Prevent directory traversal

2025-06-21 16:39:40 +00:00 · 2021-05-15 17:35:32 +09:30
parent 2c938b2c19
commit 6294ad9e76
9 changed files with 70 additions and 67 deletions
--- a/gns3server/handlers/api/compute/qemu_handler.py
+++ b/gns3server/handlers/api/compute/qemu_handler.py
@ -566,15 +566,15 @@ class QEMUHandler:
        raw=True,
        description="Download Qemu image")
    async def download_image(request, response):
+
        filename = request.match_info["filename"]

+        # Raise error if user try to escape
+        if filename[0] == "." or os.path.sep in filename:
+            raise aiohttp.web.HTTPForbidden()
+
        qemu_manager = Qemu.instance()
        image_path = qemu_manager.get_abs_image_path(filename)
-
-        # Raise error if user try to escape
-        if filename[0] == ".":
-            raise aiohttp.web.HTTPForbidden()
-
        await response.stream_file(image_path)

    @Route.get(