Add a binding to shred. Rudimentary protection against shell injection.

author: jvoisin 2011-06-25 19:06:55 +0200
committer: jvoisin 2011-06-25 19:06:55 +0200
commit: 321b024daee08992495a80e2f998a5913c5b0a49 (patch)
tree: e2a26b8e3c411764b1aadb1878b2ee60103a5e0c /lib/mat.py
parent: 9ebc62273ec8abfc4520660597fa80fe3de40203 (diff)
1 files changed, 3 insertions, 6 deletions
diff --git a/lib/mat.py b/lib/mat.py
index 156c683..732dc25 100644
--- a/lib/mat.py
+++ b/lib/mat.py
@@ -31,20 +31,17 @@ def is_secure(filename):
    '''
        Prevent shell injection
    '''
-    if not(os.path.isfile(name)): #check if the file exist
+    if not(os.path.isfile(filename)): #check if the file exist
        print("Error: %s is not a valid file" % name)
        sys.exit(1)
-    filename.strip('\s') #separations
-    filename.strip('`') #injection `rm / -Rf`
-    filename.strip('\$(.*)')#injection $(rm / -Rf)
-    filename.strip(';')#injection $filename;rm / -Rf
 def create_class_file(name, backup):
    '''
        return a $FILETYPEStripper() class,
        corresponding to the filetype of the given file
    '''
-    #is_secure(name)
+    is_secure(name)
    filename = ""
    realname = name
author	jvoisin	2011-06-25 19:06:55 +0200
committer	jvoisin	2011-06-25 19:06:55 +0200
commit	321b024daee08992495a80e2f998a5913c5b0a49 (patch)
tree	e2a26b8e3c411764b1aadb1878b2ee60103a5e0c /lib/mat.py
parent	9ebc62273ec8abfc4520660597fa80fe3de40203 (diff)

diff --git a/lib/mat.py b/lib/mat.py index 156c683..732dc25 100644 --- a/lib/mat.py +++ b/lib/mat.py
@@ -31,20 +31,17 @@ def is_secure(filename):
31	'''	31	'''
32	Prevent shell injection	32	Prevent shell injection
33	'''	33	'''
34	if not(os.path.isfile(name)): #check if the file exist	34
		35	if not(os.path.isfile(filename)): #check if the file exist
35	print("Error: %s is not a valid file" % name)	36	print("Error: %s is not a valid file" % name)
36	sys.exit(1)	37	sys.exit(1)
37	filename.strip('\s') #separations
38	filename.strip('`') #injection `rm / -Rf`
39	filename.strip('\$(.*)')#injection $(rm / -Rf)
40	filename.strip(';')#injection $filename;rm / -Rf
41		38
42	def create_class_file(name, backup):	39	def create_class_file(name, backup):
43	'''	40	'''
44	return a $FILETYPEStripper() class,	41	return a $FILETYPEStripper() class,
45	corresponding to the filetype of the given file	42	corresponding to the filetype of the given file
46	'''	43	'''
47	#is_secure(name)	44	is_secure(name)
48		45
49	filename = ""	46	filename = ""
50	realname = name	47	realname = name