codex-storage
/
deluge
mirror of https://github.com/codex-storage/deluge.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

security fixes

This commit is contained in:
Martijn Voncken 2008-07-22 19:01:37 +00:00
parent 498fbab03a
commit 276cf262ed
4 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
deluge/ui/webui/config_forms.py
View File

@ -53,6 +53,7 @@ class WebCfgForm(forms.Form):
return config.get_config() return config.get_config()
def save(self, data): def save(self, data):
utils.validate_config(data)
for key, value in data.iteritems(): for key, value in data.iteritems():
config.set(key, value) config.set(key, value)
config.save() config.save()

1
deluge/ui/webui/config_tabs_webui.py
View File

@ -43,6 +43,7 @@ from render import render
config_page = component.get("ConfigPageManager") config_page = component.get("ConfigPageManager")
plugins = component.get("WebPluginManager") plugins = component.get("WebPluginManager")
class Template(config_forms.WebCfgForm): class Template(config_forms.WebCfgForm):
title = _("Template") title = _("Template")

10
deluge/ui/webui/pages.py
View File

@ -394,8 +394,14 @@ class template_render:
"render anything in /render/ dir" "render anything in /render/ dir"
@deco.deluge_page @deco.deluge_page
def GET(self, name): def GET(self, name):
filename = os.path.join(os.path.dirname(__file__), #security : assumes config.get('template') returns a safe subdir.
'templates/%s/render/%s' % (config.get('template'), name)) basepath = os.path.normpath(os.path.join(os.path.dirname(__file__),
'templates/%s/render' % config.get('template')))
filename = os.path.normpath(os.path.join(basepath,name))
if not filename.startswith(basepath):
#hack detected?
raise Exception("File to render is not located in %s" % basepath)
return web.template.Template(open(filename).read(), filename=filename)() return web.template.Template(open(filename).read(), filename=filename)()
route("/template/render/(.*)", template_render) route("/template/render/(.*)", template_render)

12
deluge/ui/webui/utils.py
View File

@ -250,6 +250,18 @@ def check_pwd(pwd):
m.update(pwd) m.update(pwd)
return (m.digest() == config.get('pwd_md5')) return (m.digest() == config.get('pwd_md5'))
def validate_config(cfg_dict):
"""
call this before setting webui-config!
#security : if template contains "../.." or other vars the filesystem could get compromized.
"""
if "template" in cfg_dict:
from render import render
#make shure it is a real template
if not cfg_dict["template"] in render.get_templates():
raise Exception("Invalid template")
def set_config_defaults(): def set_config_defaults():
changed = False changed = False
for key, value in CONFIG_DEFAULTS.iteritems(): for key, value in CONFIG_DEFAULTS.iteritems():