Commit 23ac5dd

Fix file exploit vulnerability (#1105)
1 parent 69acf26 commit 23ac5dd

2 files changed

+8
-3
lines changed


Diff for: CHANGELOG.md

+4-1
@@ -1,4 +1,6 @@
1-
## 8.12.7 (Unreleased)
1+
## 8.12.7 (2021-10-25)
2+
3+
This is a bugfix release that includes a fix to a severe security vulnerability. It is recommended that all users that have Mycodo exposed to the internet and allow guest access upgrade to patch this vulnerability. Users that only run Mycodo on a local network and/or don't allow unknown user (i.e. guest) access likely won't be affected.
24

35
### Bugfixes
46

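Review bot: the new release note at lines 3-5 says "severe security vulnerability" but names neither the affected routes nor the nature of the bug, so operators cannot judge their exposure from the changelog alone. State that the note-attachment and camera-image download routes could serve files outside their intended directories and that this release restricts them to those directories, and link the issue (#1105) here as the Bugfixes entry already does.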
@@ -7,6 +9,7 @@
79
- Fix error when unauthenticated users attempting to land on the home page
810
- Fix Gauge Widget dependencies ([#1100](https://github.com/kizniche/mycodo/issues/1100))
911
- Fix installation of pigpiod
12+
- Fix file exploit vulnerability ([#1105](https://github.com/kizniche/mycodo/issues/1105))
1013

1114
### Features
1215

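Review bot: "Fix file exploit vulnerability" at new line 12 is too vague for a security entry; describe what was fixed so it can be matched against the release note above, e.g. "Fix arbitrary file read via note attachment and camera image routes (path traversal)".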
Diff for: mycodo/mycodo_flask/routes_general.py

+4-2
@@ -117,7 +117,8 @@ def send_note_attachment(filename):
117117
file_path = os.path.join(PATH_NOTE_ATTACHMENTS, filename)
118118
if file_path is not None:
119119
try:
120-
return send_file(file_path, as_attachment=True)
120+
if os.path.abspath(file_path).startswith(PATH_NOTE_ATTACHMENTS):
121+
return send_file(file_path, as_attachment=True)
121122
except Exception:
122123
logger.exception("Send note attachment")
123124

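Review bot: the `startswith(PATH_NOTE_ATTACHMENTS)` test at new line 120 is a string-prefix check, not a directory-containment check: any path whose text begins with the directory name passes, including a sibling directory such as `PATH_NOTE_ATTACHMENTS + "_old/..."`, and `os.path.abspath` does not resolve symlinks. Compare the resolved candidate against the resolved directory with a trailing separator, or use `os.path.commonpath([os.path.realpath(PATH_NOTE_ATTACHMENTS), os.path.realpath(file_path)])`, and make sure `PATH_NOTE_ATTACHMENTS` is itself absolute or the comparison never matches. Two smaller points: `if file_path is not None:` at line 118 can never be false because `os.path.join` always returns a string, and when the new check fails the function drops out of the `try` and returns `None` silently, so a rejected filename should produce an explicit 403/404 and a log entry that defenders can alert on.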
@@ -149,7 +150,8 @@ def camera_img_return_path(camera_unique_id, img_type, filename):
149150
files = []
150151
if filename in files:
151152
path_file = os.path.join(path, filename)
152-
return send_file(path_file, mimetype='image/jpeg')
153+
if os.path.abspath(path_file).startswith(path):
154+
return send_file(path_file, mimetype='image/jpeg')
153155

154156
return "Image not found"
155157

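Review bot: same prefix-only weakness as the note-attachment hunk: `os.path.abspath(path_file).startswith(path)` at new line 153 accepts sibling directories that share `path` as a string prefix and only works if `path` is already absolute and normalized, so build the comparison from `os.path.realpath(path)` with a trailing separator or via `os.path.commonpath`. Also, in the visible context `files = []` at line 149 is immediately followed by `if filename in files:`, so as shown the branch is unreachable and the route always returns "Image not found"; if the list is populated on lines outside the hunk, that allowlist of known filenames is the stronger control and the new path check is a secondary safeguard, which is worth saying in a comment.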