diff options
| author | Aarni Koskela <akx@iki.fi> | 2021-04-28 10:33:40 +0300 |
|---|---|---|
| committer | Aarni Koskela <akx@iki.fi> | 2021-04-28 10:38:33 +0300 |
| commit | 3a700b5b8b53606fd98ef8294a56f9510f7290f8 (patch) | |
| tree | b434dd471169778995b7177a41b580935607155d | |
| parent | 5afe2b2f11dcdd6090c00231d342c2e9cd1bdaab (diff) | |
| download | babel-3a700b5b8b53606fd98ef8294a56f9510f7290f8.tar.gz | |
Run locale identifiers through `os.path.basename()`
| -rw-r--r-- | babel/localedata.py | 2 | ||||
| -rw-r--r-- | tests/test_localedata.py | 30 |
2 files changed, 31 insertions, 1 deletions
diff --git a/babel/localedata.py b/babel/localedata.py index f4771d1..1108549 100644 --- a/babel/localedata.py +++ b/babel/localedata.py @@ -47,6 +47,7 @@ def exists(name): """ if not name or not isinstance(name, string_types): return False + name = os.path.basename(name) if name in _cache: return True file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) @@ -102,6 +103,7 @@ def load(name, merge_inherited=True): :raise `IOError`: if no locale data file is found for the given locale identifer, or one of the locales it inherits from """ + name = os.path.basename(name) _cache_lock.acquire() try: data = _cache.get(name) diff --git a/tests/test_localedata.py b/tests/test_localedata.py index 83cd669..9cb4282 100644 --- a/tests/test_localedata.py +++ b/tests/test_localedata.py @@ -11,11 +11,17 @@ # individuals. For the exact contribution history, see the revision # history and logs, available at http://babel.edgewall.org/log/. +import os +import pickle +import sys +import tempfile import unittest import random from operator import methodcaller -from babel import localedata +import pytest + +from babel import localedata, Locale, UnknownLocaleError class MergeResolveTestCase(unittest.TestCase): @@ -131,3 +137,25 @@ def test_locale_identifiers_cache(monkeypatch): localedata.locale_identifiers.cache = None assert localedata.locale_identifiers() assert len(listdir_calls) == 2 + + +def test_locale_name_cleanup(): + """ + Test that locale identifiers are cleaned up to avoid directory traversal. + """ + no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999)) + with open(no_exist_name, "wb") as f: + pickle.dump({}, f) + + try: + name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0] + except ValueError: + if sys.platform == "win32": + pytest.skip("unable to form relpath") + raise + + assert not localedata.exists(name) + with pytest.raises(IOError): + localedata.load(name) + with pytest.raises(UnknownLocaleError): + Locale(name) |