Check injections in PythonLayer

I also modified Makefile to link boost_regex for PythonLayer
BVLC · Mar 2, 2015 · 431585b · 431585b
1 parent 40dc686
commit 431585b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -164,7 +164,7 @@ endif
 LIBRARIES += glog gflags protobuf leveldb snappy \
 	lmdb boost_system hdf5_hl hdf5 m \
 	opencv_core opencv_highgui opencv_imgproc
-PYTHON_LIBRARIES := boost_python python2.7
+PYTHON_LIBRARIES := boost_python python2.7 boost_regex
 WARNINGS := -Wall -Wno-sign-compare
 
 ##############################

diff --git a/src/caffe/layer_factory.cpp b/src/caffe/layer_factory.cpp
@@ -6,6 +6,7 @@
 #include "caffe/vision_layers.hpp"
 
 #ifdef WITH_PYTHON_LAYER
+#include <boost/regex.hpp>
 #include "caffe/python_layer.hpp"
 #endif
 
@@ -162,6 +163,12 @@ template <typename Dtype>
 shared_ptr<Layer<Dtype> > GetPythonLayer(const LayerParameter& param) {
   string module_name = param.python_param().module();
   string layer_name = param.python_param().layer();
+  // Check injection. This doesn't allow nested importing.
+  boost::regex expression("[a-zA-Z_][a-zA-Z0-9_]*");
+  CHECK(boost::regex_match(module_name, expression))
+    << "Module name is invalid: " << module_name;
+  CHECK(boost::regex_match(layer_name, expression))
+    << "Layer name is invalid: " << layer_name;
   Py_Initialize();
   try {
     bp::object globals = bp::import("__main__").attr("__dict__");