ActionFile security check

shortcutme 2017-05-11 17:59:46 +02:00
parent 545459be88
commit 47245f485a
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE


@ -430,6 +430,8 @@ class UiRequest(object):
# Stream a file to client # Stream a file to client
def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_length=True): def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_length=True):
if ".." in file_path:
raise Exception("Invalid path")
if os.path.isfile(file_path): if os.path.isfile(file_path):
# Try to figure out content type by extension # Try to figure out content type by extension
content_type = self.getContentType(file_path) content_type = self.getContentType(file_path)
@ -521,6 +523,7 @@ class UiRequest(object):
import sys import sys
sites = self.server.sites sites = self.server.sites
main = sys.modules["main"] main = sys.modules["main"]
def bench(code, times=100): def bench(code, times=100):
sites = self.server.sites sites = self.server.sites
main = sys.modules["main"] main = sys.modules["main"]
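Review bot: The `".." in file_path` test added at the top of actionFile (first hunk) is a substring check, so it rejects legitimate names such as `a..b.txt` while doing nothing about absolute paths or symlinks; actionFile receives no base directory to compare the path against. If the intent is to block parent-directory components, a component test such as `if ".." in file_path.replace("\\", "/").split("/"):` states that directly. The real containment guarantee presumably lives in the callers that build file_path, which are outside this hunk, so a comment here should say so, e.g. `# Defence in depth only: callers must already confine file_path to the allowed directory`. Raising a bare `Exception("Invalid path")` probably surfaces as a generic server error rather than a clear refusal; whether UiRequest has a forbidden-response helper is not visible here, and the function body continues past the hunk.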