Python has a suite of facilities exactly for this very kind of problem.
Literally, the solution is "os.path.abspath(filename).startswith(os.path.abspath(dlfolder))"
This should, in all cases, return true if the filename is within the download folder directory, and false for any other case.
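As an added example (not code from the thread or the project being discussed), the abspath-prefix check quoted above next to a separator-aware variant, which goes one step further and also rejects a sibling directory that merely shares the prefix; the download folder path is a constructed sample.

```python
import os

# Constructed sample download folder (not a real path from the thread).
DLFOLDER = os.path.join(os.sep, "srv", "dl")


def prefix_check(dlfolder, filename):
    """The check exactly as quoted in the comment: plain prefix comparison."""
    return os.path.abspath(filename).startswith(os.path.abspath(dlfolder))


def is_within(dlfolder, filename):
    """Separator-aware containment: the candidate must resolve to the
    download folder itself or to something strictly below it, so a
    sibling such as <dlfolder>_private is not accepted by accident.
    (os.path.realpath instead of abspath would also follow symlinks.)"""
    base = os.path.abspath(dlfolder)
    target = os.path.abspath(filename)
    return target == base or target.startswith(base + os.sep)


def safe_join(dlfolder, user_path):
    """Join a user-supplied relative path onto the download folder and
    return the absolute result, or raise ValueError if it escapes.
    Absolute user paths are caught too: os.path.join discards the base
    when the second argument is absolute, and is_within then rejects it."""
    candidate = os.path.join(dlfolder, user_path)
    if not is_within(dlfolder, candidate):
        raise ValueError("path escapes download folder: %r" % user_path)
    return os.path.abspath(candidate)


if __name__ == "__main__":
    for p in ("report.txt", "../etc/passwd", "sub/../../x"):
        try:
            print(p, "->", safe_join(DLFOLDER, p))
        except ValueError as e:
            print(p, "-> rejected:", e)
```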
Apparently this code was copied from stdlib, including a different directory traversal bug on Windows:

import os
import posixpath
try:
    from urllib import unquote        # Python 2
except ImportError:
    from urllib.parse import unquote  # Python 3

def translate_path(self, path):
    """Translate a /-separated PATH to the local filename syntax.

    Components that mean special things to the local file system
    (e.g. drive or directory names) are ignored. (XXX They should
    probably be diagnosed.)
    """
    # abandon query parameters
    path = path.split('?', 1)[0]
    path = path.split('#', 1)[0]
    path = posixpath.normpath(unquote(path))
    words = path.split('/')
    words = filter(None, words)
    # rebuild the local path one component at a time, starting at cwd
    path = os.getcwd()
    for word in words:
        drive, word = os.path.splitdrive(word)
        head, word = os.path.split(word)
        if word in (os.curdir, os.pardir):
            continue
        path = os.path.join(path, word)
    return path
I assumed that the script would not be restarted, but you're totally right.
Thanks for the comment :)
I have a feeling that only works on python2 because of absolute imports on python3.
However, you're right that overwriting the source is a possible attack vector.
thanks for commenting!
I had cronjobs in mind, but as you said, they are not writeable.
I also thought about uploading a .py file with an import's name, but wouldn't that require a __init__.py (in a subdirectory?) to be regarded as a valid module/import by python?
I thought the amount of forks and stars warrants a short writeup.