fix: TemplatePage.can_render (#20261)

Don't render python executable/loadable files from TemplatePage renderer. This restricts access to reading/downloading possibly private Python source code from Frappe applications
frappe · Mar 6, 2023 · 2b10d6b · 2b10d6b
1 parent 00627bb
commit 2b10d6b
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/frappe/website/router.py b/frappe/website/router.py
@@ -6,13 +6,16 @@
 import io
 import os
 import re
+from importlib.machinery import all_suffixes
 
 from werkzeug.routing import Map, NotFound, Rule
 
 import frappe
 from frappe.model.document import get_controller
 from frappe.website.utils import can_cache, delete_page_cache, extract_comment_tag, extract_title
 
+PY_SUFFIXES = tuple(all_suffixes())
+
 
 def resolve_route(path):
 	"""Returns the page route object based on searching in pages and generators.
@@ -63,8 +66,12 @@ def make_page_context(path):
 	return context
 
 
-def get_page_info_from_template(path):
+def get_page_info_from_template(path: str):
 	"""Return page_info from path"""
+	# skip rendering of python files in www folder
+	if path.endswith(PY_SUFFIXES):
+		raise frappe.DoesNotExistError
+
 	for app in frappe.get_installed_apps(frappe_last=True):
 		app_path = frappe.get_app_path(app)