Merge pull request from GHSA-w4cf-92x9-v8w2

SECURITY PATCH: Local File Enumeration when accessing /list
Linbreux · Sep 4, 2022 · 8d1f94e · 8d1f94e
2 parents 259412c + 41dbb89
commit 8d1f94e
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/wiki.py b/wiki.py
@@ -128,7 +128,12 @@ def list_full_wiki():
 def list_wiki(folderpath):
     folder_list = []
     app.logger.info("Showing >>> 'all files'")
-    for root, subfolder, files in os.walk(os.path.join(cfg.wiki_directory, folderpath)):
+    safe_folder = cfg.wiki_directory
+    requested_path = os.path.join(cfg.wiki_directory,folderpath) 
+    print(requested_path)
+    if os.path.commonprefix((os.path.realpath(requested_path),os.path.realpath(safe_folder))) != os.path.realpath(safe_folder): 
+        return index()
+    for root, subfolder, files in os.walk(requested_path):
         if root[-1] == '/':
             root = root[:-1]
         for item in files: