From 0bb7d715a7f4a863c3103cd771014593c8c96fdc Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Mon, 2 May 2011 19:18:28 +0000 Subject: [PATCH] more user friendliness/handiness for users which mix Linux and Windows paths where they shouldn't do that --- plugins/generic/filesystem.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py index 71a92917d..2da67b998 100644 --- a/plugins/generic/filesystem.py +++ b/plugins/generic/filesystem.py @@ -10,6 +10,7 @@ See the file 'doc/COPYING' for copying permission import binascii import codecs import os +import re from lib.core.agent import agent from lib.core.common import dataToOutFile @@ -21,7 +22,9 @@ from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger from lib.core.enums import DBMS +from lib.core.enums import OS from lib.core.enums import PAYLOAD +from lib.core.exception import sqlmapFilePathException from lib.core.exception import sqlmapUndefinedMethod from lib.request import inject @@ -263,6 +266,12 @@ class Filesystem: self.checkDbmsOs() + if Backend.isOs(OS.WINDOWS) and not re.search(r'\A[A-Z]:\\', rFile, re.I) or\ + Backend.isOs(OS.LINUX) and not rFile.startswith('/'): + errMsg = "invalid file path used for the underlying operating " + errMsg += "system '%s' of the back-end '%s' server ('%s')" % (Backend.getOs(), Backend.getDbms(), rFile) + raise sqlmapFilePathException, errMsg + if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED): if isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED): debugMsg = "going to read the file with stacked query SQL "