Protect controller and compute about path outside project directory

Fix #503
Julien Duponchelle
2016-05-11 15:59:32 +02:00
parent 390401000f
commit c2da568543
4 changed files with 75 additions and 1 deletions


@ -25,6 +25,7 @@ from .vm import VM
from .udp_link import UDPLink
from ..notification_queue import NotificationQueue
from ..config import Config
from ..utils.path import check_path_allowed
class Project:
@ -48,7 +49,6 @@ class Project:
raise aiohttp.web.HTTPBadRequest(text="{} is not a valid UUID".format(project_id))
self._id = project_id
#TODO: Security check if not locale
if path is None:
location = self._config().get("project_directory", self._get_default_project_directory())
path = os.path.join(location, self._id)
@ -81,6 +81,7 @@ class Project:
@path.setter
def path(self, path):
check_path_allowed(path)
try:
os.makedirs(path, exist_ok=True)
except OSError as e:
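Review bot: In the `path` setter, the string handed to `check_path_allowed(path)` is the same unnormalised value later passed to `os.makedirs`, so the guard holds only if the helper itself collapses `..` segments and resolves symlinks before comparing against the project directory. The helper lives in `..utils.path` and is not visible in this section. If it compares the path as given, resolve once here and use the resolved value for both the check and the directory creation, e.g. `path = os.path.realpath(path)` placed just before `check_path_allowed(path)`. The TODO removed from `__init__` limited the check to non-local mode, and whether the helper keeps that condition cannot be told from these lines, so a short comment at the call site stating when the check applies would help. The setter's body continues past the last line shown.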