From cccd6c23aae5a9c7264c3e8f48c38a8abab79b7e Mon Sep 17 00:00:00 2001
From: z4yx
Date: Fri, 6 Mar 2020 22:56:36 +0800
Subject: [PATCH] ensure safe file name
---
 github-release.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/github-release.py b/github-release.py
index 57ba66e..00e0ed5 100755
--- a/github-release.py
+++ b/github-release.py
@@ -71,6 +71,16 @@ def create_workers(n):
 return task_queue
+def ensure_safe_name(filename):
+ filename = filename.replace('\0', ' ')
+ if filename == '.':
+ return ' .'
+ elif filename == '..':
+ return '. .'
+ else:
+ return filename.replace('/', '\\')
+
+
 def main():
 import argparse
 parser = argparse.ArgumentParser()
@@ -110,7 +120,7 @@ def main():
 print("Error: No release version found")
 continue
- name = latest['name'] or latest['tag_name']
+ name = ensure_safe_name(latest['name'] or latest['tag_name'])
 if len(name) == 0:
 print("Error: Unnamed release")
 continue
@@ -128,12 +138,9 @@ def main():
 task_queue.put((url, dst_file, working_dir, updated))
 for asset in latest['assets']:
- if '/' in asset['name'] or '\\' in asset['name']:
- print(f"Error: Invalid file name {asset['name']}")
- continue
 url = asset['browser_download_url']
 updated = datetime.strptime(asset['updated_at'], '%Y-%m-%dT%H:%M:%SZ').timestamp()
- dst_file = repo_local / name / asset['name']
+ dst_file = repo_local / name / ensure_safe_name(asset['name'])
 remote_filelist.append(dst_file.relative_to(working_dir))
 if dst_file.is_file():
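Review bot: `ensure_safe_name` turns `/` into `\\`, which removes the separator only where a backslash is an ordinary filename character; on a platform whose `pathlib` treats `\` as a separator the result would still split into several components, and the backslash rejection this commit deletes from the asset loop is no longer there to stop it. The function has no docstring, so the POSIX-only assumption, and the fact that its input appears to be a release or asset name taken from remote release metadata, are left for the reader to infer; I would add `"""Return filename as a single path component; assumes a filesystem where '\\' is not a separator."""`. If the script may run elsewhere, map both separators to a neutral character instead, `return filename.replace('/', '_').replace('\\', '_')`. The same helper is applied to the release name in the second hunk, so the point holds there as well.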
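Review bot: A name that had to be rewritten is now accepted silently in the asset loop, whereas the removed lines printed `Error: Invalid file name` and skipped the asset, so the operator loses the only signal that the release metadata carried a separator, `.` or `..` in a file name. I would keep the sanitised value in a local and report the difference: `safe_name = ensure_safe_name(asset['name'])` followed by `if safe_name != asset['name']: print(f"Warning: asset name {asset['name']!r} stored as {safe_name!r}")`. An empty asset name is also unguarded here, unlike the release name with its `len(name) == 0` check; with `pathlib` joining, `repo_local / name / ''` appears to resolve to the release directory itself, so an `if not safe_name: continue` would be prudent. The loop body continues past the end of the hunk.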