|
 |
85b5f8 |
diff --git a/babel/localedata.py b/babel/localedata.py
|
|
|
85b5f8 |
index 4b6d3b6..080b723 100644
|
|
|
85b5f8 |
--- a/babel/localedata.py
|
|
|
85b5f8 |
+++ b/babel/localedata.py
|
|
|
85b5f8 |
@@ -13,6 +13,8 @@
|
|
|
85b5f8 |
"""
|
|
|
85b5f8 |
|
|
|
85b5f8 |
import os
|
|
|
85b5f8 |
+import re
|
|
|
85b5f8 |
+import sys
|
|
|
85b5f8 |
import threading
|
|
|
85b5f8 |
from collections import MutableMapping
|
|
|
85b5f8 |
from itertools import chain
|
|
|
85b5f8 |
@@ -33,6 +35,7 @@ def get_base_dir():
|
|
|
85b5f8 |
_cache = {}
|
|
|
85b5f8 |
_cache_lock = threading.RLock()
|
|
|
85b5f8 |
_dirname = os.path.join(get_base_dir(), 'locale-data')
|
|
|
85b5f8 |
+_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
|
|
|
85b5f8 |
|
|
|
85b5f8 |
|
|
|
85b5f8 |
def normalize_locale(name):
|
|
|
85b5f8 |
@@ -49,6 +52,22 @@ def normalize_locale(name):
|
|
|
85b5f8 |
return locale_id
|
|
|
85b5f8 |
|
|
|
85b5f8 |
|
|
|
85b5f8 |
+def resolve_locale_filename(name):
|
|
|
85b5f8 |
+ """
|
|
|
85b5f8 |
+ Resolve a locale identifier to a `.dat` path on disk.
|
|
|
85b5f8 |
+ """
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+ # Clean up any possible relative paths.
|
|
|
85b5f8 |
+ name = os.path.basename(name)
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+ # Ensure we're not left with one of the Windows reserved names.
|
|
|
85b5f8 |
+ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
|
|
|
85b5f8 |
+ raise ValueError("Name %s is invalid on Windows" % name)
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+ # Build the path.
|
|
|
85b5f8 |
+ return os.path.join(_dirname, '%s.dat' % name)
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
def exists(name):
|
|
|
85b5f8 |
"""Check whether locale data is available for the given locale.
|
|
|
85b5f8 |
|
|
|
85b5f8 |
@@ -60,7 +79,7 @@ def exists(name):
|
|
|
85b5f8 |
return False
|
|
|
85b5f8 |
if name in _cache:
|
|
|
85b5f8 |
return True
|
|
|
85b5f8 |
- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
|
|
|
85b5f8 |
+ file_found = os.path.exists(resolve_locale_filename(name))
|
|
|
85b5f8 |
return True if file_found else bool(normalize_locale(name))
|
|
|
85b5f8 |
|
|
|
85b5f8 |
|
|
|
85b5f8 |
@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
|
|
|
85b5f8 |
:raise `IOError`: if no locale data file is found for the given locale
|
|
|
85b5f8 |
identifer, or one of the locales it inherits from
|
|
|
85b5f8 |
"""
|
|
|
85b5f8 |
+ name = os.path.basename(name)
|
|
|
85b5f8 |
_cache_lock.acquire()
|
|
|
85b5f8 |
try:
|
|
|
85b5f8 |
data = _cache.get(name)
|
|
|
85b5f8 |
@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
|
|
|
85b5f8 |
else:
|
|
|
85b5f8 |
parent = '_'.join(parts[:-1])
|
|
|
85b5f8 |
data = load(parent).copy()
|
|
|
85b5f8 |
- filename = os.path.join(_dirname, '%s.dat' % name)
|
|
|
85b5f8 |
+ filename = resolve_locale_filename(name)
|
|
|
85b5f8 |
with open(filename, 'rb') as fileobj:
|
|
|
85b5f8 |
if name != 'root' and merge_inherited:
|
|
|
85b5f8 |
merge(data, pickle.load(fileobj))
|
|
|
85b5f8 |
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
|
|
|
85b5f8 |
index 3599b21..173e7a3 100644
|
|
|
85b5f8 |
--- a/tests/test_localedata.py
|
|
|
85b5f8 |
+++ b/tests/test_localedata.py
|
|
|
85b5f8 |
@@ -11,12 +11,18 @@
|
|
|
85b5f8 |
# individuals. For the exact contribution history, see the revision
|
|
|
85b5f8 |
# history and logs, available at http://babel.edgewall.org/log/.
|
|
|
85b5f8 |
|
|
|
85b5f8 |
+import os
|
|
|
85b5f8 |
+import pickle
|
|
|
85b5f8 |
+import sys
|
|
|
85b5f8 |
+import tempfile
|
|
|
85b5f8 |
import unittest
|
|
|
85b5f8 |
import random
|
|
|
85b5f8 |
from operator import methodcaller
|
|
|
85b5f8 |
import sys
|
|
|
85b5f8 |
|
|
|
85b5f8 |
-from babel import localedata, numbers
|
|
|
85b5f8 |
+import pytest
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+from babel import localedata, Locale, UnknownLocaleError, numbers
|
|
|
85b5f8 |
|
|
|
85b5f8 |
class MergeResolveTestCase(unittest.TestCase):
|
|
|
85b5f8 |
|
|
|
85b5f8 |
@@ -117,3 +123,33 @@ def test_locale_argument_acceptance():
|
|
|
85b5f8 |
assert normalized_locale == None
|
|
|
85b5f8 |
locale_exist = localedata.exists(['en_us', None])
|
|
|
85b5f8 |
assert locale_exist == False
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+def test_locale_name_cleanup():
|
|
|
85b5f8 |
+ """
|
|
|
85b5f8 |
+ Test that locale identifiers are cleaned up to avoid directory traversal.
|
|
|
85b5f8 |
+ """
|
|
|
85b5f8 |
+ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
|
|
|
85b5f8 |
+ with open(no_exist_name, "wb") as f:
|
|
|
85b5f8 |
+ pickle.dump({}, f)
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+ try:
|
|
|
85b5f8 |
+ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
|
|
|
85b5f8 |
+ except ValueError:
|
|
|
85b5f8 |
+ if sys.platform == "win32":
|
|
|
85b5f8 |
+ pytest.skip("unable to form relpath")
|
|
|
85b5f8 |
+ raise
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+ assert not localedata.exists(name)
|
|
|
85b5f8 |
+ with pytest.raises(IOError):
|
|
|
85b5f8 |
+ localedata.load(name)
|
|
|
85b5f8 |
+ with pytest.raises(UnknownLocaleError):
|
|
|
85b5f8 |
+ Locale(name)
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+
|
|
|
85b5f8 |
+@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
|
|
|
85b5f8 |
+def test_reserved_locale_names():
|
|
|
85b5f8 |
+ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
|
|
|
85b5f8 |
+ with pytest.raises(ValueError):
|
|
|
85b5f8 |
+ localedata.load(name)
|
|
|
85b5f8 |
+ with pytest.raises(ValueError):
|
|
|
85b5f8 |
+ Locale(name)
|