oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move invalid path test upper level

Browse source
This commit is contained in:
shortcutme 2017-02-27 11:21:22 +01:00
parent a72c4eafff
commit 871588aa9f
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 30 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/Ui/UiRequest.py
View file

@ -346,6 +346,9 @@ class UiRequest(object):
# Serve a media for site # Serve a media for site
def actionSiteMedia(self, path, header_length=True): def actionSiteMedia(self, path, header_length=True):
if ".." in path: # File not in allowed path
return self.error403("Invalid file path")
path_parts = self.parsePath(path) path_parts = self.parsePath(path)
# Check wrapper nonce # Check wrapper nonce
@ -365,9 +368,6 @@ class UiRequest(object):
if path_parts: # Looks like a valid path if path_parts: # Looks like a valid path
address = path_parts["address"] address = path_parts["address"]
file_path = "%s/%s/%s" % (config.data_dir, address, path_parts["inner_path"]) file_path = "%s/%s/%s" % (config.data_dir, address, path_parts["inner_path"])
if ".." in path_parts["inner_path"]: # File not in allowed path
return self.error403("Invalid file path")
else:
if config.debug and file_path.split("/")[-1].startswith("all."): if config.debug and file_path.split("/")[-1].startswith("all."):
# If debugging merge *.css to all.css and *.js to all.js # If debugging merge *.css to all.css and *.js to all.js
site = self.server.sites.get(address) site = self.server.sites.get(address)