mirror of https://github.com/sc0tfree/updog.git
Compare commits
7 Commits
Author | SHA1 | Date |
---|---|---|
sc0tfree | 28a1ac1612 | |
sc0tfree | 1fe14fb125 | |
sc0tfree | ed0f9113db | |
sc0tfree | 39d544a932 | |
sc0tfree | 5566289daf | |
sc0tfree | 6221f13bba | |
sc0tfree | 157b429794 |
|
@ -1,4 +1,4 @@
|
|||
![Version 1.1](http://img.shields.io/badge/version-v1.1-green.svg)
|
||||
![Version 1.4](http://img.shields.io/badge/version-v1.4-green.svg)
|
||||
![Python 3.8](http://img.shields.io/badge/python-3.8-blue.svg)
|
||||
[![MIT License](http://img.shields.io/badge/license-MIT%20License-blue.svg)](https://github.com/sc0tfree/updog/blob/master/LICENSE)
|
||||
[![sc0tfree Twitter](http://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/sc0tfree)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
version_info = (1,1)
|
||||
version_info = (1,4)
|
||||
version = '.'.join(str(c) for c in version_info)
|
||||
|
||||
base_directory = ''
|
|
@ -8,7 +8,7 @@ from werkzeug.utils import secure_filename
|
|||
from werkzeug.security import generate_password_hash, check_password_hash
|
||||
from werkzeug.serving import run_simple
|
||||
|
||||
from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
|
||||
from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
|
||||
from updog.utils.output import error, info, warn, success
|
||||
from updog import version as VERSION
|
||||
|
||||
|
@ -37,6 +37,9 @@ def parse_arguments():
|
|||
|
||||
args = parser.parse_args()
|
||||
|
||||
# Normalize the path
|
||||
args.directory = os.path.abspath(args.directory)
|
||||
|
||||
return args
|
||||
|
||||
|
||||
|
@ -126,7 +129,7 @@ def main():
|
|||
|
||||
path = request.form['path']
|
||||
# Prevent file upload to paths outside of base directory
|
||||
if not is_valid_subpath(path, base_directory):
|
||||
if not is_valid_upload_path(path, base_directory):
|
||||
return redirect(request.referrer)
|
||||
|
||||
for file in request.files.getlist('file'):
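Review bot: A rejected upload leaves no trace: when `is_valid_upload_path(path, base_directory)` fails, the handler only returns `redirect(request.referrer)`, so an operator cannot tell that a client submitted a `path` outside the served directory. The module already imports `warn` from `updog.utils.output`; assuming it takes a message string, a line such as `warn('Rejected upload to path outside base directory: %r' % path)` before the redirect would make these attempts visible. The redirect target also comes from the client-supplied Referer header and may be absent, so a fixed fallback location is worth adding. The body of `main()` starts and ends outside this hunk.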
|
||||
|
|
|
@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
|
|||
return os.path.commonprefix([base_directory, in_question]) == base_directory
|
||||
|
||||
|
||||
def is_valid_upload_path(path, base_directory):
|
||||
if path == '':
|
||||
return False
|
||||
in_question = os.path.abspath(path)
|
||||
return os.path.commonprefix([base_directory, in_question]) == base_directory
|
||||
|
||||
|
||||
def get_relative_path(file_path, base_directory):
|
||||
return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]
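Review bot: `is_valid_upload_path` compares paths with `os.path.commonprefix`, which matches character by character rather than by path component, so a sibling directory whose name merely starts with the base directory's name (constructed example: base `/srv/share`, upload path `/srv/share-old`) passes the check. `os.path.commonpath` compares whole components: `return os.path.commonpath([base_directory, in_question]) == base_directory`; the context line of `is_valid_subpath` above uses the same comparison. `os.path.abspath` also does not resolve symlinks, so `os.path.realpath` on both sides would be needed if links inside the served directory must not lead outside it. A short docstring stating that `path` is expected to be absolute and that the empty string is rejected would help, since `abspath` resolves a relative value against the process working directory. `is_valid_subpath` begins outside the hunk.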
|
||||
|
||||
|
|