Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix arbitrary file access in M3U backend #1702

merged 4 commits into from Sep 27, 2018


Copy link

@jodal jodal commented Sep 17, 2018

This PR:

  • Defines the return value of core.playlists.delete() to be a success bool.
  • Updates the M3U backend to use mopidy.internal.path.is_path_inside_base_dir() to check if any received URI/path is inside the m3u/playlist_dir directory. If not, the request is treated as if the path doesn't exist.

This should plug the last part of #1659 and make us ready to release Mopidy 2.2.

@jodal jodal added the A-m3u label Sep 17, 2018
@jodal jodal added this to the v2.2 milestone Sep 17, 2018
@jodal jodal self-assigned this Sep 17, 2018
@jodal jodal requested review from adamcik and kingosticks Sep 17, 2018
@jodal jodal added the A-core label Sep 17, 2018
@jodal jodal force-pushed the jodal:fix/m3u-arbitrary-file-access branch from 3a595a0 to c01e796 Sep 17, 2018
@jodal jodal force-pushed the jodal:fix/m3u-arbitrary-file-access branch from c01e796 to 58e75b2 Sep 19, 2018
Copy link

@kingosticks kingosticks commented Sep 20, 2018

Cool! I'm on holiday this week but can review when back.

@kingosticks kingosticks merged commit 09240da into mopidy:develop Sep 27, 2018
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
@jodal jodal deleted the jodal:fix/m3u-arbitrary-file-access branch Sep 28, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants