
Commit 17add7f

committed
Fixed some code to prevent arbitrary file read and blind SSRF.
1 parent aa0af3f commit 17add7f


1 file changed

+14
-3
lines changed


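--- a/bazarr/app/ui.py
+++ b/bazarr/app/ui.py
@@ -143,13 +143,22 @@ def movies_images(url):
 @check_login
 @ui_bp.route('/system/backup/download/<path:filename>', methods=['GET'])
 def backup_download(filename):
-    return send_file(os.path.join(settings.backup.folder, filename), max_age=0, as_attachment=True)
+    fullpath = os.path.normpath(os.path.join(settings.backup.folder, filename))
+    if not fullpath.startswith(settings.backup.folder):
+        return '', 404
+    else:
+        return send_file(fullpath, max_age=0, as_attachment=True)
 
 
 @ui_bp.route('/api/swaggerui/static/<path:filename>', methods=['GET'])
 def swaggerui_static(filename):
-    return send_file(os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
-                                  'static', filename))
+    basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
+                            'static')
+    fullpath = os.path.join(basepath, filename)
+    if not fullpath.startswith(basepath):
+        return '', 404
+    else:
+        return send_file(fullpath)
 
 
 def configured():
@@ -160,6 +169,8 @@ def configured():
 @ui_bp.route('/test', methods=['GET'])
 @ui_bp.route('/test/<protocol>/<path:url>', methods=['GET'])
 def proxy(protocol, url):
+    if protocol.lower not in ['http', 'https']:
+        return dict(status=False, error='Unsupported protocol')
     url = protocol + '://' + unquote(url)
     params = request.args
     try: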
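Review bot: The prefix check added to swaggerui_static does not contain the path, because `fullpath` is built with `os.path.join` but never normalized, so a `filename` with `..` segments keeps `basepath` as its literal prefix while resolving outside it; apply `os.path.normpath` as backup_download does, or delegate to Flask's `send_from_directory(basepath, filename)`, which performs the safe join itself. The `startswith` checks in both handlers also accept any sibling directory whose name merely begins with the base directory's name, and in backup_download the unnormalized `settings.backup.folder` (trailing separator, relative segments) may not literally prefix the normalized `fullpath`; compare against `os.path.join(os.path.normpath(base), '')` or use `os.path.commonpath([base, fullpath]) == base`. In the proxy hunk, `protocol.lower` is the bound method rather than its result, so the `not in` test is always true and every request is rejected with 'Unsupported protocol'; it should read `if protocol.lower() not in ['http', 'https']:`. The body of proxy continues outside the hunk.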
