ValueError + except ValueError: + continue fname = '-' + fname break else:
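Review bot: in the mimedecode.py hunk the forbidden-character test is written as a raise/except round-trip (`raise ValueError` inside the inner `for`, caught two lines later only to `continue`), which hides a plain membership check behind exception control flow; `if any(c in fname for c in (chr(0), '/', '\\')): continue` expresses the same rule in one line and avoids a bare `raise ValueError` with no message. The check itself is placed correctly, before the `'-' + fname` prefixing and the `break`, so a rejected value never reaches the filename; a short comment naming why null, slash and backslash are rejected (path separators and a C-string terminator) would help the next reader.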
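Review bot: the docbook hunk's new sentence, "if there are no name/filename parameters, or the name/filename parameters contain forbidden characters (null, slash, backslash) the filename is just the serial counter", does not match the code in the mimedecode.py hunk, where a rejected parameter triggers `continue` to the next `(param, header)` candidate, so a bad Content-Disposition `filename` can still be replaced by a clean Content-Type `name`; either document that the next candidate is tried, or change the code to fall through to the bare counter. While editing this paragraph, "They make the program to save" should read "They make the program save", and "Before saving the message (or the subpart) is decoded" needs a comma after "saving".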