From 47245f485ad790b324723cf746857fb791a7bac9 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Thu, 11 May 2017 17:59:46 +0200
Subject: [PATCH] ActionFile security check

---
 src/Ui/UiRequest.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index bc02f44f..50aa0327 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -430,6 +430,8 @@ class UiRequest(object):
     # Stream a file to client
     def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_length=True):
+        if ".." in file_path:
+            raise Exception("Invalid path")
         if os.path.isfile(file_path):
             # Try to figure out content type by extension
             content_type = self.getContentType(file_path)
@@ -521,6 +523,7 @@ class UiRequest(object):
         import sys
         sites = self.server.sites
         main = sys.modules["main"]
+
         def bench(code, times=100):
             sites = self.server.sites
             main = sys.modules["main"]
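Review bot: The new `if ".." in file_path` guard at the top of actionFile blocks `../` segments but does nothing about an absolute `file_path`, or one that lands outside the intended directory without containing two dots, and it also rejects any legitimate name such as `notes..txt`. Raising a bare `Exception("Invalid path")` inside a request handler presumably surfaces as a generic server error and traceback rather than a deliberate 403/404 response; returning the handler's own error response (UiRequest appears to have such helpers, but none is visible in this hunk) would be the cleaner failure mode. If every caller builds `file_path` beneath a known root, the robust check is to canonicalise and compare prefixes, e.g. `real = os.path.abspath(file_path)` followed by `if not real.startswith(os.path.abspath(root) + os.sep): raise Exception("Invalid path")`, keeping the `..` test only as a cheap early reject. The root directory is not visible here, so that part needs confirming against the callers. actionFile's body continues past the end of the hunk.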