fixes for CVE-2015-8309 (download arbitrary files) and CVE-2015-8309 …

…(XSS vulnerability) Many thanks to feedersec for checking the security of CherryMusic! Note to CM users: Both those vulnerabilities only work for logged-in users.
devsnd · Nov 21, 2015 · 62dec34 · 62dec34
1 parent 82ad793
commit 62dec34
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/cherrymusicserver/httphandler.py b/cherrymusicserver/httphandler.py
@@ -300,7 +300,11 @@ def download_check_files(self, filelist):
                 return 'not_permitted'
         # make sure nobody tries to escape from basedir
         for f in filelist:
-            if '/../' in f:
+            # don't allow to traverse up in the file system
+            if '/../' in f or f.startswith('../'):
+                return 'invalid_file'
+            # CVE-2015-8309: do not allow absolute file paths
+            if os.path.isabs(f):
                 return 'invalid_file'
         # make sure all files are smaller than maximum download size
         size_limit = cherry.config['media.maximum_download_size']

diff --git a/res/js/playlistmanager.js b/res/js/playlistmanager.js
@@ -562,8 +562,9 @@ PlaylistManager.prototype = {
                 isunsaved += ' <em>(unsaved)</em>';
             }
 
-
-            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+pl.name+ isunsaved;
+            // fix for CVE-2015-8310
+            var escaped_playlist_name = $("<div>").text(pl.name).html();
+            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+escaped_playlist_name + isunsaved;
             if(pl.closable){
                 pltabs += '<span class="playlist-tab-closer pointer" href="#" onclick="playlistManager.closePlaylist('+pl.id+')">&times;</span>';
             }