Rev1816, Fix exe distribution forbidden error

shortcutme 2017-01-14 12:43:05 +01:00
parent d6ff1dfd8d
commit d3fc1cf897
No known key found for this signature in database
GPG key ID: 9557210F5E536D3D
2 changed files with 3 additions and 9 deletions


@ -9,7 +9,7 @@ class Config(object):
def __init__(self, argv): def __init__(self, argv):
self.version = "0.5.1" self.version = "0.5.1"
self.rev = 1815 self.rev = 1816
self.argv = argv self.argv = argv
self.action = None self.action = None
self.config_file = "zeronet.conf" self.config_file = "zeronet.conf"


@ -358,14 +358,8 @@ class UiRequest(object):
if path_parts: # Looks like a valid path if path_parts: # Looks like a valid path
address = path_parts["address"] address = path_parts["address"]
file_path = "%s/%s/%s" % (config.data_dir, address, path_parts["inner_path"]) file_path = "%s/%s/%s" % (config.data_dir, address, path_parts["inner_path"])
allowed_dir = os.path.abspath("%s/%s" % (config.data_dir, address)) # Only files within data/sitehash allowed if ".." in path_parts["inner_path"]: # File not in allowed path
data_dir = os.path.abspath(config.data_dir) # No files from data/ allowed return self.error403("Invalid file path")
if (
".." in file_path or
not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir) or
allowed_dir == data_dir
): # File not in allowed path
return self.error403()
else: else:
if config.debug and file_path.split("/")[-1].startswith("all."): if config.debug and file_path.split("/")[-1].startswith("all."):
# If debugging merge *.css to all.css and *.js to all.js # If debugging merge *.css to all.css and *.js to all.js
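Review bot: The `".." in path_parts["inner_path"]` test is now the only containment guard in this branch, and it inspects the request string rather than the resolved path; the removed condition also confirmed that the file resolved under `data/<address>` and that `allowed_dir` was not `data_dir` itself. `address` is still interpolated into `file_path` unchecked here, so the guarantee that it is never empty or `.` rests entirely on the path parser outside this hunk, which is worth confirming. If the old check was dropped because it misfired in the packaged exe, consider keeping a resolved comparison with both sides normalised the same way: `allowed_dir = os.path.realpath("%s/%s" % (config.data_dir, address))` followed by `if not os.path.realpath(file_path).startswith(allowed_dir + os.sep): return self.error403("Invalid file path")`. The substring test also rejects legitimate names such as `a..b.js`. The enclosing method starts and ends outside the hunk.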