From 5c50d1a8b97b310cbc36560ec36d8377d6f29d7c Mon Sep 17 00:00:00 2001
From: wanghuancoder
Date: Wed, 31 Jan 2024 14:25:50 +0800
Subject: [PATCH] [Security] fix download security problem (#61162)
* fix download security problem
---
 python/paddle/dataset/common.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
index 4695b633ffa0f..35155a2de2d22 100644
--- a/python/paddle/dataset/common.py
+++ b/python/paddle/dataset/common.py
@@ -18,6 +18,7 @@
 import importlib
 import os
 import pickle
+import re
 import shutil
 import sys
 import tempfile
@@ -71,6 +72,11 @@ def md5file(fname):
 def download(url, module_name, md5sum, save_name=None):
+ module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
+ if isinstance(save_name, str):
+ save_name = re.match(
+ "^(?:(?!\\.\\.)[a-zA-Z0-9_/\\.-])+$", save_name
+ ).group()
 dirname = os.path.join(DATA_HOME, module_name)
 if not os.path.exists(dirname):
 os.makedirs(dirname)
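Review bot: Both new patterns in download() accept `/`, so a `module_name` that begins with a slash still matches, and `os.path.join(DATA_HOME, module_name)` on the following context line drops `DATA_HOME` whenever its second argument is absolute. The check therefore rejects `..` but does not confine the result to the data directory. A value that fails the pattern also surfaces as an `AttributeError` from calling `.group()` on `None` rather than as a clear validation error, and a `save_name` that is not a `str` (a path object, for instance) skips the check entirely. I would reject absolute values explicitly and raise `ValueError`, as sketched below. The rest of download(), including the place where `save_name` is joined to `dirname`, lies outside the hunk, so the `save_name` half of this is inferred.

```python
def download(url, module_name, md5sum, save_name=None):
    if os.path.isabs(module_name) or not re.fullmatch(
        r"[a-zA-Z0-9_/\-]+", module_name
    ):
        raise ValueError(f"invalid module_name: {module_name!r}")
    if save_name is not None:
        if (
            not isinstance(save_name, str)
            or os.path.isabs(save_name)
            or not re.fullmatch(r"(?:(?!\.\.)[a-zA-Z0-9_/\.-])+", save_name)
        ):
            raise ValueError(f"invalid save_name: {save_name!r}")
    dirname = os.path.join(DATA_HOME, module_name)
    # … unchanged: directory creation …
```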