import os
import posixpath
import urllib  # Python 2: urllib.unquote (this is the Python 2 SimpleHTTPServer method)

def translate_path(self, path):
    """Translate a /-separated PATH to the local filename syntax.
    Components that mean special things to the local file system
    (e.g. drive or directory names) are ignored. (XXX They should
    probably be diagnosed.)
    """
    # abandon query parameters
    path = path.split('?', 1)[0]
    path = path.split('#', 1)[0]
    # percent-decode, then collapse '.' and '..' at the URL level
    path = posixpath.normpath(urllib.unquote(path))
    words = path.split('/')
    words = filter(None, words)
    # every request is rooted at the current working directory
    path = os.getcwd()
    for word in words:
        # strip drive letters and any OS-level directory part from the component
        drive, word = os.path.splitdrive(word)
        head, word = os.path.split(word)
        # drop any '.' or '..' that survived normpath
        if word in (os.curdir, os.pardir): continue
        path = os.path.join(path, word)
    return path
Apparently the upload directory is the same as the script directory, which is not good. If you upload a file named "cgi.py", it will be imported next time someone runs the script. No directory traversal needed to exploit this.
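To see concretely where the translate_path method quoted above sends traversal-shaped requests, here is an added Python 3 port of it (example code written for this thread, not the stdlib method itself or any commenter's code). It takes the base directory as a parameter instead of calling os.getcwd(), and the request paths it maps are constructed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote


def translate_path(path, base):
    """Python 3 port of SimpleHTTPServer.translate_path (added example):
    map a URL path to a file below `base` the way the stdlib method does."""
    # abandon query parameters and fragments
    path = path.split('?', 1)[0]
    path = path.split('#', 1)[0]
    # percent-decode first, then collapse '.' and '..' at the URL level;
    # on an absolute POSIX path normpath discards '..' that would go above '/'
    path = posixpath.normpath(unquote(path))
    words = [w for w in path.split('/') if w]
    result = base
    for word in words:
        # strip drive letters and any OS-level directory part
        _drive, word = os.path.splitdrive(word)
        _head, word = os.path.split(word)
        # second line of defence: drop any '.' / '..' that survived normpath
        # (a relative request such as '../x' keeps its '..' through normpath)
        if word in (os.curdir, os.pardir):
            continue
        result = os.path.join(result, word)
    return result


def where_requests_land(base="/srv/www"):
    """Map a few constructed request paths to the local file they resolve to."""
    requests = [
        "/index.html",                 # ordinary file
        "/../../etc/passwd",           # traversal collapsed by normpath
        "/%2e%2e/%2e%2e/etc/passwd",   # encoded traversal, decoded before normpath
        "/docs/../cgi.py?x=1#frag",    # query and fragment dropped, '..' collapsed
        "../secret",                   # relative: '..' skipped by the pardir check
    ]
    return {r: translate_path(r, base) for r in requests}


if __name__ == "__main__":
    for req, local in where_requests_land().items():
        print("%-30s -> %s" % (req, local))
```

Every one of the traversal-shaped requests ends up under the base directory, which is why the thread's point is not traversal: the problem described is that the base directory itself doubles as the upload location and the script directory.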
>Upload a .py file to the untrusted directory that has the same name as one of the imports used in the Python script. It will be executed the next time Python is called by the script, so you don't need to wait for interactivity on the admin's part
I have a feeling that only works on python2 because of absolute imports on python3.
I had cronjobs in mind, but as you said, they are not writeable.
I also thought about uploading a .py file with an import's name, but wouldn't that require a __init__.py (in a subdirectory?) to be regarded as a valid module/import by python?
..... WHAT?
Python has a suite of facilities exactly for this very kind of problem.
Literally, the solution is "os.path.abspath(filename).startswith(os.path.abspath(dlfolder))"
This should, in all cases, return true if the filename is within the download folder directory, and false for any other case.
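As an added example (not the commenter's code), here is the startswith check from the comment above next to a stricter containment check, run over constructed paths. The stricter variant goes beyond the comment in two ways: it resolves symlinks with os.path.realpath, and it uses os.path.commonpath rather than a string prefix, so a sibling directory whose name merely begins with the download folder's name (e.g. "downloads_old" beside "downloads") is not accepted. The folder "/srv/downloads" is a made-up path and does not need to exist.

```python
import os


def naive_inside(filename, dlfolder):
    """The plain prefix check as proposed in the comment above."""
    return os.path.abspath(filename).startswith(os.path.abspath(dlfolder))


def inside_folder(filename, dlfolder):
    """Stricter containment check (added example, not the commenter's code).

    Both paths are resolved with realpath so a symlink inside the folder that
    points elsewhere is judged by its target, and commonpath demands that the
    folder itself is the shared prefix, component by component, not just a
    matching run of characters. commonpath raises ValueError when the paths
    are on different drives (Windows) or mix absolute and relative forms;
    either case is treated as 'outside'.
    """
    folder = os.path.realpath(dlfolder)
    target = os.path.realpath(filename)
    try:
        return os.path.commonpath([folder, target]) == folder
    except ValueError:
        return False


def compare_checks(dlfolder="/srv/downloads"):
    """Run both checks over constructed candidate paths.

    Returns {candidate: (naive_result, strict_result)}.
    """
    candidates = [
        "/srv/downloads/report.pdf",       # genuinely inside the folder
        "/srv/downloads/../etc/passwd",    # traversal; abspath/realpath normalise it away
        "/srv/downloads_old/report.pdf",   # sibling directory sharing the name prefix
        "/srv/downloadsx",                 # sibling file sharing the name prefix
    ]
    return {c: (naive_inside(c, dlfolder), inside_folder(c, dlfolder))
            for c in candidates}


if __name__ == "__main__":
    for path, (naive, strict) in compare_checks().items():
        print("%-32s startswith=%-5s commonpath=%s" % (path, naive, strict))
```

The prefix check correctly rejects the "..": traversal because abspath normalises it before the comparison, but it accepts the two sibling entries, which the commonpath check rejects. If the download folder path is guaranteed to end with os.sep, the prefix check behaves the same as commonpath for this case; the commonpath form simply does not depend on that convention.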