Fix path traversal in static HTML export
This vulnerability was discovered by Sonar,
https://www.sonarsource.com/, who provided a detailed description of
the vulnerability, and also the fix as it is applied here.

The fix will be backported to the last release, v2.3.1, and released as
v2.3.2. A blog post will be published on pretalx.com.
rixx committed Mar 7, 2023
1 parent 4732e8f commit 60722c4
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion src/pretalx/agenda/management/commands/export_schedule_html.py
Expand Up @@ -115,7 +115,9 @@ def dump_content(destination, path, getter):
if path.endswith("/"):
path = path + "index.html"

path = Path(destination) / path.lstrip("/")
path = (Path(destination) / path.lstrip("/")).resolve()
if not Path(destination) in path.parents:
raise CommandError("Path traversal detected, aborting.")
path.parent.mkdir(parents=True, exist_ok=True)

with open(path, "wb") as f:
Expand All @@ -131,6 +133,14 @@ def get_mediastatic_content(url):
else:
raise FileNotFoundError()

# Prevent directory traversal, make sure the path is inside the media or static root
local_path = local_path.resolve(strict=True)
if not any(
path in local_path.parents
for path in (settings.MEDIA_ROOT, settings.STATIC_ROOT)
):
raise FileNotFoundError()

with open(local_path, "rb") as f:
return f.read()

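Review bot: The guard `if not Path(destination) in path.parents:` compares a fully resolved path against an unresolved one, so when `destination` is given relative to the working directory or lives behind a symlink (a temp directory, for instance), `Path(destination)` never appears in `path.parents` and every export aborts with CommandError even though nothing traversed. Resolving the root once and reusing it keeps the check meaningful and also reads idiomatically: `root = Path(destination).resolve()`, `path = (root / path.lstrip("/")).resolve()`, `if root not in path.parents:`. The second hunk has the same asymmetry: the resolved `local_path` is compared against `settings.MEDIA_ROOT` and `settings.STATIC_ROOT` as configured, and if those are not resolved `Path` objects (a plain string setting would never match a `Path` in `.parents`) the check rejects every media and static file, so `Path(root).resolve()` for each root is warranted there too. Both `dump_content` and `get_mediastatic_content` begin before their hunks, so where `destination` and `local_path` come from is not visible here.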
