From 79159a72de9943534893e7840ce9a93d5e36f310 Mon Sep 17 00:00:00 2001
From: "anthony.boulmier" <anthony.boulmier@hesge.ch>
Date: Tue, 20 Sep 2016 10:02:14 +0200
Subject: [PATCH] security update
---
 TP1/rest/rest-server.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/TP1/rest/rest-server.py b/TP1/rest/rest-server.py
index 56583a9..6686dd9 100644
--- a/TP1/rest/rest-server.py
+++ b/TP1/rest/rest-server.py
@@ -1,5 +1,6 @@
-from flask import Flask, request, jsonify
 import argparse
+import re
+from flask import Flask, request, jsonify
 from os.path import expanduser, join, isdir, abspath
 from os import listdir
@@ -10,6 +11,7 @@ main_directory = None
 @app.route('/list/<path:relative_directory>')
 def list(relative_directory):
 global main_directory
+ relative_directory = re.sub('\.+', '.', relative_directory)
 target_directory = join(main_directory, relative_directory) if relative_directory != '.' else main_directory
 dirs = listdir(target_directory)
 s = [d for d in dirs if isdir(d)]
@@ -19,17 +21,17 @@ def list(relative_directory):
 @app.route('/get/<path:relative_path>')
 def get(relative_path):
 global main_directory
+ relative_path = re.sub('\.+', '.', relative_path)
 with open(join(main_directory,relative_path), 'r') as f:
 data = f.read()
 return jsonify(dir=main_directory, file=relative_path, data=data)
 @app.route('/put', methods=['POST'])
 def put():
- from pprint import pprint
-
+ global main_directory
 relative_path = request.json['destination']
+ relative_path = re.sub('\.+', '.', relative_path)
 data = request.json['data']
- global main_directory
 new_file = join(main_directory, relative_path)
 try:
 with open(new_file, 'w+') as f:
-- 
GitLab
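Review bot: The `re.sub('\.+', '.', relative_directory)` added at the top of `list` filters one spelling of traversal instead of checking where the joined path ends up, and the same line is repeated in `get` and `put`. It silently rewrites legitimate names that contain consecutive dots, and nothing afterwards verifies that `target_directory` is still inside `main_directory` (a symlink under the root, for instance, is followed as-is). I would drop the regex and resolve the path once in a shared helper that rejects anything outside the root, as sketched below; it needs `realpath` and `commonpath` added to the existing `from os.path import …` line. If the regex stays, write the pattern as a raw string, `r'\.+'`, since `'\.'` is an invalid escape in a normal literal. The body of `list` continues past the end of this hunk.

```python
def resolve_under_root(relative):
    # Resolve symlinks and '..' first, then require the result to stay under the root.
    root = realpath(main_directory)
    target = realpath(join(root, relative))
    if commonpath([root, target]) != root:
        # Callers should turn this into a 4xx response rather than a 500.
        raise ValueError('path escapes main_directory')
    return target

@app.route('/list/<path:relative_directory>')
def list(relative_directory):
    target_directory = resolve_under_root(relative_directory)
    # … unchanged: listdir and the response …
```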
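Review bot: In `put`, `destination` is read from the JSON body and can therefore be any string, including an absolute path, and `join(main_directory, relative_path)` returns an absolute component unchanged, discarding `main_directory`; collapsing dots does not affect that. Because this handler opens the result with `'w+'`, the write target is effectively unconstrained by the root. Reject absolute values before the join and confirm the resolved path is under the root, e.g. `if isabs(relative_path): return jsonify(error='invalid destination'), 400` (with `isabs` imported from `os.path`). `put` continues beyond the last line of this hunk, so the error handling around `open` is not visible here.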