oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rev2034, Fix leaking users.json via webui

Browse source
This commit is contained in:
shortcutme 2017-04-09 16:54:28 +02:00
parent 279e2ae865
commit f3edd8013d
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
3 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/Config.py
View file

@ -10,7 +10,7 @@ class Config(object):
def __init__(self, argv): def __init__(self, argv):
self.version = "0.5.3" self.version = "0.5.3"
self.rev = 2033 self.rev = 2034
self.argv = argv self.argv = argv
self.action = None self.action = None
self.config_file = "zeronet.conf" self.config_file = "zeronet.conf"

9
src/Test/TestWeb.py
View file

@ -38,10 +38,11 @@ class TestWeb:
assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url) assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url)
assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url) assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url)
assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url) assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url)
assert "Not Found" in wget("%s/content.db" % site_url) assert "Forbidden" in wget("%s/content.db" % site_url)
assert "Not Found" in wget("%s/./key-rsa.pem" % site_url) assert "Forbidden" in wget("%s/./users.json" % site_url)
assert "Not Found" in wget("%s/././././././././././//////sites.json" % site_url) assert "Forbidden" in wget("%s/./key-rsa.pem" % site_url)
assert "Forbidden" in wget("%s/././././././././././//////sites.json" % site_url)
def testLinkSecurity(self, browser, site_url): def testLinkSecurity(self, browser, site_url):
browser.get("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url) browser.get("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url)

2
src/Ui/UiRequest.py
View file

@ -374,6 +374,8 @@ class UiRequest(object):
if site.settings["own"]: if site.settings["own"]:
from Debug import DebugMedia from Debug import DebugMedia
DebugMedia.merge(file_path) DebugMedia.merge(file_path)
if not address or address == ".":
return self.error403(path_parts["inner_path"])
if os.path.isfile(file_path): # File exists if os.path.isfile(file_path): # File exists
return self.actionFile(file_path, header_length=header_length) return self.actionFile(file_path, header_length=header_length)
elif os.path.isdir(file_path): # If this is actually a folder, add "/" and redirect elif os.path.isdir(file_path): # If this is actually a folder, add "/" and redirect