Check injections in PythonLayer

* Modified Makefile to link boost_regex for PythonLayer. * Travis installs boost_regex * Add a note of a new dependency boost_regex on Makefile.config.example
BVLC · Mar 2, 2015 · 6d4f992 · 6d4f992
1 parent 40dc686
commit 6d4f992
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -164,7 +164,7 @@ endif
 LIBRARIES += glog gflags protobuf leveldb snappy \
 	lmdb boost_system hdf5_hl hdf5 m \
 	opencv_core opencv_highgui opencv_imgproc
-PYTHON_LIBRARIES := boost_python python2.7
+PYTHON_LIBRARIES := boost_python python2.7 boost_regex
 WARNINGS := -Wall -Wno-sign-compare
 
 ##############################

diff --git a/Makefile.config.example b/Makefile.config.example
@@ -58,6 +58,7 @@ PYTHON_LIB := /usr/lib
 # PYTHON_LIB := $(ANACONDA_HOME)/lib
 
 # Uncomment to support layers written in Python (will link against Python libs)
+# This will require an additional dependency boost_regex provided by boost.
 # WITH_PYTHON_LAYER := 1
 
 # Whatever else you find you need goes here.

diff --git a/scripts/travis/travis_install.sh b/scripts/travis/travis_install.sh
@@ -15,6 +15,7 @@ apt-get install \
     python-dev python-numpy \
     libleveldb-dev libsnappy-dev libopencv-dev \
     libboost-dev libboost-system-dev libboost-python-dev libboost-thread-dev \
+    libboost-regex-dev \
     libprotobuf-dev protobuf-compiler \
     libatlas-dev libatlas-base-dev \
     libhdf5-serial-dev libgflags-dev libgoogle-glog-dev \

diff --git a/src/caffe/layer_factory.cpp b/src/caffe/layer_factory.cpp
@@ -6,6 +6,7 @@
 #include "caffe/vision_layers.hpp"
 
 #ifdef WITH_PYTHON_LAYER
+#include <boost/regex.hpp>
 #include "caffe/python_layer.hpp"
 #endif
 
@@ -162,6 +163,12 @@ template <typename Dtype>
 shared_ptr<Layer<Dtype> > GetPythonLayer(const LayerParameter& param) {
   string module_name = param.python_param().module();
   string layer_name = param.python_param().layer();
+  // Check injection. This doesn't allow nested importing.
+  boost::regex expression("[a-zA-Z_][a-zA-Z0-9_]*");
+  CHECK(boost::regex_match(module_name, expression))
+    << "Module name is invalid: " << module_name;
+  CHECK(boost::regex_match(layer_name, expression))
+    << "Layer name is invalid: " << layer_name;
   Py_Initialize();
   try {
     bp::object globals = bp::import("__main__").attr("__dict__");