Increment version to 1.4

Add function is_valid_upload_path to fix crafted filepaths to escape the base directory. Close #2 .
Release update to 1.3
2020-02-18 22:26:57 -05:00 · 2020-02-18 21:48:21 -05:00 · 2020-02-18 21:02:57 -05:00 · 2020-02-18 20:57:53 -05:00 · 2020-02-18 20:35:27 -05:00 · 2020-02-18 11:58:55 -05:00
4 changed files with 14 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-![Version 1.0](http://img.shields.io/badge/version-v1.0-green.svg)
+![Version 1.4](http://img.shields.io/badge/version-v1.4-green.svg)
 ![Python 3.8](http://img.shields.io/badge/python-3.8-blue.svg)
 [![MIT License](http://img.shields.io/badge/license-MIT%20License-blue.svg)](https://github.com/sc0tfree/updog/blob/master/LICENSE)
 [![sc0tfree Twitter](http://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/sc0tfree)
--- a/updog/init.py
+++ b/updog/init.py
@ -1,4 +1,4 @@
-version_info = (1,0)
+version_info = (1,4)
 version = '.'.join(str(c) for c in version_info)

 base_directory = ''
--- a/updog/main.py
+++ b/updog/main.py
@ -8,7 +8,7 @@ from werkzeug.utils import secure_filename
 from werkzeug.security import generate_password_hash, check_password_hash
 from werkzeug.serving import run_simple

-from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
+from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
 from updog.utils.output import error, info, warn, success
 from updog import version as VERSION

@ -37,6 +37,9 @@ def parse_arguments():

    args = parser.parse_args()

+    # Normalize the path
+    args.directory = os.path.abspath(args.directory)
+
    return args


@ -126,7 +129,7 @@ def main():

            path = request.form['path']
            # Prevent file upload to paths outside of base directory
-            if not is_valid_subpath(path, base_directory):
+            if not is_valid_upload_path(path, base_directory):
                return redirect(request.referrer)

            for file in request.files.getlist('file'):
--- a/updog/utils/path.py
+++ b/updog/utils/path.py
@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
    return os.path.commonprefix([base_directory, in_question]) == base_directory


+def is_valid_upload_path(path, base_directory):
+    if path == '':
+        return False
+    in_question = os.path.abspath(path)
+    return os.path.commonprefix([base_directory, in_question]) == base_directory
+
+
 def get_relative_path(file_path, base_directory):
    return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]
Author	SHA1	Message	Date
sc0tfree	28a1ac1612	Increment version to 1.4	2020-02-18 22:26:57 -05:00
sc0tfree	1fe14fb125	Add function is_valid_upload_path to fix crafted filepaths to escape the base directory. Close #2 .	2020-02-18 21:48:21 -05:00
sc0tfree	ed0f9113db	Release update to 1.3	2020-02-18 21:02:57 -05:00
sc0tfree	39d544a932	Add blank path validation. Close #2 .	2020-02-18 20:57:53 -05:00
sc0tfree	5566289daf	Change path validation to absolute to account for relative paths. Close #1 .	2020-02-18 20:35:27 -05:00
sc0tfree	6221f13bba	Update version for release	2020-02-18 11:58:55 -05:00
sc0tfree	157b429794	Fix bug by normalizing input path	2020-02-18 11:58:05 -05:00
sc0tfree	83981d1b8a	Increate version to 1.1 for PyPi	2020-02-18 11:32:34 -05:00