Blocked dir traversal

2017-10-09 20:15:22 +02:00
parent 1220515107
commit 680bb77f2c
1 changed files with 6 additions and 2 deletions
--- a/extras/lines/lines.py
+++ b/extras/lines/lines.py
@@ -19,14 +19,18 @@ def main():
@app.route('/<slug>')
 def beautify(slug):
    # Return 404 in case of urls longer than 64 chars
-    if (len(slug) > 64):
+    if len(slug) > 64:
        abort(404)

    # Create path for the target dir
    target_dir = os.path.join(args.root_dir, slug)

+    # Block directory traversal attempts
+    if not target_dir.startswith(args.root_dir):
+        abort(404)
+
    # Check if directory with requested slug exists
-    if (os.path.isdir(target_dir)):
+    if os.path.isdir(target_dir):
        target_file = os.path.join(target_dir, "index.txt")
        
        # File index.txt found inside that dir