Merge pull request #232 from openbikesensor/fix-traversal

do not serve files from outside the frontend dir.
gluap 2022-04-12 23:19:59 +02:00 committed by GitHub
commit 96d157b226
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1,4 +1,4 @@
from os.path import join, exists, isfile from os.path import join, exists, isfile, abspath
import sanic.response as response import sanic.response as response
from sanic.exceptions import NotFound from sanic.exceptions import NotFound
@ -50,6 +50,9 @@ if INDEX_HTML and exists(INDEX_HTML):
raise NotFound() raise NotFound()
file = join(app.config.FRONTEND_DIR, path) file = join(app.config.FRONTEND_DIR, path)
if not abspath(file).startswith(abspath(app.config.FRONTEND_DIR)):
raise NotFound()
if not exists(file) or not path or not isfile(file): if not exists(file) or not path or not isfile(file):
return response.html( return response.html(
index_file_contents.replace("__BASE_HREF__", req.ctx.frontend_url + "/") index_file_contents.replace("__BASE_HREF__", req.ctx.frontend_url + "/")