Only raise security error on ../

2018-06-10 15:29:32 +01:00 · 2018-06-10 15:29:32 +01:00 · 4d25a02cd1
commit 4d25a02cd1
parent 7bff5f562c
2 changed files with 2 additions and 2 deletions
--- a/src/Site/SiteStorage.py
+++ b/src/Site/SiteStorage.py
@ -358,7 +358,7 @@ class SiteStorage(object):
        if not inner_path:
            return self.directory

-        if ".." in inner_path:
+        if "../" in inner_path:
            raise Exception(u"File not allowed: %s" % inner_path)

        return u"%s/%s" % (self.directory, inner_path)
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -441,7 +441,7 @@ class UiRequest(object):
        if path.endswith("/"):
            path = path + "index.html"

-        if ".." in path or "./" in path:
+        if "../" in path or "./" in path:
            raise SecurityError("Invalid path")

        match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)