Bad handling of server-provided URLs containing ".." links to parent dir
afcady opened this issue
This tool will write into `../` when the server gives a URL with `/../` in it. This is a security flaw.

On the other hand, if `../whatever/` doesn't exist, it crashes the application with `IOError: [Errno 2] No such file or directory:`. It doesn't create missing directories as needed. This is a separate bug, filed as #8.
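One way to guard against the behaviour reported above, as an added example that is not the project's own code: the URL path is decoded, any `..` segment is refused, and the resolved path is checked against the download root before writing, with missing parent directories created first. The names `safe_local_path`, `save`, `UnsafePathError` and the `example.invalid` URLs are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


class UnsafePathError(ValueError):
    """Raised when a server-supplied URL would resolve outside the download root."""


def safe_local_path(root, url):
    """Map a server-supplied URL to a file path that stays inside root."""
    root = os.path.realpath(root)
    # Decode percent-escapes first so "%2e%2e" is treated the same as "..".
    url_path = unquote(urlsplit(url).path).replace("\\", "/")
    parts = [p for p in url_path.split("/") if p not in ("", ".")]
    # Strict policy (an assumption): any ".." segment is refused, not normalised.
    if not parts or ".." in parts:
        raise UnsafePathError("refusing path from URL: %r" % url)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Defence in depth: realpath also resolves symlinks already on disk.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError("path escapes download root: %r" % url)
    return candidate


def save(root, url, data):
    """Write data under root, creating missing parent directories."""
    target = safe_local_path(root, url)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run constructed URLs through save(); return the ones that were rejected."""
    rejected = []
    with tempfile.TemporaryDirectory() as root:
        for url in ("http://example.invalid/a/b/file.txt",
                    "http://example.invalid/a/../../evil.txt",
                    "http://example.invalid/a/%2e%2e/%2e%2e/evil.txt"):
            try:
                save(root, url, b"x")
            except UnsafePathError:
                rejected.append(url)
    return rejected
```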