You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@libcloud.apache.org by "torf (JIRA)" <ji...@apache.org> on 2014/12/30 19:37:13 UTC
[jira] [Created] (LIBCLOUD-648) Local storage driver fails to
escape object names
torf created LIBCLOUD-648:
-----------------------------
Summary: Local storage driver fails to escape object names
Key: LIBCLOUD-648
URL: https://issues.apache.org/jira/browse/LIBCLOUD-648
Project: Libcloud
Issue Type: Bug
Components: Storage
Environment: This is for version 0.16.0 (which I cannot select from JIRA's "Affects Version/s" list).
Reporter: torf
The local storage driver {{libcloud.storage.drivers.local.LocalStorageDriver}} uses object names as filenames without any escaping. In fact, it uses {{os.path.join}} to combine the object name, the container name and the base directory to an object's storage location on disk (see for example, its {{get_object_cdn_url}} method). If the object name is not a valid file name this will fail. More seriously, if the object name is an absolute path, then {{os.path.join}} will return it unmodified, which will cause the local storage driver to access that file instead of the intended object file in the container's directory:
{code}
import tempfile
from libcloud.storage.drivers.local import LocalStorageDriver
driver = LocalStorageDriver(tempdir.mkdtemp())
container = driver.create_container('container')
obj = container.get_object('/etc/fstab')
print ''.join(obj.as_stream()) # Prints content of /etc/fstab
container.upload_object_via_stream('foo', '/tmp/test') # Writes 'foo' to /tmp/test
{code}
A possible solution would be to encode object names to BASE64 before using them to construct file names. This could also be done for container names (currently, the driver simply checks that these do not contain slashes or backslashes).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)