@@ -143,13 +143,22 @@ def movies_images(url):
143143@check_login
144144@ui_bp .route ('/system/backup/download/<path:filename>' , methods = ['GET' ])
145145def backup_download (filename ):
146- return send_file (os .path .join (settings .backup .folder , filename ), max_age = 0 , as_attachment = True )
146+ fullpath = os .path .normpath (os .path .join (settings .backup .folder , filename ))
147+ if not fullpath .startswith (settings .backup .folder ):
148+ return '' , 404
149+ else :
150+ return send_file (fullpath , max_age = 0 , as_attachment = True )
147151
148152
149153@ui_bp .route ('/api/swaggerui/static/<path:filename>' , methods = ['GET' ])
150154def swaggerui_static (filename ):
151- return send_file (os .path .join (os .path .dirname (os .path .dirname (os .path .dirname (__file__ ))), 'libs' , 'flask_restx' ,
152- 'static' , filename ))
155+ basepath = os .path .join (os .path .dirname (os .path .dirname (os .path .dirname (__file__ ))), 'libs' , 'flask_restx' ,
156+ 'static' )
157+ fullpath = os .path .join (basepath , filename )
158+ if not fullpath .startswith (basepath ):
159+ return '' , 404
160+ else :
161+ return send_file (fullpath )
153162
154163
155164def configured ():
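Review bot: The new containment check in swaggerui_static does not actually block traversal, because fullpath is built with os.path.join and never normalized, so a filename carrying parent-directory segments still starts with basepath and reaches send_file. Normalize before comparing, and compare on path components rather than a raw string prefix, since startswith also accepts a sibling directory whose name merely begins with the base (the same prefix weakness applies to the backup_download check above): `fullpath = os.path.normpath(os.path.join(basepath, filename))` and `if os.path.commonpath([basepath, fullpath]) != basepath:`. Flask's `send_from_directory(basepath, filename)` performs this containment check itself and would replace both branches; if basepath can be relative here, normalize it too before commonpath, which rejects mixed absolute and relative inputs.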
@@ -160,6 +169,8 @@ def configured():
160169@ui_bp .route ('/test' , methods = ['GET' ])
161170@ui_bp .route ('/test/<protocol>/<path:url>' , methods = ['GET' ])
162171def proxy (protocol , url ):
172+ if protocol .lower not in ['http' , 'https' ]:
173+ return dict (status = False , error = 'Unsupported protocol' )
163174 url = protocol + '://' + unquote (url )
164175 params = request .args
165176 try :
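Review bot: `protocol.lower` on the first added line is a bound method, not a string, so it is never in the list and every request through proxy now returns the 'Unsupported protocol' error; it needs to be called: `if protocol.lower() not in ['http', 'https']:`. The plain `/test` route is also declared without the protocol and url parameters, so it presumably cannot reach this check without a TypeError — worth confirming. proxy's body continues outside the hunk.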