check-mirrors return-mirrorlist.py,1.2,1.3

Seth Vidal (skvidal) fedora-extras-commits at redhat.com
Tue Jul 11 15:05:44 UTC 2006


Author: skvidal

Update of /cvs/fedora/check-mirrors
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv662

Modified Files:
	return-mirrorlist.py 
Log Message:

- sanitize some of the input from the get strings - just for safety's sake -
thanks to Konstantin Ryabitsev for the suggestion of using
os.path.realpath()




Index: return-mirrorlist.py
===================================================================
RCS file: /cvs/fedora/check-mirrors/return-mirrorlist.py,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- return-mirrorlist.py	10 Jul 2006 21:09:22 -0000	1.2
+++ return-mirrorlist.py	11 Jul 2006 15:05:42 -0000	1.3
@@ -15,11 +15,17 @@
 # written by seth vidal - skvidal at fedoraproject.org
 
 
+debug = False
+
 # prettier errors
 print 'Content-type: text/plain'
 print
-import cgitb
-cgitb.enable()
+
+# the errors might be in broken html - but at least you aren't chasing
+# through logs for them.
+if debug:
+    import cgitb
+    cgitb.enable()
 
 __revision__ = '$Id$'
 CONFIG = '/etc/return-mirrorlist.conf'
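Review bot: the new comment above `if debug:` says errors shown in broken HTML beat chasing through logs, but with `debug = False` as the default the script now does the opposite, so the comment should say why tracebacks are off in normal operation (a cgitb page shows source lines and local variables to whoever made the request). Since the response is already sent as `Content-type: text/plain`, `cgitb.enable(format='text')` would avoid the broken HTML in debug mode, and `cgitb.enable(display=0, logdir=...)` with a directory of your choosing would keep tracebacks on disk without editing a constant in the source.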
@@ -114,6 +120,12 @@
         country = 'global'
 
     return_file = '%s/%s-%s-%s.txt' % (lists_path, repo, country, arch)
+    rp = os.path.realpath(return_file)
+    
+    if not rp.startswith(lists_path):
+        print "# someone is messing with the path via get-string %s not inside %s" % (rp, lists_path)
+        sys.exit()
+        
     if not os.path.exists(return_file):
         print '# no file found for repo = %s, country = %s, arch = %s' % (repo, country,arch)
     
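Review bot: `rp.startswith(lists_path)` is a plain string prefix test, so a resolved path in a sibling directory whose name merely begins with the same characters as `lists_path` passes it, and because `lists_path` itself is not run through `os.path.realpath()`, a `lists_path` that is or contains a symlink will reject legitimate files. Compare against `os.path.realpath(lists_path) + os.sep` instead, and use `rp` rather than `return_file` in the `os.path.exists()` check that follows so the path that was validated is the path that gets used. The message also prints the resolved path and `lists_path` back to the requester; a generic error to the client with the detail written to the server log would avoid disclosing the filesystem layout.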



