pub-solar/obs-portal
5
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

do not serve files from outside the frontend dir.

Browse source
This commit is contained in:
gluap 2022-04-12 20:11:34 +02:00
parent f229ab4112
commit c61157aca3
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
api/obs/api/routes/frontend.py
View file

@ -1,4 +1,4 @@
from os.path import join, exists, isfile from os.path import join, exists, isfile, abspath
import sanic.response as response import sanic.response as response
from sanic.exceptions import NotFound from sanic.exceptions import NotFound
@ -50,6 +50,9 @@ if INDEX_HTML and exists(INDEX_HTML):
raise NotFound() raise NotFound()
file = join(app.config.FRONTEND_DIR, path) file = join(app.config.FRONTEND_DIR, path)
if not abspath(file).startswith(abspath(app.config.FRONTEND_DIR)):
raise NotFound()
if not exists(file) or not path or not isfile(file): if not exists(file) or not path or not isfile(file):
return response.html( return response.html(
index_file_contents.replace("__BASE_HREF__", req.ctx.frontend_url + "/") index_file_contents.replace("__BASE_HREF__", req.ctx.frontend_url + "/")