Blocked dir traversal - fiche - A pastebin adjusted for gopher use | |
git clone git://vernunftzentrum.de/fiche.git | |
--- | |
commit 680bb77f2c2cd4e39344502268f4552932052881 | |
parent 12205151078b89e48cee70ee450207a39046ae57 | |
Author: solusipse <[email protected]> | |
Date: Mon, 9 Oct 2017 20:15:22 +0200 | |
Blocked dir traversal | |
Diffstat: | |
extras/lines/lines.py | 8 ++++++-- | |
1 file changed, 6 insertions(+), 2 deletions(-) | |
--- | |
diff --git a/extras/lines/lines.py b/extras/lines/lines.py | |
@@ -19,14 +19,18 @@ def main(): | |
@app.route('/<slug>') | |
def beautify(slug): | |
# Return 404 in case of urls longer than 64 chars | |
- if (len(slug) > 64): | |
+ if len(slug) > 64: | |
abort(404) | |
# Create path for the target dir | |
target_dir = os.path.join(args.root_dir, slug) | |
+ # Block directory traversal attempts | |
+ if not target_dir.startswith(args.root_dir): | |
+ abort(404) | |
+ | |
# Check if directory with requested slug exists | |
- if (os.path.isdir(target_dir)): | |
+ if os.path.isdir(target_dir): | |
target_file = os.path.join(target_dir, "index.txt") | |
# File index.txt found inside that dir |