Skip to content

Commit

Permalink
prevent creating folders in the files parent directory
Browse files Browse the repository at this point in the history
  • Loading branch information
@afourmy
afourmy committed Jan 14, 2024
1 parent a1bbf1d commit 5d44513
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion eNMS/controller.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1494,7 +1494,7 @@ def update_device_rbac(self):

def upload_files(self, **kwargs):
path = f"{vs.file_path}/{kwargs['folder']}/{kwargs['file'].filename}"
if not str(Path(path).resolve()).startswith(str(vs.file_path)):
if not str(Path(path).resolve()).startswith(f"{vs.file_path}/"):
return {"error": "The path resolves outside of the files folder."}
kwargs["file"].save(path)

Expand Down
2 changes: 1 addition & 1 deletion eNMS/models/administration.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ class File(AbstractBase):
def update(self, move_file=True, **kwargs):
old_path = self.full_path
self.full_path = f"{vs.file_path}{kwargs['path']}"
if not str(Path(self.full_path).resolve()).startswith(str(vs.file_path)):
if not str(Path(self.full_path).resolve()).startswith(f"{vs.file_path}/"):
raise Exception("The path resolves outside of the files folder.")
super().update(**kwargs)
if exists(str(old_path)) and not exists(self.full_path) and move_file:
Expand Down

0 comments on commit 5d44513

Please sign in to comment.