From ac0dc3bf11230729f83d6101fab125a17a5b94e9 Mon Sep 17 00:00:00 2001
From: HelloZeroNet
Date: Sat, 20 Feb 2016 11:19:28 +0100
Subject: [PATCH] Rev906, Escape file path, Only allow to modify tor in configuration

---
 src/Config.py | 2 +-
 src/Ui/UiRequest.py | 4 ++--
 src/Ui/UiWebsocket.py | 7 ++++++-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/Config.py b/src/Config.py
index f6414e14..377784b8 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -8,7 +8,7 @@ class Config(object):
 
 def __init__(self, argv):
 self.version = "0.3.6"
- self.rev = 905
+ self.rev = 906
 self.argv = argv
 self.action = None
 self.config_file = "zeronet.conf"
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 1348eac3..e70b3b6c 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -271,8 +271,8 @@ class UiRequest(object):
 "src/Ui/template/wrapper.html",
 server_url=server_url,
 inner_path=inner_path,
- file_url=file_url,
- file_inner_path=file_inner_path,
+ file_url=re.escape(file_url),
+ file_inner_path=re.escape(file_inner_path),
 address=site.address,
 title=cgi.escape(title, True),
 body_style=body_style,
diff --git a/src/Ui/UiWebsocket.py b/src/Ui/UiWebsocket.py
index 7a3b7f87..0643e819 100644
--- a/src/Ui/UiWebsocket.py
+++ b/src/Ui/UiWebsocket.py
@@ -3,6 +3,7 @@ import time
 import sys
 import hashlib
 import os
+import re
 
 import gevent
 
@@ -611,6 +612,10 @@ class UiWebsocket(object):
 sys.modules["main"].ui_server.stop()
 
 def actionConfigSet(self, to, key, value):
+ if key not in ["tor"]:
+ self.response(to, "denied")
+ return
+
 if not os.path.isfile(config.config_file):
 content = ""
 else:
@@ -631,7 +636,7 @@ class UiWebsocket(object):
 if key_line_i:
 del lines[key_line_i]
 else: # Add / update
- new_line = "%s = %s" % (key, value)
+ new_line = "%s = %s" % (key, value.replace("\n", "").replace("\r", ""))
 if key_line_i: # Already in the config, change the line
 lines[key_line_i] = new_line
 elif global_line_i is None: # No global section yet, append to end of file
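Review bot: `file_url=re.escape(file_url)` and `file_inner_path=re.escape(file_inner_path)` apply a regex-metacharacter escaper to values that are handed to a rendered template, which is the wrong tool: what it escapes depends on the Python version (Python 2's re.escape backslashes every non-alphanumeric character, 3.7+ only regex specials), and the backslashes it inserts mean nothing in HTML while they are escape sequences inside a JavaScript string literal. Two lines further down the same call already escapes `title` with `cgi.escape(title, True)`; if these two values land in HTML text or attributes, `file_url=cgi.escape(file_url, True),` and `file_inner_path=cgi.escape(file_inner_path, True),` keep one escaping convention per template, and if they are interpolated into a script block, `json.dumps` is the escaper that matches that context — the wrapper template is outside this diff, so which case applies needs checking there. The render call this hunk sits in starts and ends outside the hunk.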
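Review bot: `import re` is added to UiWebsocket.py, but neither of this file's other hunks uses `re` — the new actionConfigSet guard is a list membership test and the value clean-up in the hunk at line 636 uses `str.replace` — and the diffstat accounts for all six additions to this file, so unless a use exists in untouched code it is an unused import. Either drop it or put it to work validating the config value in actionConfigSet.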
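Review bot: The new guard `if key not in ["tor"]:` restricts which config key a client may change, but `value` passes through this check untouched and is only sanitized by stripping CR/LF on the add/update path in the hunk at line 636, so the input validation for this handler is split across two places. A module-level constant such as `CONFIG_KEYS_SETTABLE = ("tor",)` with `if key not in CONFIG_KEYS_SETTABLE:` names the policy and is where the next permitted key goes, and a companion check beside it — `if "\n" in value or "\r" in value:` answering with the same `denied` response — would reject a value that cannot be written as one config line instead of rewriting it. I cannot see what values the tor setting accepts; if it is a closed set, matching the value against that set here is the tighter check. actionConfigSet's body continues past the end of the hunk.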
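Review bot: `value.replace("\n", "").replace("\r", "")` silently alters the client's input rather than refusing it, so a value containing a line break is written in a modified form with no error returned, whereas the same commit answers an unexpected key with `denied`. It also assumes `value` is a string: presumably it arrives JSON-decoded from the websocket (not visible here), and a number, boolean or null would raise AttributeError on `.replace` instead of producing a `denied` response, so either validate the type up front or coerce with `str(value)` before the replace. The enclosing actionConfigSet starts before this hunk and continues past it.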