Merge pull request #1453 from anoadragon453/anoa/fix_filepaths

Only raise security error on ../
ZeroNet 2019-06-30 16:46:55 +02:00 committed by GitHub
commit 9e7ae55068
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -362,7 +362,7 @@ class SiteStorage(object):
if not inner_path: if not inner_path:
return self.directory return self.directory
if ".." in inner_path: if "../" in inner_path:
raise Exception(u"File not allowed: %s" % inner_path) raise Exception(u"File not allowed: %s" % inner_path)
return u"%s/%s" % (self.directory, inner_path) return u"%s/%s" % (self.directory, inner_path)
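Review bot: The new `"../" in inner_path` test no longer catches a `..` that is the final path component, so an inner_path that is `..` or ends in `/..` is joined onto self.directory unchanged; it would also miss `..\` if backslash separators can reach this point. Comparing whole components keeps the goal of allowing names such as `file..txt` while still rejecting every parent reference: `if ".." in inner_path.replace("\\", "/").split("/"):`. The same final-component gap applies to the `"../" in path` test in the UiRequest hunk. The function starts outside the hunk, so any earlier normalisation of inner_path is not visible here.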


@ -526,7 +526,7 @@ class UiRequest(object):
if path.endswith("/"): if path.endswith("/"):
path = path + "index.html" path = path + "index.html"
if ".." in path or "./" in path: if "../" in path or "./" in path:
raise SecurityError("Invalid path") raise SecurityError("Invalid path")
match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path) match = re.match("/media/(?P<address>[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P<inner_path>/.*|$)", path)
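Review bot: In `if "../" in path or "./" in path:` the first operand is dead, because every string containing `../` also contains `./`, so the condition is equivalent to `"./" in path` alone. Stating the rule per component makes the intent readable, e.g. `if any(part in (".", "..") for part in path.split("/")):`. That form would also begin accepting segments that merely end in a dot, which the substring test currently rejects, so confirm that is wanted before adopting it. The enclosing method begins and ends outside the hunk.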