From 680bb77f2c2cd4e39344502268f4552932052881 Mon Sep 17 00:00:00 2001
From: solusipse
Date: Mon, 9 Oct 2017 20:15:22 +0200
Subject: [PATCH] Blocked dir traversal

---
 extras/lines/lines.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/extras/lines/lines.py b/extras/lines/lines.py
index 5d46b6a..df6b80c 100644
--- a/extras/lines/lines.py
+++ b/extras/lines/lines.py
@@ -19,14 +19,18 @@ def main():
     @app.route('/')
     def beautify(slug):
         # Return 404 in case of urls longer than 64 chars
-        if (len(slug) > 64):
+        if len(slug) > 64:
             abort(404)
 
         # Create path for the target dir
         target_dir = os.path.join(args.root_dir, slug)
 
+        # Block directory traversal attempts
+        if not target_dir.startswith(args.root_dir):
+            abort(404)
+
         # Check if directory with requested slug exists
-        if (os.path.isdir(target_dir)):
+        if os.path.isdir(target_dir):
             target_file = os.path.join(target_dir, "index.txt")
 
             # File index.txt found inside that dir
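Review bot: The new `startswith(args.root_dir)` guard compares an un-normalized string, so a slug containing a `..` component still yields a path that begins with `args.root_dir` and passes the check even though it resolves outside the root; an absolute slug is rejected only because `os.path.join` discards the root in that case. The prefix test also lacks a trailing separator, so a sibling directory whose name merely starts with the root's name would be accepted. Normalize both sides before comparing, e.g. `target_dir = os.path.realpath(os.path.join(args.root_dir, slug))` followed by `if not target_dir.startswith(os.path.realpath(args.root_dir) + os.sep):`, and note in the comment that `realpath` also follows symlinks, which is a policy choice to confirm for this deployment. Whether the Flask converter on this route even admits `..` or slashes cannot be seen from the hunk (the decorator shows `'/'`), so the guard should not rely on routing to filter them. The body of `beautify` and the enclosing `main()` continue past the end of the hunk.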