ActionFile security check

lirenmi00 · May 11, 2017 · 47245f4 · 47245f4
1 parent 545459b
commit 47245f4
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
@@ -430,6 +430,8 @@ def actionUiMedia(self, path):
 
     # Stream a file to client
     def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_length=True):
+        if ".." in file_path:
+            raise Exception("Invalid path")
         if os.path.isfile(file_path):
             # Try to figure out content type by extension
             content_type = self.getContentType(file_path)
@@ -521,6 +523,7 @@ def actionConsole(self):
         import sys
         sites = self.server.sites
         main = sys.modules["main"]
+
         def bench(code, times=100):
             sites = self.server.sites
             main = sys.modules["main"]