Rev906, Escape file path, Only allow to modify tor in configuration

2016-02-20 11:19:28 +01:00 · 2016-02-20 11:19:28 +01:00 · ac0dc3bf11
commit ac0dc3bf11
parent 2f25204be9
3 changed files with 9 additions and 4 deletions
--- a/src/Config.py
+++ b/src/Config.py
@ -8,7 +8,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.3.6"
-        self.rev = 905
+        self.rev = 906
        self.argv = argv
        self.action = None
        self.config_file = "zeronet.conf"
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -271,8 +271,8 @@ class UiRequest(object):
            "src/Ui/template/wrapper.html",
            server_url=server_url,
            inner_path=inner_path,
-            file_url=file_url,
-            file_inner_path=file_inner_path,
+            file_url=re.escape(file_url),
+            file_inner_path=re.escape(file_inner_path),
            address=site.address,
            title=cgi.escape(title, True),
            body_style=body_style,
--- a/src/Ui/UiWebsocket.py
+++ b/src/Ui/UiWebsocket.py
@ -3,6 +3,7 @@ import time
 import sys
 import hashlib
 import os
+import re

 import gevent

@ -611,6 +612,10 @@ class UiWebsocket(object):
        sys.modules["main"].ui_server.stop()

    def actionConfigSet(self, to, key, value):
+        if key not in ["tor"]:
+            self.response(to, "denied")
+            return
+
        if not os.path.isfile(config.config_file):
            content = ""
        else:
@ -631,7 +636,7 @@ class UiWebsocket(object):
            if key_line_i:
                del lines[key_line_i]
        else:  # Add / update
-            new_line = "%s = %s" % (key, value)
+            new_line = "%s = %s" % (key, value.replace("\n", "").replace("\r", ""))
            if key_line_i:  # Already in the config, change the line
                lines[key_line_i] = new_line
            elif global_line_i is None:  # No global section yet, append to end of file