-rw-r--r-- | README.md | 6 | ||||
-rwxr-xr-x | lorry.raw-file-importer | 18 |
2 files changed, 12 insertions, 12 deletions
@@ -289,8 +289,10 @@ will be tagged as 'bkai00mp.ttf') Lorry can store raw files in a git LFS repository, which may allow your git server to serve those files via its repository browser. -For convenience, raw file lorries can specify multiple sources to store in the same repository. -Each raw file will be stored under a subpath corresponding to the source name. +For convenience, raw file lorries can specify multiple sources to store in the +same repository. Each raw file will be stored under a subpath corresponding to +the source name, specify `.` to store the raw file at the root of the +repository. { "raw-file-repo": { diff --git a/lorry.raw-file-importer b/lorry.raw-file-importer index caaa8c9..bdb006e 100755 --- a/lorry.raw-file-importer +++ b/lorry.raw-file-importer @@ -60,10 +60,11 @@ def commit_lfs_file(raw_file, relative_path, last_commit, fast_import): # Commit the data to master commit_time = int(time.time()) basename = os.path.basename(raw_file) - if relative_path: - path = '{}/{}'.format(relative_path, basename) - else: - path = basename + # Ensure we don't allow directory traversal + path = os.path.relpath(os.path.join(relative_path, basename)) + if path[0:3] == "../": + print("error: unsafe path: {}".format(path), file=sys.stderr) + sys.exit(1) fromline = 'from {}\n'.format(last_commit) if last_commit else '' @@ -104,15 +105,12 @@ def get_last_commit(): def main(): - if len(sys.argv) < 2 or len(sys.argv) > 3: - print('usage:', sys.argv[0], '<file>', '[<relative path>]') + if len(sys.argv) != 3: + print('usage:', sys.argv[0], '<file>', '<relative path>') sys.exit(1) raw_file = sys.argv[1] - if len(sys.argv) < 3: - relpath = None - else: - relpath = sys.argv[2] + relpath = sys.argv[2] last_commit = get_last_commit() with subprocess.Popen('git fast-import --quiet', shell=True, |
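Review bot: The guard `path[0:3] == "../"` in commit_lfs_file does not reject a result of exactly `..`, which is what `os.path.relpath` returns when the joined path normalises to the parent directory itself, so that value would pass the check. Comparing against both forms closes the gap: `if path == os.pardir or path.startswith(os.pardir + os.sep):`. `os.path.relpath` also resolves against the process working directory, so the check assumes the importer is run from the repository root; a one-line comment stating that assumption would help the next reader. The function body continues outside the hunk, so how `path` is later written into the fast-import stream is not visible here.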
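Review bot: The usage message in main() still goes to stdout, while the unsafe-path error added in commit_lfs_file goes to stderr; both are failure paths that exit with status 1 and should report the same way, e.g. `print('usage:', sys.argv[0], '<file>', '<relative path>', file=sys.stderr)`. The relative path is now mandatory, and the diffstat shows no caller being changed in this commit, so it is worth confirming that every existing invocation already passes both arguments. main() continues outside the hunk.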