prevents path escaping with '..'

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9772 20353a03-c40f-0410-a6d1-a30d3c3de9de

prevents path escaping with '..'
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9772 20353a03-c40f-0410-a6d1-a30d3c3de9de
203a4fa4 · Alexandre Boeglin · c0f07076 · 203a4fa4
Commit 203a4fa4 authored Sep 08, 2006 by Alexandre Boeglin
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

product/ERP5Subversion/Tool/SubversionTool.py product/ERP5Subversion/Tool/SubversionTool.py +6 -4

No files found.
--- a/product/ERP5Subversion/Tool/SubversionTool.py
+++ b/product/ERP5Subversion/Tool/SubversionTool.py
@@ -733,10 +733,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder):
  def _getWorkingPath(self, path):
    """ Check if the given path is reachable (allowed)
    """
-    if not path.startswith(self.top_working_path) and \
-        not path.startswith(gettempdir()):
-      raise UnauthorizedAccessToPath, 'Unauthorized access to path %s. It is NOT in your Zope home instance.' % path
-    return path
+    real_path = os.path.abspath(path)
+    if not real_path.startswith(self.top_working_path) and \
+        not real_path.startswith(gettempdir()):
+      raise UnauthorizedAccessToPath, 'Unauthorized access to path %s. It is '
+        'NOT in your Zope home instance.' % real_path
+    return real_path
    
  security.declareProtected('Import/Export objects', 'update')
  def update(self, business_template):