Prevent deleting a GNS3 project outside the project directory. Ref #1669

This commit is contained in:
grossmj 2019-10-30 16:25:06 +08:00
parent f3ad333a21
commit 5e9810d420
2 changed files with 7 additions and 3 deletions

View File

@ -816,9 +816,12 @@ class Project:
await self.delete_on_computes() await self.delete_on_computes()
await self.close() await self.close()
try: try:
project_directory = get_default_project_directory()
if not os.path.commonprefix([project_directory, self.path]) == project_directory:
raise aiohttp.web.HTTPConflict(text="Project '{}' cannot be deleted because it is not in the default project directory: '{}'".format(self._name, project_directory))
shutil.rmtree(self.path) shutil.rmtree(self.path)
except OSError as e: except OSError as e:
raise aiohttp.web.HTTPConflict(text="Can not delete project directory {}: {}".format(self.path, str(e))) raise aiohttp.web.HTTPConflict(text="Cannot delete project directory {}: {}".format(self.path, str(e)))
async def delete_on_computes(self): async def delete_on_computes(self):
""" """

View File

@ -204,11 +204,12 @@ class ProjectHandler:
controller = Controller.instance() controller = Controller.instance()
config = Config.instance() config = Config.instance()
dot_gns3_file = request.json.get("path")
if config.get_section_config("Server").getboolean("local", False) is False: if config.get_section_config("Server").getboolean("local", False) is False:
log.error("Can't load the project the server is not started with --local") log.error("Cannot load '{}' because the server has not been started with the '--local' parameter".format(dot_gns3_file))
response.set_status(403) response.set_status(403)
return return
project = await controller.load_project(request.json.get("path"),) project = await controller.load_project(dot_gns3_file,)
response.set_status(201) response.set_status(201)
response.json(project) response.json(project)