Listing folders - how to improve this code


rikl...@gmail.com

Dec 29, 2006, 6:25:33 PM12/29/06
to Django users
I have an initial view which works as a folder browser for the url:

(r'^f/(?P<path>.*?)/$', 'drcsm.views.list_rcs')
####################
from os import listdir
from os.path import normpath, isdir
from django.conf import settings
from django.shortcuts import render_to_response

def list_rcs(request, path):
    path = '/' + path
    # workdir prevents ../ cheats but... no cheating
    if path.find('..') != -1 or path.find('./') != -1:
        raise Exception, 'No cheating'
    workdir = settings.RCS_ROOT + normpath(path)
    if isdir(workdir):
        content = listdir(workdir)
        files = []
        dirs = []
        #from dive into python :)
        #print [f for f in listdir(workdir) if isfile(join(workdir, f))]
        #print [f for f in listdir(workdir) if isdir(join(workdir, f))]
        for c in content:
            if not c.startswith('.'):
                if isdir(workdir + '/' + c):
                    dirs.append(c)
                else:
                    files.append(c)
        return render_to_response('drcsm/' + settings.ENGINE + '/list.html',
                                  {'files': files, 'dirs': dirs, 'path': path, 'theme': settings.THEME,
                                   'engine': settings.ENGINE})
    else:
        return render_to_response('drcsm/' + settings.ENGINE + '/error.html',
                                  {'error': 'Zly Katalog', 'theme': settings.THEME, 'engine':
                                   settings.ENGINE})
################################

Can this be improved, or does it have some security holes?

limodou

Dec 29, 2006, 8:09:31 PM12/29/06
to django...@googlegroups.com
On 12/30/06, rikl...@gmail.com <rikl...@gmail.com> wrote:
>
> I have an initial view which works as a folder browser for the url:
>
> (r'^f/(?P<path>.*?)/$', 'drcsm.views.list_rcs')
> ####################
> def list_rcs(request, path):
>     path = '/' + path
>     # workdir prevents ../ cheats but... no cheating
>     if path.find('..') != -1 or path.find('./') != -1:
>         raise Exception, 'No cheating'
>     workdir = settings.RCS_ROOT + normpath(path)

You can use

os.path.join(settings.RCS_ROOT , normpath(path))


>     if isdir(workdir):
>         content = listdir(workdir)
>         files = []
>         dirs = []
>         #from dive into python :)
>         #print [f for f in listdir(workdir) if isfile(join(workdir, f))]
>         #print [f for f in listdir(workdir) if isdir(join(workdir, f))]
>         for c in content:
>             if not c.startswith('.'):
>                 if isdir(workdir + '/' + c):
>                     dirs.append(c)
>                 else:
>                     files.append(c)
>         return render_to_response('drcsm/' + settings.ENGINE + '/list.html',
>                                   {'files': files, 'dirs': dirs, 'path': path, 'theme': settings.THEME,
>                                    'engine': settings.ENGINE})

You can see os.walk(); I think it's better for these things.


>     else:
>         return render_to_response('drcsm/' + settings.ENGINE + '/error.html',
>                                   {'error': 'Zly Katalog', 'theme': settings.THEME, 'engine':
>                                    settings.ENGINE})
> ################################
>
> Can this be improved, or does it have some security holes?
>

--
I like python!
UliPad <<The Python Editor>>: http://wiki.woodpecker.org.cn/moin/UliPad
My Blog: http://www.donews.net/limodou

rikl...@gmail.com

Dec 30, 2006, 11:42:58 AM12/30/06
to Django users
lol

from os.path import join........
print join(settings.RCS_ROOT , normpath(path))

returns /dev :)
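The join() pitfall shown in that last reply, next to the original view's '..' substring test and a root-confinement check that does not depend on either, as an added Python 3 example that is not part of the thread or the drcsm project; the /var/rcs root and the request paths are constructed values:

```python
from os.path import commonpath, join, normpath

# Constructed stand-in for the thread's settings.RCS_ROOT (assumed to be an absolute directory).
RCS_ROOT = "/var/rcs"


def thread_join(root, path):
    """The join() suggested in the thread: an absolute `path` makes join() discard `root`."""
    return join(root, normpath(path))


def thread_check(path):
    """The substring test from the original view; True means the request is rejected."""
    path = "/" + path
    return path.find("..") != -1 or path.find("./") != -1


def safe_workdir(root, path):
    """Confine a browser request to `root`; return the directory path, or None if it escapes.

    Leading slashes are stripped so join() cannot be overridden by an absolute path,
    the result is normalised so '..' segments are resolved lexically, and commonpath()
    confirms the result still lies under root. normpath is purely lexical, which keeps
    this deterministic; a real view should also pass both sides through os.path.realpath
    so a symlink inside the tree cannot point outside it.
    """
    root = normpath(root)
    candidate = normpath(join(root, path.lstrip("/")))
    if commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(thread_join(RCS_ROOT, "/dev"))        # /dev, not /var/rcs/dev
    print(safe_workdir(RCS_ROOT, "/dev"))       # /var/rcs/dev
    print(safe_workdir(RCS_ROOT, "../../dev"))  # None
    # The substring test rejects a legitimate name; the confinement check accepts it.
    print(thread_check("notes..old"), safe_workdir(RCS_ROOT, "notes..old"))  # True /var/rcs/notes..old
```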
