GitHub/Anki
1
0
Fork 0
mirror of https://github.com/ankitects/anki.git synced 2025-09-19 06:22:22 -04:00
Code Issues Projects Releases Packages 1 Wiki Activity Actions

Ensure protection against directory transversal

Browse source 
https://security.openstack.org/guidelines/dg_using-file-paths.html
This commit is contained in:
evandrocoan 2020-06-18 19:58:39 -03:00
parent be10da58d9
commit 1e6fa5f8eb
1 changed files with 15 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
qt/aqt/mediasrv.py
View file

@ -93,6 +93,18 @@ def allroutes(path):
mimetype="text/plain", mimetype="text/plain",
) )
directory = os.path.realpath(directory)
path = os.path.normpath(path)
fullpath = os.path.realpath(os.path.join(directory, path))
# protect against directory transversal: https://security.openstack.org/guidelines/dg_using-file-paths.html
if not fullpath.startswith(directory):
return flask.Response(
"Path for '%s - %s' is a security leak!" % (directory, path),
status=HTTPStatus.FORBIDDEN,
mimetype="text/plain",
)
if isdir: if isdir:
return flask.Response( return flask.Response(
"Path for '%s - %s' is a directory (not supported)!" % (directory, path), "Path for '%s - %s' is a directory (not supported)!" % (directory, path),
@ -103,6 +115,9 @@ def allroutes(path):
try: try:
if devMode: if devMode:
print("Sending file '%s - %s'" % (directory, path)) print("Sending file '%s - %s'" % (directory, path))
path = os.path.basename(fullpath)
directory = os.path.dirname(fullpath)
return flask.send_from_directory(directory, path) return flask.send_from_directory(directory, path)
except Exception as error: except Exception as error: