security fix: submitDomainCreation

usmannasir · Feb 8, 2020 · 4611c32 · 4611c32
1 parent 7b3029e
commit 4611c32
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
@@ -261,6 +261,9 @@ def submitDomainCreation(self, userID=None, data=None):
             else:
                 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
 
+            if data['path'].find('..') > -1:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
             if currentACL['admin'] != 1:
                 data['openBasedir'] = 1