Change method to prevent forbidden directory traversal. Ref #1894

This commit is contained in:
grossmj
2021-05-16 14:29:56 +09:30
parent f3d81fa450
commit 2bf16f1e5f
8 changed files with 104 additions and 17 deletions


@ -24,6 +24,7 @@ import tempfile
import zipfile
import aiofiles
import time
import urllib.parse
import logging
@ -369,7 +370,8 @@ async def get_file(file_path: str, project: Project = Depends(dep_project)) -> F
Return a file from a project.
"""
path = os.path.normpath(file_path).strip("/")
file_path = urllib.parse.unquote(file_path)
path = os.path.normpath(file_path)
# Raise error if user try to escape
if not is_safe_path(path, project.path):
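Review bot: Once `file_path` has gone through `urllib.parse.unquote` on the new line 370, it can contain a NUL byte (a `%00` escape decodes to `\x00`); `os.path.normpath` keeps it, and unless `is_safe_path` rejects it (its body is outside the hunk) the eventual file open will fail with ValueError "embedded null byte" and surface as a server error rather than the clean refusal the safety check is meant to give. Folding the check into the existing condition, `if "\0" in path or not is_safe_path(path, project.path):`, closes that gap without changing the flow. Dropping the old `.strip("/")` also means a decoded path that is absolute now reaches `is_safe_path` untouched, so whether it is refused depends entirely on how that helper joins and prefix-compares against `project.path` — I would add tests for a leading slash and for `..` segments, both plain and percent-encoded, to pin that down. The same decode/normalize pair is duplicated in write_file in the next hunk; a small shared helper that decodes, normalizes and validates in one place would keep the two routes from drifting apart again. The enclosing get_file starts and ends outside this hunk.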
@ -388,7 +390,8 @@ async def write_file(file_path: str, request: Request, project: Project = Depend
Write a file from a project.
"""
path = os.path.normpath(file_path).strip("/")
file_path = urllib.parse.unquote(file_path)
path = os.path.normpath(file_path)
# Raise error if user try to escape
if not is_safe_path(path, project.path):