use werkzeug safe_join to sanitize the requested path
no tests changed, so my implementation might have been good, but let's use the provided check
This commit is contained in:
parent
b3dfab2611
commit
55cfad90a9
@ -7,6 +7,7 @@ import re
|
||||
from flask import Blueprint, Markup, abort
|
||||
from flask import current_app as app
|
||||
from flask import redirect, request, send_from_directory
|
||||
from werkzeug.security import safe_join
|
||||
|
||||
from incorporealcms.lib import get_meta_str, init_md, render
|
||||
|
||||
@ -101,15 +102,16 @@ def request_path_to_instance_resource_path(path):
|
||||
"""
|
||||
# check if the path is allowed
|
||||
base_dir = os.path.realpath(f'{app.instance_path}/pages/')
|
||||
verbatim_path = os.path.abspath(os.path.join(base_dir, path))
|
||||
resolved_path = os.path.realpath(verbatim_path)
|
||||
logger.debug("base_dir '%s', constructed resolved_path '%s' for path '%s'", base_dir, resolved_path, path)
|
||||
|
||||
safe_path = safe_join(base_dir, path)
|
||||
# bail if the requested real path isn't inside the base directory
|
||||
if base_dir != os.path.commonpath((base_dir, resolved_path)):
|
||||
if not safe_path:
|
||||
logger.warning("client tried to request a path '%s' outside of the base_dir!", path)
|
||||
raise PermissionError
|
||||
|
||||
verbatim_path = os.path.abspath(safe_path)
|
||||
resolved_path = os.path.realpath(verbatim_path)
|
||||
logger.debug("base_dir '%s', constructed resolved_path '%s' for path '%s'", base_dir, resolved_path, path)
|
||||
|
||||
# see if we have a real file or if we should infer markdown rendering
|
||||
if os.path.exists(resolved_path):
|
||||
# if this is a file-like request but actually a directory, redirect the user
|
||||
@ -131,7 +133,7 @@ def request_path_to_instance_resource_path(path):
|
||||
return resolved_path.replace(f'{app.instance_path}{os.path.sep}', ''), 'file'
|
||||
|
||||
# if we're here, this isn't direct file access, so try markdown inference
|
||||
verbatim_path = os.path.abspath(os.path.join(base_dir, f'{path}.md'))
|
||||
verbatim_path = f'{safe_path}.md'
|
||||
resolved_path = os.path.realpath(verbatim_path)
|
||||
|
||||
# does the final file actually exist?
|
||||
|
Loading…
Reference in New Issue
Block a user