Add basename for file name in download manager

Added getting the basename for the output file name in
download manager. This is to prevent any security holes
that would let the user out of the FLASH_DOWNLOAD_PATH dir.
(e.g. passing a file name of ../etc/shadow)

Resolves openbmc/openbmc#1898

Change-Id: Ie33fe56599e86c29da4b2eae8ef070f0866d054c
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/pydownloadmgr/download_manager.py b/pydownloadmgr/download_manager.py
index 3cc9f28..7ba80ca 100644
--- a/pydownloadmgr/download_manager.py
+++ b/pydownloadmgr/download_manager.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 
+import os
 import gobject
 import dbus
 import dbus.service
@@ -40,7 +41,7 @@ class DownloadManagerObject(dbus.service.Object):
         try:
             filename = str(filename)
             print "Downloading: "+filename+" from "+ip
-            outfile = FLASH_DOWNLOAD_PATH+"/"+filename
+            outfile = FLASH_DOWNLOAD_PATH+"/"+os.path.basename(filename)
             rc = subprocess.call(
                 ["tftp", "-l", outfile, "-r", filename, "-g", ip])
             if (rc == 0):
@@ -58,7 +59,7 @@ class DownloadManagerObject(dbus.service.Object):
         try:
             filename = str(filename)
             print "Downloading: "+filename+" from "+url
-            outfile = FLASH_DOWNLOAD_PATH+"/"+filename
+            outfile = FLASH_DOWNLOAD_PATH+"/"+os.path.basename(filename)
             subprocess.call(
                 ["tftp", "-l", outfile, "-r", filename, "-g", url])
             obj = bus.get_object("org.openbmc.control.Flash", path)