From 693aa576b492e18d209f93ccd6ae0deb96cffbed Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Mon, 16 Dec 2013 00:54:29 +0400
Subject: [PATCH] safeguard against bad tarball names
---
 lib/local-storage.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/local-storage.js b/lib/local-storage.js
index b48536d45..d5c59a1bf 100644
--- a/lib/local-storage.js
+++ b/lib/local-storage.js
@@ -1,6 +1,7 @@
 var fs = require('fs')
 , Path = require('path')
 , crypto = require('crypto')
+ , assert = require('assert')
 , fs_storage = require('./local-fs')
 , UError = require('./error').UserError
 , utils = require('./utils')
@@ -258,6 +259,7 @@ Storage.prototype.change_package = function(name, metadata, revision, callback)
 Storage.prototype.remove_tarball = function(name, filename, revision, callback) {
 var self = this
+ assert(utils.validate_name(filename))
 self.update_package(name, function updater(data, cb) {
 if (data._attachments[filename]) {
@@ -276,6 +278,8 @@ Storage.prototype.remove_tarball = function(name, filename, revision, callback)
 }
 Storage.prototype.add_tarball = function(name, filename) {
+ assert(utils.validate_name(filename))
+
 var stream = new mystreams.UploadTarballStream()
 , _transform = stream._transform
 , length = 0
@@ -355,6 +359,8 @@ Storage.prototype.add_tarball = function(name, filename) {
 }
 Storage.prototype.get_tarball = function(name, filename, callback) {
+ assert(utils.validate_name(filename))
+
 var stream = new mystreams.ReadTarballStream()
 stream.abort = function() {
 rstream.close()
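Review bot: The `assert(utils.validate_name(filename))` added at the top of `remove_tarball` (and again in `add_tarball` and `get_tarball`) throws an AssertionError synchronously, so a bad tarball name bypasses the `callback` and stream error paths these functions otherwise use. If any caller passes a request-supplied filename without validating it first, a rejected name becomes an unhandled exception instead of a client error; presumably the routes already validate and this is a second line of defence, but that is not visible here. In `remove_tarball` I would report it instead, e.g. `if (!utils.validate_name(filename)) return callback(new UError(...))` with whatever status and message `./error` expects, and in the two stream-returning functions emit `error` on the returned stream on the next tick. Only `filename` is checked while `name` is also handed on (`self.update_package(name, ...)`); `validate_name` and the callers are outside the hunks, so whether `name` is validated and whether the validator rejects path separators and dot segments needs confirming. All three function bodies continue outside their hunks.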