From 400099394dc0b933eb2be0ea78574bbd4cb49ca0 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Thu, 25 Jan 2024 06:44:43 +0000
Subject: [PATCH 1/7] fix download security problem
---
 python/paddle/dataset/common.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 4695b633ffa0f..1ee6ce880e337 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -18,6 +18,7 @@
 import importlib
 import os
 import pickle
+import re
 import shutil
 import sys
 import tempfile
@@ -71,6 +72,7 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
+ module_name = re.match("^[a-zA-Z0-9_-]+$", module_name)
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From 4b51b51a220d1f529c30b69953db1a4cc7795138 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Mon, 29 Jan 2024 07:17:20 +0000
Subject: [PATCH 2/7] refine
---
 python/paddle/dataset/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 1ee6ce880e337..29284bb494477 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -72,7 +72,7 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
- module_name = re.match("^[a-zA-Z0-9_-]+$", module_name)
+ module_name = re.match("^[a-zA-Z0-9_-]+$", module_name).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From 0317b0aa27d8b7241b06bd9ea11adfa4dd2fabf7 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Mon, 29 Jan 2024 11:28:59 +0000
Subject: [PATCH 3/7] refine
---
 python/paddle/dataset/common.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 29284bb494477..566202f083a31 100644
--- a/python/paddle/dataset/common.py
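Review bot: In PATCH 2/7, `re.match(...).group()` reports a refused `module_name` as `AttributeError: 'NoneType' object has no attribute 'group'`, because `re.match` returns `None` when the name does not fit the pattern. The caller gets no indication that the name was rejected on purpose, and the same construct is reused for `save_name` in PATCH 3/7 through 7/7. An explicit check states the intent: `if re.fullmatch("[a-zA-Z0-9_-]+", module_name) is None: raise ValueError(f"invalid module_name: {module_name!r}")`. `re.fullmatch` also refuses a trailing newline, which `$` accepts and `.group()` then silently drops. The body of `download` continues outside the hunk.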
+++ b/python/paddle/dataset/common.py
@@ -72,7 +72,8 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
- module_name = re.match("^[a-zA-Z0-9_-]+$", module_name).group()
+ module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
+ save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From 8fdefa0bd3ec0bed5f047b59b180fda8b6634733 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Tue, 30 Jan 2024 01:54:37 +0000
Subject: [PATCH 4/7] refine
---
 python/paddle/dataset/common.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 566202f083a31..90c95a390c229 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -73,6 +73,8 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
 module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
+ if isinstance(save_name, str):
+ save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
 save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From eba561ba7f79058e348cfa09e9b136ee13f757f7 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Tue, 30 Jan 2024 03:00:13 +0000
Subject: [PATCH 5/7] refine
---
 python/paddle/dataset/common.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 90c95a390c229..d7ed6139f020e 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
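Review bot: Adding `/` to the `module_name` character class in PATCH 3/7 admits an absolute path, and `os.path.join(DATA_HOME, module_name)` discards `DATA_HOME` when the second argument starts with `/`, so `dirname` no longer has to sit under the data directory. The `save_name` class has the same property here and in PATCH 4/7, 6/7 and 7/7; how `save_name` is joined is outside the hunk, so that part is inferred. A character allow-list cannot express containment, so the joined path should be resolved and compared with the resolved `DATA_HOME`, as in the excerpt below. The rest of `download` lies outside the hunk.

```python
def download(url, module_name, md5sum, save_name=None):
    # ... unchanged: character allow-list checks on module_name / save_name ...
    data_root = os.path.realpath(DATA_HOME)
    dirname = os.path.realpath(os.path.join(data_root, module_name))
    # Containment check: the resolved target must stay under DATA_HOME.
    if os.path.commonpath([data_root, dirname]) != data_root:
        raise ValueError(f"module_name escapes DATA_HOME: {module_name!r}")
    # ... unchanged: os.makedirs(dirname) and the rest of download ...
```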
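Review bot: The `isinstance(save_name, str)` guard added in PATCH 4/7 skips validation for every non-`str` value, not only for the `None` default, so a `bytes` or `os.PathLike` argument would reach the rest of `download` unchecked (how `save_name` is used later is outside the hunk). Testing for the default keeps the check mandatory: `if save_name is not None:` with a `TypeError` raised for anything that is not a `str` before the pattern is applied.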
@@ -75,7 +75,6 @@ def download(url, module_name, md5sum, save_name=None):
 module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
 if isinstance(save_name, str):
 save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
- save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From 7c4331aa863e8f6195e4395f685da9fcec06369f Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Tue, 30 Jan 2024 05:57:47 +0000
Subject: [PATCH 6/7] refine
---
 python/paddle/dataset/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index d7ed6139f020e..a830af502a946 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -74,7 +74,7 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
 module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
 if isinstance(save_name, str):
- save_name = re.match("^[a-zA-Z0-9_/\\-]+$", save_name).group()
+ save_name = re.match("^[a-zA-Z0-9_/\\/.-]+$", save_name).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
From 3ba234af98cc7f4889f97f390b5197a74bc01890 Mon Sep 17 00:00:00 2001
From: Wang Huan
Date: Tue, 30 Jan 2024 06:39:29 +0000
Subject: [PATCH 7/7] refine
---
 python/paddle/dataset/common.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index a830af502a946..35155a2de2d22 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -74,7 +74,9 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
 module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
 if isinstance(save_name, str):
- save_name = re.match("^[a-zA-Z0-9_/\\/.-]+$", save_name).group()
+ save_name = re.match(
+ "^(?:(?!\\.\\.)[a-zA-Z0-9_/\\.-])+$", save_name
+ ).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
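Review bot: The lookahead pattern added in PATCH 7/7 carries no comment, and its intent is hard to read from the doubled backslashes: `(?!\\.\\.)` is tested before every character, so any two consecutive dots are refused, including harmless names such as `data..v2.tar`. A comment above the call, for example `# Refuse ".." anywhere in save_name so it cannot climb out of the dataset directory.`, would record why the pattern looks this way, and a raw string (`r"^(?:(?!\.\.)[a-zA-Z0-9_/.-])+$"`) would make it easier to audit. The class still accepts a leading `/`. The rest of `download` is outside the hunk.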