I'm faced with the following problem:
The users have some files that need syncing, so I'm writing a script that copies the encrypted files from a user's directory to a temporary directory on the server before they get distributed to the other 5 servers.
The initial copy is done by creating a folder with the user's name and putting the files there.
The users are free to change usernames, so if someone changes his username to something nasty the server(s) is/are owned.
I have to use the usernames for folder names because the script that does the syncing is using the folder username for metadata of some sort.
So, is there any way to escape the usernames and make sure that everything is created under the master folder?
As nrathaus suggested, you could use os.path.normpath to get the "normalized" path and check it for security issues.
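The check the answer describes, worked through as an added example (my code, not the asker's script or anything nrathaus posted): the username is joined onto the master folder, the result is normalised with os.path.normpath, and the script only proceeds if that normalised path is a direct child of the master folder. The master folder path and the sample usernames are assumptions for the demonstration.

```python
import os

# Assumed master folder for this example; the real script would configure it.
MASTER_DIR = "/srv/sync/master"


def safe_user_dir(master_dir, username):
    """Return the absolute path of the folder for `username` directly under
    `master_dir`, or None if the name cannot be used as a plain folder name.

    The decision is made on the normalised absolute path, not on the raw
    string, so '..', absolute paths and separator tricks all fall out of
    one comparison instead of a growing blacklist.
    """
    if not username or username in (".", ".."):
        return None
    # A username must be a single path component: no separators, no NUL.
    for bad in ("/", os.sep, os.altsep, "\x00"):
        if bad and bad in username:
            return None
    master = os.path.abspath(master_dir)
    candidate = os.path.normpath(os.path.join(master, username))
    # normpath collapses '..', so a name that slipped past the filter above
    # would now resolve outside master; insist on a direct child of master.
    if os.path.dirname(candidate) != master:
        return None
    if os.path.commonpath([master, candidate]) != master:
        return None
    return candidate


def user_dirs(master_dir, usernames):
    """Map each username to its folder, or None where the name was rejected,
    so the caller can log the rejections instead of silently skipping them."""
    return {u: safe_user_dir(master_dir, u) for u in usernames}


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest attempts to leave the folder.
    for name in ["alice", "..", "../etc", "/etc/passwd", "bob..", "a\x00b"]:
        print(repr(name), "->", safe_user_dir(MASTER_DIR, name))
```

Note that this validates the name only; if the master folder can already contain symlinks planted by a user, resolve the final path with os.path.realpath and repeat the same parent check before copying.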
I've built an application following the file upload process (more or less) along the lines of the Flask file upload documentation found here, https://flask.palletsprojects.com/en/1.1.x/patterns/fileuploads/.
In this portion of the code, UPLOAD_FOLDER = '/path/to/the/uploads', this points to one single directory where file uploads will live. The problem I'm trying to solve is that when I deploy my app to a server there will be multiple, simultaneous users. With a single upload directory, users will collide when they upload files with the same names, a situation that will occur in my app.
What I want to do is create a unique temp directory that is unique to each browser session. So, user 1 would have their own unique temp directory and user 2 would have their own unique temp directory and so on.
In this case, I think there would not be any user collision. Can anyone please suggest how I would create such unique temp directories associated with each browser session in the file upload process? Something along the lines of UPLOAD_FOLDER = '/path/to/the/uploads/user1_session', etc for each unique user?
Ok, so lacking further information and any sort of view on what your code/program looks like, this is what I would recommend at the moment.
I am relatively new to programming as well, so this might not be the best answer. But in my experience you really, really do not want to be creating multiple directories per user/per session. That is a bad idea. This is where databases come in handy.
Now in regards to your problem the easiest/fastest way to resolve this issue is to look into how password salt and hashing is done.
Just hash and salt your filenames.
Here is a link that provides a simple yet thorough explanation of how it is done.
Using the python drive api, I am attempting to remove any permissions a user has to a drive, folder, or file given their email. However, to do this it seems as though I must query all drives, then all files from all drives, then all permissions from all files. Only then can I comb every file permission to see if the id of the user on the permission matches the id of the user I want to remove permissions from. Is there an easier way to do this?
It's easy if you only want to deal with the files owned by a user, but to find all the objects that a user has permissions to access, that's not an easy thing to do: presumably you want specific writer/editor permissions, not "anyone in the organisation can edit" permissions. In our GSuite domain there are tens of millions of Drive files so this is an infeasible task.
A workaround for you is to move the user into an OU that does not have the Drive App enabled. That removes all drive access for the user, though it's not really what you asked for.
I'm using the following open source project, Svnplot:
https://bitbucket.org/nitinbhide/svnplot/wiki/Home
I'm getting a list of code reviewers. These usernames are supposed to be existing user names in svn. How can I actually check that?
Thanks
Simply: You can't. For a complete list of readers you need the config file of the Apache or svnserve config file.
This does not mean you have a complete list, as this file's modification is not versioned (as it is a file on a server).
You can get a list of all committers, though:
For this you just need to analyze all revisions and add the authors.
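Added example of the approach in the answer (my code, not part of svnplot): read the XML form of the Subversion log, collect the distinct author of every revision, and report which names in the reviewer list have never committed. The sample log is constructed for this example; fetch_log_xml shows the real call but is not run here.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `svn log --xml` output; not real history.
SAMPLE_LOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="1">
<author>alice</author>
<date>2012-01-05T10:00:00.000000Z</date>
<msg>initial import</msg>
</logentry>
<logentry revision="2">
<author>bob</author>
<date>2012-01-06T11:30:00.000000Z</date>
<msg>fix build</msg>
</logentry>
<logentry revision="3">
<date>2012-01-07T09:00:00.000000Z</date>
<msg>commit with no author recorded</msg>
</logentry>
</log>
"""


def committers_from_log_xml(xml_text):
    """Collect the distinct <author> values across all <logentry> elements.
    Revisions without an author (anonymous or imported commits) are skipped
    instead of producing an empty-string committer."""
    root = ET.fromstring(xml_text)
    authors = set()
    for entry in root.iter("logentry"):
        author = entry.findtext("author")
        if author and author.strip():
            authors.add(author.strip())
    return authors


def fetch_log_xml(repo_url):
    """Run `svn log --xml` against a repository URL or working copy.
    Needs the svn client and network/repository access; not exercised here."""
    result = subprocess.run(["svn", "log", "--xml", repo_url],
                            check=True, capture_output=True, text=True)
    return result.stdout


def check_reviewers(reviewers, committers):
    """Split the reviewer list into names with at least one commit and names
    without any, so unknown names can be flagged before they are trusted."""
    known = sorted(r for r in reviewers if r in committers)
    unknown = sorted(r for r in reviewers if r not in committers)
    return known, unknown


if __name__ == "__main__":
    committers = committers_from_log_xml(SAMPLE_LOG_XML)
    print("committers:", sorted(committers))
    print("reviewers:", check_reviewers(["bob", "mallory", "alice"], committers))
```

As the answer says, this only proves that a name has committed; a reviewer who has read access but has never committed will show up as unknown, and author names are compared exactly as the server recorded them.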
I am trying to serve up some user uploaded files with Flask, and have an odd problem, or at least one that I couldn't turn up any solutions for by searching. I need the files to retain their original filenames after being uploaded, so they will have the same name when the user downloads them. Originally I did not want to deal with databases at all, and solved the problem of filename conflicts by storing each file in a randomly named folder, and just pointing to that location for the download. However, stuff came up later that required me to use a database to store some info about the files, but I still kept my old method of handling filename conflicts. I have a model for my files now and storing the name would be as simple as just adding another field, so that shouldn't be a big problem. I decided, pretty foolishly after I had written the implementation, on using Amazon S3 to store the files. Apparently S3 does not deal with folders in the way a traditional filesystem does, and I do not want to deal with the surely convoluted task of figuring out how to create folders programmatically on S3, and in retrospect, this was a stupid way of dealing with this problem in the first place, when stuff like SQLAlchemy exists that makes databases easy as pie. Anyway, I need a way to store multiple files with the same name on S3, without using folders. I thought of just renaming the files with a random UUID after they are uploaded, and then when they are downloaded (the user visits a page and presses a download button so I need not have the filename in the URL), telling the browser to save the file as its original name retrieved from the database. Is there a way to implement this in Python w/Flask? When it is deployed I am planning on having the web server handle the serving of files, will it be possible to do something like this with the server? Or is there a smarter solution?
I'm stupid. Right in the Flask API docs it says you can include the parameter attachment_filename in send_from_directory if it differs from the filename in the filesystem.
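Added example tying together the two Flask upload questions above (my code, not either poster's and not Flask's): each upload gets an opaque random key, which is what removes the name collisions the first question worries about without per-session directories, and the original name lives only in the database record. On download the original name goes into a Content-Disposition header, which is what the send_from_directory parameter in the answer emits (that parameter was renamed download_name in Flask 2.0). The record store and the bucket are in-memory stand-ins constructed for the example.

```python
import re
import unicodedata
import uuid
from urllib.parse import quote

# Stand-ins for the database table and the S3 bucket; both constructed here.
FILE_RECORDS = {}   # storage key -> {"original_name": ..., "size": ...}
FAKE_BUCKET = {}    # storage key -> bytes


def store_upload(original_name, data, put_object=FAKE_BUCKET.__setitem__):
    """Store the bytes under an opaque random key in a flat namespace (no
    folders) and keep the user's filename only as metadata on the record.
    Two uploads named the same get different keys, so nothing is overwritten."""
    key = uuid.uuid4().hex
    put_object(key, data)
    FILE_RECORDS[key] = {"original_name": original_name, "size": len(data)}
    return key


_KEY_RE = re.compile(r"^[0-9a-f]{32}$")


def lookup(key):
    """Resolve a key coming from the download page; anything that is not a
    32-hex-digit key is rejected before it reaches the record store."""
    if not _KEY_RE.match(key or ""):
        return None
    return FILE_RECORDS.get(key)


def content_disposition(original_name):
    """Header telling the browser to save the file under its original name.
    `filename=` carries an ASCII fallback with quotes, backslashes and
    control characters replaced; `filename*=` carries the full UTF-8 name
    percent-encoded (RFC 5987). A stored name therefore cannot break out of
    the quoted string or inject a CRLF into the response headers."""
    ascii_name = (unicodedata.normalize("NFKD", original_name)
                  .encode("ascii", "ignore").decode())
    ascii_name = re.sub(r'[\\"\x00-\x1f\x7f]', "_", ascii_name).strip() or "download"
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name, quote(original_name, safe=""))


if __name__ == "__main__":
    k1 = store_upload("report.pdf", b"first")
    k2 = store_upload("report.pdf", b"second")
    print(k1, k2, sorted(FAKE_BUCKET))
    for k in (k1, "../etc/passwd"):
        print(repr(k), "->", lookup(k))
    print(content_disposition("résumé.pdf"))
    print(repr(content_disposition('a"b\r\nX: y.txt')))
```

In a Flask view the download handler would look the key up, fetch the object from S3 under that key, and set the header above on the response; when the web server serves the bytes directly, the same header value is what it needs to send.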
I have been testing out a little script for uploading drafts to a gmail address like so:
import imaplib, time  # Time2Internaldate is in imaplib; Python 3's append() wants bytes
now = imaplib.Time2Internaldate(time.time())
conn.append('[Gmail]/Drafts', '', now, str(msg).encode('utf-8'))
This all works just fine for account1#company.com.
I then go through authenticating with a second account, acc2#company.com, and uploading a draft fails with the following error:
30:08.43 < EMCK2 NO [TRYCREATE] Folder doesn't exist. (Failure)
30:08.43 NO response: [TRYCREATE] Folder doesn't exist. (Failure)
I can create folders, but not append to folders, not even the ones that I create.
Settings in both accounts are identical and both are on the same domain. I have no idea why or how this is happening, or where to look next to find out?
This is because Google uses localized folder names for these special folders. The correct way is making your application work without hardcoded folder names and not Gmail-specific in the first place. One way of achieving that goal is via RFC 6154.
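Added example of the RFC 6154 approach (my code, not the asker's script): instead of hardcoding '[Gmail]/Drafts', parse the server's LIST responses, pick the mailbox flagged \Drafts, and append to whatever name the server gave it. The LIST lines below are constructed to look like a Gmail account with German display names (the \Drafts mailbox is modified-UTF-7 for "Entwürfe"); append_draft shows the live call with an imaplib connection but is not run here.

```python
import re

# Constructed LIST responses in the shape imaplib.IMAP4.list() returns them
# (bytes, one per mailbox); not real server output.
SAMPLE_LIST = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasChildren \\Noselect) "/" "[Gmail]"',
    b'(\\HasNoChildren \\Drafts) "/" "[Gmail]/Entw&APw-rfe"',
    b'(\\HasNoChildren \\Sent) "/" "[Gmail]/Gesendet"',
    b'(\\HasNoChildren \\All) "/" "[Gmail]/Alle Nachrichten"',
]

_LIST_RE = re.compile(
    r'^\((?P<flags>[^)]*)\)\s+(?P<delim>"[^"]*"|NIL)\s+(?P<name>"[^"]*"|\S+)\s*$'
)


def parse_list_line(line):
    """Split one LIST response into (flags, hierarchy delimiter, mailbox name).
    Flags are lower-cased because IMAP attributes are case-insensitive. The
    mailbox name is returned exactly as the server spelled it (still in
    modified UTF-7), because that is the form APPEND and SELECT expect."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    m = _LIST_RE.match(line)
    if not m:
        raise ValueError("unparseable LIST line: %r" % line)
    flags = {f.lower() for f in m.group("flags").split()}
    delim = None if m.group("delim") == "NIL" else m.group("delim").strip('"')
    name = m.group("name")
    if name.startswith('"'):
        name = name[1:-1]
    return flags, delim, name


def find_special_use(list_lines, attribute):
    """Return the mailbox carrying an RFC 6154 attribute such as '\\Drafts',
    or None when the server advertises no mailbox with that role."""
    want = attribute.lower()
    for line in list_lines:
        flags, _, name = parse_list_line(line)
        if want in flags:
            return name
    return None


def append_draft(conn, msg_bytes):
    """Upload a draft to whatever the server calls its Drafts mailbox.
    `conn` is an authenticated imaplib.IMAP4_SSL; not exercised offline."""
    import imaplib
    import time
    status, lines = conn.list()
    if status != "OK":
        raise RuntimeError("LIST failed: %r" % (lines,))
    drafts = find_special_use(lines, "\\Drafts")
    if drafts is None:
        raise RuntimeError("server does not advertise a \\Drafts mailbox")
    # Quote the name: it may contain spaces, and imaplib does not quote for us.
    return conn.append('"%s"' % drafts, "", imaplib.Time2Internaldate(time.time()), msg_bytes)


if __name__ == "__main__":
    for line in SAMPLE_LIST:
        print(parse_list_line(line))
    print("drafts mailbox:", find_special_use(SAMPLE_LIST, "\\Drafts"))
    print("junk mailbox:", find_special_use(SAMPLE_LIST, "\\Junk"))
```

A server that does not support SPECIAL-USE simply returns no \Drafts flag, which the code reports as a missing mailbox rather than guessing a name; treating that case explicitly is what keeps the script from silently falling back to a hardcoded, locale-dependent folder.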