From 1fe14fb125e0eb9a3e617ae2cdbf2edb0db00c78 Mon Sep 17 00:00:00 2001
From: sc0tfree
Date: Tue, 18 Feb 2020 21:48:21 -0500
Subject: [PATCH] Add function is_valid_upload_path to fix crafted filepaths to escape the base directory. Close #2.
---
 updog/__main__.py | 4 ++--
 updog/utils/path.py | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/updog/__main__.py b/updog/__main__.py
index 239fef2..63d5e06 100644
--- a/updog/__main__.py
+++ b/updog/__main__.py
@@ -8,7 +8,7 @@ from werkzeug.utils import secure_filename
 from werkzeug.security import generate_password_hash, check_password_hash
 from werkzeug.serving import run_simple
-from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
+from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
 from updog.utils.output import error, info, warn, success
 from updog import version as VERSION
@@ -129,7 +129,7 @@ def main():
 path = request.form['path']
 # Prevent file upload to paths outside of base directory
- if not is_valid_subpath(path, base_directory) or path == '':
+ if not is_valid_upload_path(path, base_directory):
 return redirect(request.referrer)
 for file in request.files.getlist('file'):
diff --git a/updog/utils/path.py b/updog/utils/path.py
index 7f650ee..cde0c3f 100644
--- a/updog/utils/path.py
+++ b/updog/utils/path.py
@@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
 return os.path.commonprefix([base_directory, in_question]) == base_directory
+def is_valid_upload_path(path, base_directory):
+ if path == '':
+ return False
+ in_question = os.path.abspath(path)
+ return os.path.commonprefix([base_directory, in_question]) == base_directory
+
+
 def get_relative_path(file_path, base_directory):
 return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]
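Review bot: The rejection branch on the added `if not is_valid_upload_path(path, base_directory):` line redirects silently, so a form-supplied `path` that fails the check leaves no trace in the server output, even though `warn` is already imported from `updog.utils.output` in the first hunk of this file. Consider emitting a log line before the redirect, e.g. `warn('Rejected upload to path outside base directory: %s' % path)` (adjusted to warn's actual signature, which is not visible here), so an operator can notice repeated attempts against the check. `main()` starts and ends outside the hunk.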
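Review bot: `os.path.commonprefix` on the added `return` line of `is_valid_upload_path` compares strings character by character, not path components, so a sibling directory whose name merely starts with `base_directory` (e.g. `/srv/upload` vs `/srv/upload2`) satisfies the check; the unchanged `return` of `is_valid_subpath` just above the new function has the same weakness. A component-wise comparison closes this: `return os.path.commonpath([base_directory, in_question]) == base_directory`, noting that `commonpath` raises `ValueError` on an absolute/relative mix (and on differing drives on Windows), so `base_directory` must be absolute and normalized — how it is built is not visible in this diff. `os.path.abspath` also leaves symlinks unresolved; if symlinked entries under the base directory are a concern, `os.path.realpath` on both sides would be the stricter choice. A one-line docstring such as `"""Return True if *path* is non-empty and resolves to a location inside *base_directory*."""` would document the intended contract.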