Blocked dir traversal

solusipse
2017-10-09 20:15:22 +02:00
parent 1220515107
commit 680bb77f2c


@@ -19,14 +19,18 @@ def main():
@app.route('/<slug>') @app.route('/<slug>')
def beautify(slug): def beautify(slug):
# Return 404 in case of urls longer than 64 chars # Return 404 in case of urls longer than 64 chars
if (len(slug) > 64): if len(slug) > 64:
abort(404) abort(404)
# Create path for the target dir # Create path for the target dir
target_dir = os.path.join(args.root_dir, slug) target_dir = os.path.join(args.root_dir, slug)
# Block directory traversal attempts
if not target_dir.startswith(args.root_dir):
abort(404)
# Check if directory with requested slug exists # Check if directory with requested slug exists
if (os.path.isdir(target_dir)): if os.path.isdir(target_dir):
target_file = os.path.join(target_dir, "index.txt") target_file = os.path.join(target_dir, "index.txt")
# File index.txt found inside that dir # File index.txt found inside that dir