mirror of https://github.com/sc0tfree/updog.git
Add function is_valid_upload_path to fix crafted filepaths to escape the base directory. Close #2.
parent
ed0f9113db
commit
1fe14fb125
|
@ -8,7 +8,7 @@ from werkzeug.utils import secure_filename
|
|||
from werkzeug.security import generate_password_hash, check_password_hash
|
||||
from werkzeug.serving import run_simple
|
||||
|
||||
from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
|
||||
from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
|
||||
from updog.utils.output import error, info, warn, success
|
||||
from updog import version as VERSION
|
||||
|
||||
|
@ -129,7 +129,7 @@ def main():
|
|||
|
||||
path = request.form['path']
|
||||
# Prevent file upload to paths outside of base directory
|
||||
if not is_valid_subpath(path, base_directory) or path == '':
|
||||
if not is_valid_upload_path(path, base_directory):
|
||||
return redirect(request.referrer)
|
||||
|
||||
for file in request.files.getlist('file'):
|
||||
|
|
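Review bot: The rejection branch under `if not is_valid_upload_path(path, base_directory):` drops the request without recording it, so an attempt to upload outside the base directory leaves no trace for whoever operates the server. Logging it through the already imported `warn` helper before the redirect, e.g. `warn('Rejected upload to path outside base directory: %r' % path)`, would make such attempts visible (this assumes `warn` takes a single message string; its definition is not in the hunk). Separately, `request.referrer` comes from a client-supplied header and may be absent, so a fixed fallback target would be safer than redirecting to it unconditionally. `main()` starts and ends outside the hunk, so the later use of `path` together with each uploaded file name could not be checked here.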
|
@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
|
|||
return os.path.commonprefix([base_directory, in_question]) == base_directory
|
||||
|
||||
|
||||
def is_valid_upload_path(path, base_directory):
|
||||
if path == '':
|
||||
return False
|
||||
in_question = os.path.abspath(path)
|
||||
return os.path.commonprefix([base_directory, in_question]) == base_directory
|
||||
|
||||
|
||||
def get_relative_path(file_path, base_directory):
|
||||
return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]
|
||||
|
||||
|
|
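Review bot: `os.path.commonprefix` in the new `is_valid_upload_path` compares the two strings character by character rather than by path component, so a directory whose name merely begins with the base directory's name (constructed example: base `/srv/share`, target `/srv/share-old`) is accepted as being inside it. The check should compare whole components with `os.path.commonpath`, normalise both sides with `os.path.realpath` so that symlinks, which `abspath` leaves in place, are resolved, and treat the `ValueError` that `commonpath` raises for incomparable paths as a rejection. `is_valid_subpath`, whose body starts above the hunk, ends with the same `commonprefix` comparison and would need the same change. A short docstring saying that `path` is expected to be absolute would also help, since a relative value is resolved against the process working directory rather than `base_directory`.

```python
def is_valid_upload_path(path, base_directory):
    # … unchanged: empty-path rejection …
    base = os.path.realpath(base_directory)
    in_question = os.path.realpath(path)
    try:
        # Component-wise comparison: "/srv/share-old" is not under "/srv/share".
        return os.path.commonpath([base, in_question]) == base
    except ValueError:
        # Raised for paths on different drives or a mix of absolute and
        # relative paths; neither can be inside the base directory.
        return False
```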