Fix file exploit vulnerability (#1105)
kizniche committed Oct 26, 2021
1 parent 69acf26 commit 23ac5dd
Showing 2 changed files with 8 additions and 3 deletions.
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -1,4 +1,6 @@
## 8.12.7 (Unreleased)
## 8.12.7 (2021-10-25)

This is a bugfix release that includes a fix to a severe security vulnerability. It is recommended that all users that have Mycodo exposed to the internet and allow guest access upgrade to patch this vulnerability. Users that only run Mycodo on a local network and/or don't allow unknown user (i.e. guest) access likely won't be affected.

### Bugfixes

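Review bot: the release note added in this hunk tells users the vulnerability is severe but not what kind of bug it is or which part of the application is affected; naming the two file-serving routes patched in this commit (`send_note_attachment` and `camera_img_return_path`) and the first affected version would let operators judge their exposure without reading the diff. Also, the heading now reads `## 8.12.7 (2021-10-25)` while the commit itself is dated Oct 26, 2021; worth confirming which date the release actually carries.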
@@ -7,6 +9,7 @@
- Fix error when unauthenticated users attempting to land on the home page
- Fix Gauge Widget dependencies ([#1100](https://github.com/kizniche/mycodo/issues/1100))
- Fix installation of pigpiod
- Fix file exploit vulnerability ([#1105](https://github.com/kizniche/mycodo/issues/1105))

### Features

6 changes: 4 additions & 2 deletions mycodo/mycodo_flask/routes_general.py
@@ -117,7 +117,8 @@ def send_note_attachment(filename):
file_path = os.path.join(PATH_NOTE_ATTACHMENTS, filename)
if file_path is not None:
try:
return send_file(file_path, as_attachment=True)
if os.path.abspath(file_path).startswith(PATH_NOTE_ATTACHMENTS):
return send_file(file_path, as_attachment=True)
except Exception:
logger.exception("Send note attachment")

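Review bot: the containment check on the new line `if os.path.abspath(file_path).startswith(PATH_NOTE_ATTACHMENTS):` compares against the directory name without a trailing separator, so any sibling directory whose name merely begins with the same string as PATH_NOTE_ATTACHMENTS would also satisfy it; compare against `os.path.join(PATH_NOTE_ATTACHMENTS, '')` instead, or let Flask do the containment check with `send_from_directory(PATH_NOTE_ATTACHMENTS, filename, as_attachment=True)`, which uses `safe_join` and returns 404 for a path that escapes the directory. Two smaller points: `os.path.abspath` only normalises the string and does not resolve symlinks (`os.path.realpath` would), and when the check fails the function falls off the end and returns None, which Flask reports as a server error rather than a 404 or 403; an explicit `abort(404)` would make the rejection visible in logs. The surrounding guard `if file_path is not None:` is always true, since `os.path.join` returns a string.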
@@ -149,7 +150,8 @@ def camera_img_return_path(camera_unique_id, img_type, filename):
files = []
if filename in files:
path_file = os.path.join(path, filename)
return send_file(path_file, mimetype='image/jpeg')
if os.path.abspath(path_file).startswith(path):
return send_file(path_file, mimetype='image/jpeg')

return "Image not found"

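Review bot: the same prefix caveat applies to `if os.path.abspath(path_file).startswith(path):` in this hunk: without a trailing separator on `path`, a sibling directory with a longer name sharing the prefix passes the check, and the comparison only holds if `path` is itself absolute and normalised, which the visible lines do not show. Since this check sits inside `if filename in files:`, it is defence in depth if `files` is a listing of `path`, so documenting that intent in a comment would help; falling through to `return "Image not found"` on failure is fine, though a 404 status on that response would be more accurate than the default 200.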
