security fix: submitDomainCreation

usmannasir · usmannasir · commit 4611c327d6c7 · 2020-02-08T12:51:45.000+05:00
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
@@ -261,6 +261,9 @@ def submitDomainCreation(self, userID=None, data=None):
             else:
                 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
 
+            if data['path'].find('..') > -1:
+                return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+
             if currentACL['admin'] != 1:
                 data['openBasedir'] = 1
 
