From 4851ab786896f4cc34e63ac6508bd2dcb5d6d0c8 Mon Sep 17 00:00:00 2001
From: Aarni Koskela
Date: Wed, 28 Apr 2021 10:33:40 +0300
Subject: [PATCH] Run locale identifiers through `os.path.basename()`
---
 babel/localedata.py | 2 ++
 tests/test_localedata.py | 24 +++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/babel/localedata.py b/babel/localedata.py
index f4771d1fd..11085490a 100644
--- a/babel/localedata.py
+++ b/babel/localedata.py
@@ -47,6 +47,7 @@ def exists(name):
 """
 if not name or not isinstance(name, string_types):
 return False
+ name = os.path.basename(name)
 if name in _cache:
 return True
 file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
 :raise `IOError`: if no locale data file is found for the given locale identifer, or one of the locales it inherits from
 """
+ name = os.path.basename(name)
 _cache_lock.acquire()
 try:
 data = _cache.get(name)
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
index 83cd66994..353bb6237 100644
--- a/tests/test_localedata.py
+++ b/tests/test_localedata.py
@@ -11,11 +11,16 @@
 # individuals. For the exact contribution history, see the revision
 # history and logs, available at http://babel.edgewall.org/log/.
+import os
+import pickle
+import tempfile
 import unittest
 import random
 from operator import methodcaller
-from babel import localedata
+import pytest
+
+from babel import localedata, Locale, UnknownLocaleError
 class MergeResolveTestCase(unittest.TestCase):
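Review bot: In `exists`, the added `name = os.path.basename(name)` rewrites a path-shaped identifier instead of rejecting it, so an input like `../../somewhere/en_US` is silently treated as `en_US` and reported as existing; the same normalisation is applied in `load` in the next hunk. The caller still holds the original string, so any later code that reuses it is not covered by this change. Rejecting would be stricter: `if os.path.basename(name) != name: return False`. If normalising is the intended behaviour, a short comment would record why, e.g. `# Strip directory components: name is interpolated into a data-file path below.` The body of `exists` continues outside the hunk.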
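Review bot: The sanitising line is now duplicated in `exists` and `load`, and nothing stops a future call site that builds a `'%s.dat' % name` path from omitting it. Consider moving the basename step and the `os.path.join(_dirname, ...)` call into one private helper that both functions use, so the path can only be produced from a cleaned identifier. Separately, `os.path.basename(name)` runs here before any type check, so a non-string `name` would presumably fail inside `basename` with a type-related error rather than the `IOError` the docstring documents; `exists` guards this with its `isinstance` test, `load` does not. The rest of `load`, including where the data file is opened, is outside the hunk.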
@@ -131,3 +136,20 @@ def listdir_spy(*args):
 localedata.locale_identifiers.cache = None
 assert localedata.locale_identifiers()
 assert len(listdir_calls) == 2
+
+
+def test_locale_name_cleanup():
+ """
+ Test that locale identifiers are cleaned up to avoid directory traversal.
+ """
+ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
+ with open(no_exist_name, "wb") as f:
+ pickle.dump({}, f)
+
+ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
+
+ assert not localedata.exists(name)
+ with pytest.raises(IOError):
+ localedata.load(name)
+ with pytest.raises(UnknownLocaleError):
+ Locale(name)
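Review bot: `test_locale_name_cleanup` creates `babel<random>.dat` directly in the shared temp directory under a guessable name and never removes it, so every run leaves a pickle file behind and the `open(..., "wb")` can land on a pre-existing path. Using pytest's per-test temp directory avoids both: take the `tmpdir` fixture and build the path as `no_exist_name = str(tmpdir.join("babel_traversal.dat"))`. The variable name is also misleading, since the file does exist; it is the locale that must not. `os.path.relpath` can raise `ValueError` on Windows when the temp directory and the package are on different drives, which would error the test before any assertion runs. A second case with a traversal prefix in front of a real locale basename would pin whether such names are meant to be accepted.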