
Commit 62dec34

fixes for CVE-2015-8309 (download arbitrary files) and CVE-2015-8309 (XSS vulnerability)
Many thanks to feedersec for checking the security of CherryMusic! Note to CM users: Both those vulnerabilities only work for logged-in users.
1 parent 82ad793 commit 62dec34
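Added example, not code from the CherryMusic commit or project: it puts the substring-style traversal test used by the download fix beside a containment test that resolves the requested path against the media root first, and shows the cases (a bare `..`, a sibling directory, a symlink inside the root) where the two differ. `BASEDIR` is a hypothetical media root, the sample requests are constructed, and the code assumes POSIX path rules.

```python
"""Path-containment check for a download handler.

Added example, not code from the CherryMusic commit. It contrasts the
substring-style traversal test used in the patch with a containment test
that resolves the path first. BASEDIR is a hypothetical media root and the
code assumes POSIX path rules.
"""
import os
import shutil
import tempfile

BASEDIR = "/srv/music"  # hypothetical media root, not CherryMusic's setting


def substring_check(relpath):
    """Traversal test in the style of the patch: a substring match on the
    raw request plus an absolute-path test."""
    if "/../" in relpath or relpath.startswith("../"):
        return "invalid_file"
    if os.path.isabs(relpath):
        return "invalid_file"
    return "ok"


def contained_check(relpath, basedir=BASEDIR):
    """Lexical containment: join, normalise, then require that the result
    still lies under basedir. Uses os.path.commonpath rather than
    str.startswith so that a sibling such as /srv/music2 is not mistaken
    for a child of /srv/music."""
    if os.path.isabs(relpath):
        return "invalid_file"
    candidate = os.path.normpath(os.path.join(basedir, relpath))
    if os.path.commonpath([basedir, candidate]) != basedir:
        return "invalid_file"
    return "ok"


def contained_on_disk(relpath, basedir=BASEDIR):
    """Same test after following symlinks: a link inside basedir that points
    outside it is rejected, which no purely lexical test can do."""
    if os.path.isabs(relpath):
        return "invalid_file"
    real_base = os.path.realpath(basedir)
    candidate = os.path.realpath(os.path.join(real_base, relpath))
    if os.path.commonpath([real_base, candidate]) != real_base:
        return "invalid_file"
    return "ok"


def check_files(filelist, checker=contained_check):
    """Mirror of the handler's loop: the first rejected entry decides."""
    for f in filelist:
        verdict = checker(f)
        if verdict != "ok":
            return verdict
    return "ok"


def symlink_demo():
    """Constructed scenario: basedir contains a symlink to a file outside it.
    Returns (lexical verdict, on-disk verdict) for a request for that link."""
    tmp = tempfile.mkdtemp()
    try:
        base = os.path.join(tmp, "music")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside basedir\n")
        os.symlink(secret, os.path.join(base, "link.txt"))
        return (contained_check("link.txt", base),
                contained_on_disk("link.txt", base))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    requests = ["albums/track.mp3", "../etc/passwd", "albums/../../etc/passwd",
                "..", "../music2/x", "/etc/passwd"]
    for r in requests:
        print("%-28s substring=%-13s contained=%s"
              % (r, substring_check(r), contained_check(r)))
    print("symlink inside basedir: lexical=%s, on-disk=%s" % symlink_demo())
```

The bare `..` request passes `substring_check` (it contains no `/../` and does not start with `../`) yet resolves to the parent of the media root; `contained_check` rejects it because the normalised path no longer shares `basedir` as its common prefix. Only `contained_on_disk` catches the symlink case, at the cost of touching the filesystem for every entry.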


2 files changed

+8
-3
lines changed


Diff for: cherrymusicserver/httphandler.py

+5-1
@@ -300,7 +300,11 @@ def download_check_files(self, filelist):
300300
return 'not_permitted'
301301
# make sure nobody tries to escape from basedir
302302
for f in filelist:
303-
if '/../' in f:
303+
# don't allow to traverse up in the file system
304+
if '/../' in f or f.startswith('../'):
305+
return 'invalid_file'
306+
# CVE-2015-8309: do not allow absolute file paths
307+
if os.path.isabs(f):
304308
return 'invalid_file'
305309
# make sure all files are smaller than maximum download size
306310
size_limit = cherry.config['media.maximum_download_size']
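Review bot: the traversal test at `if '/../' in f or f.startswith('../'):` is a substring match on the raw string and still lets a bare `..` through (it contains no `/../` and does not start with `../`, and `os.path.isabs('..')` is false), and neither branch does anything about a symlink inside basedir that points outside it. Prefer resolving the request first (`os.path.normpath` or `os.path.realpath` of `os.path.join(basedir, f)`) and rejecting anything whose `os.path.commonpath` with basedir is not basedir; that single test also subsumes the new `os.path.isabs(f)` branch, so the two adjacent `return 'invalid_file'` lines collapse into one. Also worth confirming that `os` is imported at the top of httphandler.py, since this hunk shows the only visible use of it.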

Diff for: res/js/playlistmanager.js

+3-2
@@ -562,8 +562,9 @@ PlaylistManager.prototype = {
562562
isunsaved += ' <em>(unsaved)</em>';
563563
}
564564

565-
566-
pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+pl.name+ isunsaved;
565+
// fix for CVE-2015-8310
566+
var escaped_playlist_name = $("<div>").text(pl.name).html();
567+
pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+escaped_playlist_name + isunsaved;
567568
if(pl.closable){
568569
pltabs += '<span class="playlist-tab-closer pointer" href="#" onclick="playlistManager.closePlaylist('+pl.id+')">&times;</span>';
569570
}
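Review bot: `pl.name` is now escaped before it reaches the tab markup, but the same string still splices `pl.id` raw into the `onclick="..."` attribute twice (the `showPlaylist` link and the `closePlaylist` span) and concatenates `isplaying` unescaped; if `pl.id` is always a server-assigned integer that is fine, but coercing it (`parseInt(pl.id, 10)` or a numeric check) would make that assumption explicit rather than implicit. Note that `$("<div>").text(pl.name).html()` escapes `<`, `>` and `&` but not quotes, which is sufficient here only because the name lands in element text and not in an attribute value. Minor: the inline comment cites CVE-2015-8310 while the commit message names CVE-2015-8309 for both issues; one of the two should be corrected.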
