80 lines
2.5 KiB
Diff
80 lines
2.5 KiB
Diff
From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
|
|
From: Aarni Koskela <akx@iki.fi>
|
|
Date: Wed, 28 Apr 2021 10:33:40 +0300
|
|
Subject: [PATCH] Run locale identifiers through `os.path.basename()`
|
|
|
|
---
|
|
babel/localedata.py | 2 ++
|
|
tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
|
|
2 files changed, 31 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/babel/localedata.py b/babel/localedata.py
|
|
index f4771d1f..11085490 100644
|
|
--- a/babel/localedata.py
|
|
+++ b/babel/localedata.py
|
|
@@ -47,6 +47,7 @@ def exists(name):
|
|
"""
|
|
if not name or not isinstance(name, string_types):
|
|
return False
|
|
+ name = os.path.basename(name)
|
|
if name in _cache:
|
|
return True
|
|
file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
|
|
@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
|
|
:raise `IOError`: if no locale data file is found for the given locale
|
|
identifer, or one of the locales it inherits from
|
|
"""
|
|
+ name = os.path.basename(name)
|
|
_cache_lock.acquire()
|
|
try:
|
|
data = _cache.get(name)
|
|
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
|
|
index 83cd6699..9cb4282e 100644
|
|
--- a/tests/test_localedata.py
|
|
+++ b/tests/test_localedata.py
|
|
@@ -11,11 +11,17 @@
|
|
# individuals. For the exact contribution history, see the revision
|
|
# history and logs, available at http://babel.edgewall.org/log/.
|
|
|
|
+import os
|
|
+import pickle
|
|
+import sys
|
|
+import tempfile
|
|
import unittest
|
|
import random
|
|
from operator import methodcaller
|
|
|
|
-from babel import localedata
|
|
+import pytest
|
|
+
|
|
+from babel import localedata, Locale, UnknownLocaleError
|
|
|
|
|
|
class MergeResolveTestCase(unittest.TestCase):
|
|
@@ -131,3 +137,25 @@ def listdir_spy(*args):
|
|
localedata.locale_identifiers.cache = None
|
|
assert localedata.locale_identifiers()
|
|
assert len(listdir_calls) == 2
|
|
+
|
|
+
|
|
+def test_locale_name_cleanup():
|
|
+ """
|
|
+ Test that locale identifiers are cleaned up to avoid directory traversal.
|
|
+ """
|
|
+ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
|
|
+ with open(no_exist_name, "wb") as f:
|
|
+ pickle.dump({}, f)
|
|
+
|
|
+ try:
|
|
+ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
|
|
+ except ValueError:
|
|
+ if sys.platform == "win32":
|
|
+ pytest.skip("unable to form relpath")
|
|
+ raise
|
|
+
|
|
+ assert not localedata.exists(name)
|
|
+ with pytest.raises(IOError):
|
|
+ localedata.load(name)
|
|
+ with pytest.raises(UnknownLocaleError):
|
|
+ Locale(name)
|