From abfa5d90a2c7ae6d92b58813afa2d0fb258ca320 Mon Sep 17 00:00:00 2001 From: Lucas Di Pentima Date: Fri, 23 Jun 2017 17:59:06 -0300 Subject: [PATCH] 11789: Path exclude patterns validation and fixes. Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima --- sdk/python/arvados/commands/put.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sdk/python/arvados/commands/put.py b/sdk/python/arvados/commands/put.py index 048e4125f3..7e961b7ddd 100644 --- a/sdk/python/arvados/commands/put.py +++ b/sdk/python/arvados/commands/put.py @@ -907,7 +907,8 @@ _machine_format = "{} {}: {{}} written {{}} total\n".format(sys.argv[0], # so instead we're using it on every path component. def pathname_match(pathname, pattern): name = pathname.split(os.sep) - pat = pattern.split(os.sep) + # Fix patterns like 'some/subdir/' or 'some//subdir' + pat = [x for x in pattern.split(os.sep) if x != ''] if len(name) != len(pat): return False for i in range(len(name)): @@ -996,15 +997,23 @@ def main(arguments=None, stdout=sys.stdout, stderr=sys.stderr): exclude_names = None if len(args.exclude) > 0: # We're supporting 2 kinds of exclusion patterns: - # 1) --exclude '*.jpg' (file/dir name patterns, will only match the name) - # 2) --exclude 'foo/bar' (file/dir path patterns, will match the entire path, - # and should be relative to any input dir argument) + # 1) --exclude '*.jpg' (file/dir name patterns, will only match + # the name) + # 2) --exclude 'foo/bar' (file/dir path patterns, will match the + # entire path, and should be relative to + # any input dir argument) for p in args.exclude: # Only relative paths patterns allowed if p.startswith(os.sep): logger.error("Cannot use absolute paths with --exclude") sys.exit(1) if os.path.dirname(p): + # We don't support of path patterns with '.' or '..' + p_parts = p.split(os.sep) + if '.' in p_parts or '..' in p_parts: + logger.error( + "Cannot use path patterns that include '.' or '..") + sys.exit(1) # Path search pattern exclude_paths.append(p) else: -- 2.30.2