Only raise security error on ../

This commit is contained in:
user 2018-06-10 15:29:32 +01:00
parent 7bff5f562c
commit 4d25a02cd1
2 changed files with 2 additions and 2 deletions

View file

@ -358,7 +358,7 @@ class SiteStorage(object):
if not inner_path:
return self.directory
if ".." in inner_path:
if "../" in inner_path:
raise Exception(u"File not allowed: %s" % inner_path)
return u"%s/%s" % (self.directory, inner_path)

View file

@ -441,7 +441,7 @@ class UiRequest(object):
if path.endswith("/"):
path = path + "index.html"
if ".." in path or "./" in path:
if "../" in path or "./" in path:
raise SecurityError("Invalid path")
match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)