From 1f5c1b4669da599fcd3a41efb9746663b4cc1f2c Mon Sep 17 00:00:00 2001
From: gluap
Date: Tue, 12 Apr 2022 23:12:25 +0200
Subject: [PATCH] backport fix to 0.3.4
---
 api/obs/api/routes/frontend.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/api/obs/api/routes/frontend.py b/api/obs/api/routes/frontend.py
index c5547c0..a230d2f 100644
--- a/api/obs/api/routes/frontend.py
+++ b/api/obs/api/routes/frontend.py
@@ -1,4 +1,4 @@
-from os.path import join, exists, isfile
+from os.path import join, exists, isfile, abspath
 import sanic.response as response
 from sanic.exceptions import NotFound
@@ -45,6 +45,9 @@ if INDEX_HTML and exists(INDEX_HTML):
 raise NotFound()
 file = join(app.config.FRONTEND_DIR, path)
+ if not abspath(file).startswith(abspath(app.config.FRONTEND_DIR)):
+ raise NotFound()
+
 if not exists(file) or not path or not isfile(file):
 return response.html(
 index_file_contents.replace("__BASE_HREF__", req.ctx.frontend_url + "/")
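Review bot: The containment check added in the second hunk is a plain string-prefix test, `abspath(file).startswith(abspath(app.config.FRONTEND_DIR))`, which also accepts files under a sibling directory whose name merely begins with the frontend directory's name (with `FRONTEND_DIR` set to `/srv/frontend`, anything under `/srv/frontend-old/` passes), and `abspath` does not resolve symlinks, so a link inside the frontend tree that points outside it is still served. A component-wise comparison closes the prefix gap: `base = abspath(app.config.FRONTEND_DIR)` / `if commonpath([base, abspath(file)]) != base:` / `raise NotFound()`, with `commonpath` added to the `from os.path import` line changed in the first hunk; using `realpath` on both sides instead of `abspath` would additionally canonicalize symlinks, if that is the intended policy. The enclosing handler starts before this hunk and continues after it.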