GitHub/Anki
1
0
Fork 0
mirror of https://github.com/ankitects/anki.git synced 2025-09-20 15:02:21 -04:00
Code Issues Projects Releases Packages 1 Wiki Activity Actions

catch attempts to write outside the media folder

Browse source 
big thanks to David Bailey for discovering this
This commit is contained in:
Damien Elmes 2017-08-16 21:08:46 +10:00
parent 194c02ed16
commit 375c071a26
1 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
anki/importing/apkg.py
View file

@ -19,16 +19,20 @@ class AnkiPackageImporter(Anki2Importer):
# we need the media dict in advance, and we'll need a map of fname -> # we need the media dict in advance, and we'll need a map of fname ->
# number to use during the import # number to use during the import
self.nameToNum = {} self.nameToNum = {}
dir = self.col.media.dir()
for k, v in list(json.loads(z.read("media").decode("utf8")).items()): for k, v in list(json.loads(z.read("media").decode("utf8")).items()):
self.nameToNum[v] = k path = os.path.abspath(os.path.join(dir, v))
if os.path.commonprefix([path, dir]) != dir:
raise Exception("Invalid file")
self.nameToNum[v] = unicodedata.normalize("NFC", k)
# run anki2 importer # run anki2 importer
Anki2Importer.run(self) Anki2Importer.run(self)
# import static media # import static media
for file, c in list(self.nameToNum.items()): for file, c in list(self.nameToNum.items()):
if not file.startswith("_") and not file.startswith("latex-"): if not file.startswith("_") and not file.startswith("latex-"):
continue continue
path = os.path.join(self.col.media.dir(), path = os.path.join(self.col.media.dir(), file)
unicodedata.normalize("NFC", file))
if not os.path.exists(path): if not os.path.exists(path):
open(path, "wb").write(z.read(c)) open(path, "wb").write(z.read(c))