Fix static mounts using relative paths and prevent traversal exploits (#554)
Thanks, @abdusco! Closes #555 (pull/559/head)
rodzic
9ca860e54f
commit
74ecf8a7cc
@ -735,7 +735,8 @@ class StaticMount(click.ParamType):
|
|||
param,
|
||||
ctx,
|
||||
)
|
||||
path, dirpath = value.split(":")
|
||||
path, dirpath = value.split(":", 1)
|
||||
dirpath = os.path.abspath(dirpath)
|
||||
if not os.path.exists(dirpath) or not os.path.isdir(dirpath):
|
||||
self.fail("%s is not a valid directory path" % value, param, ctx)
|
||||
return path, dirpath
|
||||
|
|
|
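Review bot: A mount value with no colon still leaves the converter as a bare `ValueError` from the tuple unpacking on `path, dirpath = value.split(":", 1)`, rather than the click usage error that `self.fail` produces for a bad directory a few lines later; a guard before the split, `if ":" not in value: self.fail("%s should be of the form path:directory" % value, param, ctx)`, keeps both failure modes on the same path. Note also that `os.path.abspath` normalizes the string but does not follow symlinks, while the static handler in this same commit compares against a `.resolve()`d path; if the two are meant to agree, `dirpath = os.path.realpath(dirpath)` here would hand back the resolved directory. The `convert` method's signature begins before the hunk.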
@ -300,7 +300,11 @@ async def asgi_send_file(
|
|||
def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
|
||||
async def inner_static(scope, receive, send):
|
||||
path = scope["url_route"]["kwargs"]["path"]
|
||||
full_path = (Path(root_path) / path).absolute()
|
||||
try:
|
||||
full_path = (Path(root_path) / path).resolve().absolute()
|
||||
except FileNotFoundError:
|
||||
await asgi_send_html(send, "404", 404)
|
||||
return
|
||||
# Ensure full_path is within root_path to avoid weird "../" tricks
|
||||
try:
|
||||
full_path.relative_to(root_path)
|
||||
|
|
|
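Review bot: The containment check `full_path.relative_to(root_path)` compares a symlink-resolved `full_path` against an unresolved `root_path`, so if `root_path` itself sits under a symlink (a directory that is a symlink, or a temp directory whose real location differs), `.resolve()` rewrites the prefix and every request fails the check with a 404. Resolving the root once outside the closure, `root = Path(root_path).resolve()`, and checking `full_path.relative_to(root)` makes the two sides comparable while still rejecting a symlink inside the mount that points outside it, since the resolved `full_path` is what is compared. The `except ValueError` arm of the second `try` and the rest of `inner_static` lie beyond the hunk.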
@ -67,6 +67,8 @@ def test_static_mounts():
|
|||
assert response.status == 200
|
||||
response = client.get("/custom-static/not_exists.py")
|
||||
assert response.status == 404
|
||||
response = client.get("/custom-static/../LICENSE")
|
||||
assert response.status == 404
|
||||
|
||||
|
||||
def test_memory_database_page():
|
||||
|
|
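Review bot: The new assertion on `client.get("/custom-static/../LICENSE")` pins only a 404, the same status the preceding `not_exists.py` request gets, so it cannot tell whether the containment check in `asgi_static` fired or the test client normalised the `..` away before routing and the static route simply never matched; it would pass equally with the guard removed in the latter case. A check that only the guard can satisfy is worth adding, for example asserting the behaviour when the mount's root is itself a symlink, or driving `asgi_static` with a `path` kwarg directly so no client-side normalisation is involved. `test_static_mounts` begins before the hunk.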