Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix arbitrary file access in M3U backend #1702

merged 4 commits into from Sep 27, 2018


Copy link

@jodal jodal commented Sep 17, 2018

This PR:

  • Defines the return value of core.playlists.delete() to be a success bool.
  • Updates the M3U backend to use mopidy.internal.path.is_path_inside_base_dir() to check if any received URI/path is inside the m3u/playlist_dir directory. If not, the request is treated as if the path doesn't exist.

This should plug the last part of #1659 and make us ready to release Mopidy 2.2.

@jodal jodal added the A-m3u Area: M3U backend label Sep 17, 2018
@jodal jodal added this to the v2.2 milestone Sep 17, 2018
@jodal jodal self-assigned this Sep 17, 2018
@jodal jodal added the A-core Area: Core layer label Sep 17, 2018
@jodal jodal force-pushed the fix/m3u-arbitrary-file-access branch from 3a595a0 to c01e796 Compare September 17, 2018 20:33
@jodal jodal force-pushed the fix/m3u-arbitrary-file-access branch from c01e796 to 58e75b2 Compare September 19, 2018 20:27
Copy link

Cool! I'm on holiday this week but can review when back.

@kingosticks kingosticks merged commit 09240da into mopidy:develop Sep 27, 2018
@jodal jodal deleted the fix/m3u-arbitrary-file-access branch September 28, 2018 08:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
A-core Area: Core layer A-m3u Area: M3U backend
None yet

Successfully merging this pull request may close these issues.

None yet

2 participants