Add function is_valid_upload_path to fix crafted filepaths to escape the base directory. Close #2.

2020-02-18 21:48:21 -05:00 · 2020-02-18 21:48:21 -05:00 · 1fe14fb125
parent ed0f9113db
commit 1fe14fb125
2 changed files with 9 additions and 2 deletions
--- a/updog/main.py
+++ b/updog/main.py
@ -8,7 +8,7 @@ from werkzeug.utils import secure_filename
 from werkzeug.security import generate_password_hash, check_password_hash
 from werkzeug.serving import run_simple

-from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
+from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
 from updog.utils.output import error, info, warn, success
 from updog import version as VERSION

@ -129,7 +129,7 @@ def main():

            path = request.form['path']
            # Prevent file upload to paths outside of base directory
-            if not is_valid_subpath(path, base_directory) or path == '':
+            if not is_valid_upload_path(path, base_directory):
                return redirect(request.referrer)

            for file in request.files.getlist('file'):
--- a/updog/utils/path.py
+++ b/updog/utils/path.py
@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
    return os.path.commonprefix([base_directory, in_question]) == base_directory


+def is_valid_upload_path(path, base_directory):
+    if path == '':
+        return False
+    in_question = os.path.abspath(path)
+    return os.path.commonprefix([base_directory, in_question]) == base_directory
+
+
 def get_relative_path(file_path, base_directory):
    return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]