oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Only raise security error on ../

Browse source
This commit is contained in:
user 2018-06-10 15:29:32 +01:00
parent 7bff5f562c
commit 4d25a02cd1
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/Site/SiteStorage.py
View file

@ -358,7 +358,7 @@ class SiteStorage(object):
if not inner_path: if not inner_path:
return self.directory return self.directory
if ".." in inner_path: if "../" in inner_path:
raise Exception(u"File not allowed: %s" % inner_path) raise Exception(u"File not allowed: %s" % inner_path)
return u"%s/%s" % (self.directory, inner_path) return u"%s/%s" % (self.directory, inner_path)

2
src/Ui/UiRequest.py
View file

@ -441,7 +441,7 @@ class UiRequest(object):
if path.endswith("/"): if path.endswith("/"):
path = path + "index.html" path = path + "index.html"
if ".." in path or "./" in path: if "../" in path or "./" in path:
raise SecurityError("Invalid path") raise SecurityError("Invalid path")
match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path) match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)