Merge pull request #2 from porcupineyhairs/FixPathInjection

Fix Path Traversal Vulnerability
idayrus · May 8, 2022 · 241d92a · 241d92a
2 parents d9ef8c7 + fefef0d
commit 241d92a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/app/helper/middleware.py b/app/helper/middleware.py
@@ -5,6 +5,7 @@
 from app.module.user.model import UserModel, UserTokenModel
 from app.module.user import UserSession
 from werkzeug.routing import BaseConverter, ValidationError
+from werkzeug.utils import safe_join
 from bson.objectid import ObjectId
 from bson.errors import InvalidId
 from os import path
@@ -18,7 +19,7 @@
 @login_required
 def private_static(filename):
     # Get path
-    filepath = path.join(app.config.get("PRIVATE_DIR"), filename)
+    filepath = safe_join(app.config.get("PRIVATE_DIR"), filename)
     if path.isfile(filepath):
         return send_file(filepath)
     # End