Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugfix: .. in filename throwing error while loading in output. #7795

Merged
merged 8 commits into from Mar 25, 2024
Merged

Bugfix: .. in filename throwing error while loading in output. #7795

merged 8 commits into from Mar 25, 2024

Conversation

shubhamofbce
Copy link
Contributor

Description

We were checking if .. in file path to prevent path traversal, but we need to exclude filename while checking this otherwise it will return false if filename has dots in it. So I have updated the function to check path without filename.

Closes: #7755

🎯 PRs Should Target Issues

Not adhering to this guideline will result in the PR being closed.

@gradio-pr-bot
Copy link
Contributor

gradio-pr-bot commented Mar 22, 2024
edited

🪼 branch checks and previews

Name Status URL
Spaces ready! Spaces preview
Website ready! Website preview
🦄 Changes detected! Details

Install Gradio from this PR

pip install https://gradio-builds.s3.amazonaws.com/c205c1df0cff21d68e01474907e1fd6e0d36daad/gradio-4.23.0-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@c205c1df0cff21d68e01474907e1fd6e0d36daad#subdirectory=client/python"

@gradio-pr-bot
Copy link
Contributor

gradio-pr-bot commented Mar 22, 2024
edited

🦄 change detected

This Pull Request includes changes to the following packages.

Package Version
gradio patch
  • Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Bugfix: .. in filename throwing error while loading in output.

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?
  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.

@shubhamofbce shubhamofbce changed the title Exclude filename while preventing path traversal Bugfix: .. in filename throwing error while loading in output. Mar 22, 2024
@shubhamofbce
Copy link
Contributor Author

@abidlabs This is a small bugfix, and ready for review. Let me know if you have any questions.

freddyaboulton
freddyaboulton reviewed Mar 22, 2024
View reviewed changes
gradio/utils.py Outdated Show resolved Hide resolved
freddyaboulton
freddyaboulton approved these changes Mar 25, 2024
View reviewed changes
Copy link
Collaborator

@freddyaboulton freddyaboulton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @shubhamofbce for addressing comments! CC @abidlabs prior to merge

@abidlabs
Copy link
Member

Hmm let me take a look at these tests

@abidlabs
Copy link
Member

So the docstring for is_in_or_equal is actually inaccurate. We do have some use cases where path_1 can be a file path as well, namely the use here:

gradio/gradio/utils.py

Line 1079 in 2f12512

return any(is_in_or_equal(file_path, static_file) for static_file in static_files)

So I slightly refactored the implementation to be a little more explicit what we are testing. Also added a unit test.

@freddyaboulton
Copy link
Collaborator

Nice LGTM @abidlabs !

@abidlabs
Copy link
Member

Thanks @shubhamofbce for the original PR identifying the cause of the issue and @freddyaboulton for reviewing the fix. Will merge in after CI

@abidlabs abidlabs enabled auto-merge (squash) March 25, 2024 19:23
@abidlabs abidlabs merged commit 1c257f5 into gradio-app:main Mar 25, 2024
7 checks passed
@pngwn pngwn mentioned this pull request Mar 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abidlabs abidlabs abidlabs left review comments

@freddyaboulton freddyaboulton freddyaboulton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Error while uploading file with certain name
4 participants
@shubhamofbce @gradio-pr-bot @abidlabs @freddyaboulton