
added path traversal check for file_exists decorator

1 parent c01edec commit 50da8f4d03e0a09249cabe83dddf764311c00a79 @bessl committed Jul 30, 2011
Showing with 8 additions and 1 deletion.
  1. +8 −1 filebrowser/decorators.py
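--- a/filebrowser/decorators.py
+++ b/filebrowser/decorators.py
@@ -61,11 +61,18 @@ def file_exists(function):
 """
 def decorator(request, *args, **kwargs):
-if get_file(request.GET.get('dir', ''), request.GET.get('filename', '')) == None:
+file_path = get_file(request.GET.get('dir', ''), request.GET.get('filename', ''))
+if file_path == None:
 msg = _('The requested File does not exist.')
 messages.add_message(request, messages.ERROR, msg)
 redirect_url = reverse("fb_browse") + query_helper(request.GET, "", "dir")
 return HttpResponseRedirect(redirect_url)
+elif file_path.startswith('/') or file_path.startswith('..'):
+# prevent path traversal
+msg = _('You do not have permission to access this file!')
+messages.add_message(request, messages.ERROR, msg)
+redirect_url = reverse("fb_browse") + query_helper(request.GET, "", "dir")
+return HttpResponseRedirect(redirect_url)
 return function(request, *args, **kwargs)
 return decorator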
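Review bot: The new guard at `elif file_path.startswith('/') or file_path.startswith('..'):` only rejects a value whose first characters are `/` or `..`, so a `..` segment that appears later in the path (or a leading `\` on Windows) is not caught by it. Presumably get_file returns a path relative to the browser's root; if so, a more robust check normalizes and inspects every segment, e.g. `elif os.path.isabs(file_path) or '..' in os.path.normpath(file_path).split(os.sep):`, or better resolves the full path with `os.path.abspath(os.path.join(<root dir>, file_path))` and requires it to start with the root directory plus a separator — `os` would need to be imported at the top of the file, which is outside this hunk. Independently, `if file_path == None:` should be written `if file_path is None:`. The enclosing `file_exists` function starts before this hunk.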

