Change method to prevent forbidden directory traversal. Ref #1894

This commit is contained in:
grossmj
2021-05-16 14:29:56 +09:30
parent f3d81fa450
commit 2bf16f1e5f
8 changed files with 104 additions and 17 deletions


@ -19,6 +19,7 @@ API routes for projects.
"""
import os
import urllib.parse
import logging
@ -198,6 +199,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
Get a file from a project.
"""
file_path = urllib.parse.unquote(file_path)
path = os.path.normpath(file_path)
# Raise error if user try to escape
@ -214,6 +216,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
@router.post("/projects/{project_id}/files/{file_path:path}", status_code=status.HTTP_204_NO_CONTENT)
async def write_compute_project_file(file_path: str, request: Request, project: Project = Depends(dep_project)) -> None:
file_path = urllib.parse.unquote(file_path)
path = os.path.normpath(file_path)
# Raise error if user try to escape