codex-storage
/
deluge
mirror of https://github.com/codex-storage/deluge.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[WebUI] Check render template files exist and raise 404 if not 

- Check render/* requests match to .html files in the 'render' dir
 - Protects against directory (path) traversal
This commit is contained in:
Kyle Neideck 2017-03-11 13:58:28 +11:00 committed by Calum Lind
parent 35c78eee41
commit 960f3a6552
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
deluge/ui/web/server.py
View File

@ -126,6 +126,10 @@ class Upload(resource.Resource):
class Render(resource.Resource): class Render(resource.Resource):
def __init__(self):
resource.Resource.__init__(self)
# Make a list of all the template files to check requests against.
self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html')
def getChild(self, path, request): # NOQA: N802 def getChild(self, path, request): # NOQA: N802
request.render_file = path request.render_file = path
@ -136,6 +140,10 @@ class Render(resource.Resource):
request.setResponseCode(http.INTERNAL_SERVER_ERROR) request.setResponseCode(http.INTERNAL_SERVER_ERROR)
return '' return ''
if request.render_file not in self.template_files:
request.setResponseCode(http.NOT_FOUND)
return '<h1>404 - Not Found</h1>'
filename = os.path.join('render', request.render_file) filename = os.path.join('render', request.render_file)
template = Template(filename=rpath(filename)) template = Template(filename=rpath(filename))
request.setHeader(b'content-type', b'text/html') request.setHeader(b'content-type', b'text/html')