Add basename for file name in download manager
Added getting the basename for the output file name in
download manager. This is to prevent any security holes
that would let the user out of the FLASH_DOWNLOAD_PATH dir.
(e.g. passing a file name of ../etc/shadow)
Resolves openbmc/openbmc#1898
Change-Id: Ie33fe56599e86c29da4b2eae8ef070f0866d054c
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
diff --git a/pydownloadmgr/download_manager.py b/pydownloadmgr/download_manager.py
index 3cc9f28..7ba80ca 100644
--- a/pydownloadmgr/download_manager.py
+++ b/pydownloadmgr/download_manager.py
@@ -1,5 +1,6 @@
#!/usr/bin/env python
+import os
import gobject
import dbus
import dbus.service
@@ -40,7 +41,7 @@
try:
filename = str(filename)
print "Downloading: "+filename+" from "+ip
- outfile = FLASH_DOWNLOAD_PATH+"/"+filename
+ outfile = FLASH_DOWNLOAD_PATH+"/"+os.path.basename(filename)
rc = subprocess.call(
["tftp", "-l", outfile, "-r", filename, "-g", ip])
if (rc == 0):
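Review bot: `os.path.basename(filename)` on new line 44 can still return something that is not a plain file name: it gives an empty string for an empty `filename` or one ending in `/`, and it returns `..` unchanged, so `outfile` ends up naming the download directory itself or its parent. tftp will most likely just fail on such a target, but the check is explicit if the name is computed once and validated, e.g. `name = os.path.basename(filename)` followed by `if name in ("", ".", ".."): raise ValueError("invalid file name")`. How the surrounding `try` reports that exception is outside the hunk, so confirm it surfaces as a download failure. The same applies to the identical change on new line 62 in the next hunk; the enclosing function starts and ends outside this one.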
@@ -58,7 +59,7 @@
try:
filename = str(filename)
print "Downloading: "+filename+" from "+url
- outfile = FLASH_DOWNLOAD_PATH+"/"+filename
+ outfile = FLASH_DOWNLOAD_PATH+"/"+os.path.basename(filename)
subprocess.call(
["tftp", "-l", outfile, "-r", filename, "-g", url])
obj = bus.get_object("org.openbmc.control.Flash", path)
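Review bot: The return code of `subprocess.call` is discarded in this download path, while the path in the previous hunk stores it in `rc` and tests `rc == 0`. Now that `outfile` is flattened to a basename, different remote paths can map to the same local file, so after a failed transfer a file left by an earlier download with that name may still sit at `outfile` when the `org.openbmc.control.Flash` object is fetched. Whether that file is then used is outside the hunk. Suggest `rc = subprocess.call(...)` and making the Flash call only when `rc == 0`. The enclosing function continues past the hunk.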