fixes for CVE-2015-8309 (download arbitrary files) and CVE-2015-8309 (XSS vulnerability)

Many thanks to feedersec for checking the security of CherryMusic!

Note to CM users: Both those vulnerabilities only work for logged-in users.
devsnd committed Nov 21, 2015
1 parent 82ad793 commit 62dec34a1ea0741400dd6b6c660d303dcd651e86
Showing with 8 additions and 3 deletions.
  1. +5 −1 cherrymusicserver/httphandler.py
  2. +3 −2 res/js/playlistmanager.js
@@ -300,7 +300,11 @@ def download_check_files(self, filelist):
return 'not_permitted'
# make sure nobody tries to escape from basedir
for f in filelist:
if '/../' in f:
# don't allow to traverse up in the file system
if '/../' in f or f.startswith('../'):
return 'invalid_file'
# CVE-2015-8309: do not allow absolute file paths
if os.path.isabs(f):
return 'invalid_file'
# make sure all files are smaller than maximum download size
size_limit = cherry.config['media.maximum_download_size']
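Review bot: the traversal check in this hunk is still a substring test on the raw string, so the condition `'/../' in f or f.startswith('../')` misses a path that is exactly `..`, one whose last component is `..` without a trailing slash, and (on Windows) backslash-separated variants such as `..\\`; the new `os.path.isabs(f)` guard does not cover those either. A more robust check resolves each entry against the base directory and rejects anything that lands outside it, e.g. `os.path.realpath(os.path.join(basedir, f))` compared with `os.path.realpath(basedir) + os.sep` as a prefix, which handles every spelling of `..` in one place. The new rejection branch returns the same `'invalid_file'` code for both cases, which is fine, but the comment above the first check (`# don't allow to traverse up in the file system`) should say it is a prefilter and that the normalised-path check is the real boundary.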
@@ -562,8 +562,9 @@ PlaylistManager.prototype = {
isunsaved += ' <em>(unsaved)</em>';
}


pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+pl.name+ isunsaved;
// fix for CVE-2015-8310
var escaped_playlist_name = $("<div>").text(pl.name).html();
pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+escaped_playlist_name + isunsaved;
if(pl.closable){
pltabs += '<span class="playlist-tab-closer pointer" href="#" onclick="playlistManager.closePlaylist('+pl.id+')">&times;</span>';
}
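Review bot: escaping `pl.name` through `$("<div>").text(pl.name).html()` closes the text-node injection in the tab label, but the same string concatenation still drops `pl.id` unescaped into two inline `onclick` attributes (`showPlaylist('+pl.id+')` and `closePlaylist('+pl.id+')`). If playlist ids are server-assigned integers this is safe today; that invariant should at least be stated in a comment, or the handlers should be moved to `data-` attributes with a delegated `.on('click', …)` so no user-influenced value is ever concatenated into markup. Also, the `// fix for CVE-2015-8310` comment is the only place on the page where that id appears; the commit title cites CVE-2015-8309 twice, so the message and the comment should be reconciled.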
