oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make sure to sanitize request url

Browse source
This commit is contained in:
shortcutme 2018-06-25 14:23:38 +02:00
parent 9afc39d5f1
commit df0562d6b4
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/Ui/UiRequest.py
View file

@ -82,6 +82,11 @@ class UiRequest(object):
path = re.sub("^http://zero[/]+", "/", path) # Remove begining http://zero/ for chrome extension path = re.sub("^http://zero[/]+", "/", path) # Remove begining http://zero/ for chrome extension
path = re.sub("^http://", "/", path) # Remove begining http for chrome extension .bit access path = re.sub("^http://", "/", path) # Remove begining http for chrome extension .bit access
# Sanitize request url
path = path.replace("\\", "/")
if "../" in path or "./" in path:
raise SecurityError("Invalid path")
if self.env["REQUEST_METHOD"] == "OPTIONS": if self.env["REQUEST_METHOD"] == "OPTIONS":
if "/" not in path.strip("/"): if "/" not in path.strip("/"):
content_type = self.getContentType("index.html") content_type = self.getContentType("index.html")
@ -437,6 +442,7 @@ class UiRequest(object):
# Return {address: 1Site.., inner_path: /data/users.json} from url path # Return {address: 1Site.., inner_path: /data/users.json} from url path
def parsePath(self, path): def parsePath(self, path):
path = path.replace("\\", "/")
path = path.replace("/index.html/", "/") # Base Backward compatibility fix path = path.replace("/index.html/", "/") # Base Backward compatibility fix
if path.endswith("/"): if path.endswith("/"):
path = path + "index.html" path = path + "index.html"