Fix arbitrary file access in M3U backend #1702

Merged
merged 4 commits into from Sep 27, 2018

2 participants
@jodal
Member

jodal commented Sep 17, 2018

This PR:

  • Defines the return value of core.playlists.delete() to be a success bool.
  • Updates the M3U backend to use mopidy.internal.path.is_path_inside_base_dir() to check if any received URI/path is inside the m3u/playlist_dir directory. If not, the request is treated as if the path doesn't exist.

This should plug the last part of #1659 and make us ready to release Mopidy 2.2.
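
The containment check described in the PR text above, as an added example that is not part of the PR or Mopidy's code: a path-inside-base-directory test where anything outside the directory is reported the same way as a missing file. The names `is_inside`, `lookup_playlist` and `demo`, and the sample directory tree, are assumptions constructed for illustration.

```python
import os
import tempfile


def is_inside(path, base_dir):
    """True if path, after resolving symlinks and '..', lies within base_dir."""
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(path)
    # commonpath compares whole path components, so /x/playlists-old is not
    # mistaken for a child of /x/playlists the way str.startswith() would be.
    return os.path.commonpath([real_base, real_path]) == real_base


def lookup_playlist(name, playlist_dir):
    """Return the file's text, or None when the path is outside playlist_dir
    or does not exist. The caller cannot tell the two cases apart."""
    # os.path.join discards playlist_dir when `name` is absolute, which is
    # why the check runs on the joined result and not on `name` alone.
    candidate = os.path.join(playlist_dir, name)
    if not is_inside(candidate, playlist_dir):
        return None
    try:
        with open(candidate, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def demo():
    """Build a constructed directory tree and probe it with sample names."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "playlists")
        sibling = os.path.join(root, "playlists-old")
        os.mkdir(base)
        os.mkdir(sibling)
        secret = os.path.join(root, "secret.txt")
        for path, text in [(os.path.join(base, "ok.m3u"), "track.mp3\n"),
                           (os.path.join(sibling, "x.m3u"), "old\n"),
                           (secret, "private\n")]:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        os.symlink(secret, os.path.join(base, "link.m3u"))
        names = ["ok.m3u", "../secret.txt", secret,
                 "../playlists-old/x.m3u", "link.m3u", "missing.m3u"]
        return {("<absolute>" if n == secret else n): lookup_playlist(n, base)
                for n in names}
```

The check and the `open()` are separate steps, so this sketch assumes the playlist directory is not writable by an untrusted party between the two.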

@jodal jodal added the A-m3u label Sep 17, 2018

@jodal jodal added this to the v2.2 milestone Sep 17, 2018

@jodal jodal self-assigned this Sep 17, 2018

@jodal jodal requested review from adamcik and kingosticks Sep 17, 2018

@jodal jodal added the A-core label Sep 17, 2018

@jodal jodal force-pushed the jodal:fix/m3u-arbitrary-file-access branch from 3a595a0 to c01e796 Sep 17, 2018

@jodal jodal force-pushed the jodal:fix/m3u-arbitrary-file-access branch from c01e796 to 58e75b2 Sep 19, 2018

@kingosticks

Member

kingosticks commented Sep 20, 2018

Cool! I'm on holiday this week but can review when back.

@kingosticks kingosticks merged commit 09240da into mopidy:develop Sep 27, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

@jodal jodal deleted the jodal:fix/m3u-arbitrary-file-access branch Sep 28, 2018
