Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
This is for version 0.16.0 (which I cannot select from JIRA's "Affects Version/s" list).
Description
The local storage driver libcloud.storage.drivers.local.LocalStorageDriver uses object names as filenames without any escaping. In fact, it uses os.path.join to combine the object name, the container name and the base directory to an object's storage location on disk (see for example, its get_object_cdn_url method). If the object name is not a valid file name this will fail. More seriously, if the object name is an absolute path, then os.path.join will return it unmodified, which will cause the local storage driver to access that file instead of the intended object file in the container's directory:
import tempfile from libcloud.storage.drivers.local import LocalStorageDriver driver = LocalStorageDriver(tempdir.mkdtemp()) container = driver.create_container('container') obj = container.get_object('/etc/fstab') print ''.join(obj.as_stream()) # Prints content of /etc/fstab container.upload_object_via_stream('foo', '/tmp/test') # Writes 'foo' to /tmp/test
A possible solution would be to encode object names to BASE64 before using them to construct file names. This could also be done for container names (currently, the driver simply checks that these do not contain slashes or backslashes).