From 15ca25f187d80962e00e0977d7e34b008acd50bd Mon Sep 17 00:00:00 2001
From: lijiejie
Date: Thu, 16 Jun 2022 10:22:00 +0800
Subject: [PATCH] add is_valid_name
---
 ds_store_exp.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/ds_store_exp.py b/ds_store_exp.py
index 1885dd9..2be047c 100644
--- a/ds_store_exp.py
+++ b/ds_store_exp.py
@@ -22,6 +22,19 @@ def __init__(self, start_url):
 self.processed_url = set()
 self.lock = threading.Lock()
 self.working_thread = 0
+ self.dest_dir = os.path.abspath('.')
+
+ def is_valid_name(self, entry_name):
+ if entry_name.find('..') >= 0 or \
+ entry_name.startswith('/') or \
+ entry_name.startswith('\\') or \
+ not os.path.abspath(entry_name).startswith(self.dest_dir):
+ try:
+ print('[ERROR] Invalid entry name: %s' % entry_name)
+ except Exception as e:
+ pass
+ return False
+ return True
 def process(self):
 while True:
@@ -45,7 +58,7 @@ def process(self):
 url = 'http://%s' % url
 schema, netloc, path, _, _, _ = urlparse(url, 'http')
 try:
- response = requests.get(url)
+ response = requests.get(url, allow_redirects=False)
 except Exception as e:
 self.lock.acquire()
 print('[ERROR] %s' % str(e))
@@ -68,7 +81,8 @@ def process(self):
 dirs_files = set()
 for x in d._traverse(None):
- dirs_files.add(x.filename)
+ if self.is_valid_name(x.filename):
+ dirs_files.add(x.filename)
 for name in dirs_files:
 if name != '.':
 self.queue.put(base_url + name)
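Review bot: The containment test in `is_valid_name`, `os.path.abspath(entry_name).startswith(self.dest_dir)`, is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the destination directory's name would still be accepted. The three checks before it may not cover every absolute-path form on every platform, so this last test should be exact; comparing against the directory with its trailing separator does that: `not os.path.abspath(entry_name).startswith(os.path.join(self.dest_dir, ''))`. The `try`/`except Exception as e: pass` around the `print` also hides any failure to report a rejected name and leaves `e` unused. The error print visible later in `process()` takes `self.lock` first, which this one does not appear to do.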
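Review bot: The `requests.get` call still has no `timeout`, and requests waits indefinitely by default, so a single unresponsive server can stall a worker thread permanently. Adding one next to the new argument bounds that, e.g. `response = requests.get(url, allow_redirects=False, timeout=10)` (the value is illustrative). With redirects no longer followed, 3xx responses now reach the code after this `try` unchanged. The status handling is outside this hunk, so it is worth confirming that it skips them rather than treating the body as content.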
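Review bot: The filter is applied to the raw `x.filename`, but what gets queued is `base_url + name`, and the local path is presumably rebuilt later from the parsed URL (that code is outside this hunk). If so, the name that was validated and the path that is finally written can differ, so the same containment check belongs immediately before the file is created, on the final resolved path under the output directory. A short comment at the new `if`, such as `# names come from an untrusted .DS_Store; drop any that would resolve outside dest_dir`, would also record why entries are filtered.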