From 75b44f6980985b832778acf7a0a3b99e65aa775c Mon Sep 17 00:00:00 2001
From: shortcutme <tamas@zeronet.io>
Date: Wed, 4 Oct 2017 12:37:22 +0200
Subject: [PATCH] Raise SecurityError on invalid path

---
 src/Ui/UiRequest.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 700480f4..42afbbf2 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -22,6 +22,10 @@ status_texts = {
 }
 
 
+class SecurityError(Exception):
+    pass
+
+
 @PluginManager.acceptPlugins
 class UiRequest(object):
 
@@ -417,8 +421,8 @@ class UiRequest(object):
         if path.endswith("/"):
             path = path + "index.html"
 
-        if ".." in path:
-            raise Exception("Invalid path")
+        if ".." in path or "./" in path:
+            raise SecurityError("Invalid path")
 
         match = re.match("/media/(?P<address>[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)
         if match: