author | Anton Khirnov <anton@khirnov.net> | 2019-12-17 21:29:31 +0100 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2019-12-17 21:29:31 +0100 |
commit | dd1627fb78f8461ea89add9535a1abe6fcadfadc (patch) | |
tree | 94be8a94ea6261c7f0f9fc6608f770a673b42189 | |
parent | 650c33b18b159e75a4bf43c341b4aae049ea26ef (diff) |
dash_server: make sure requests do not point outside our root.
-rwxr-xr-x | dash_server.py | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/dash_server.py b/dash_server.py
index da65584..8a78f0f 100755
--- a/dash_server.py
+++ b/dash_server.py
@@ -187,8 +187,18 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
 super().__init__(*args, **kwargs)
- def _decode_path(self, encoded_path):
- return urlparse.unquote_to_bytes(encoded_path)
+ def _process_path(self, encoded_path):
+ # decode percent-encoding
+ path = urlparse.unquote_to_bytes(encoded_path)
+
+ # normalize the path
+ path = os.path.normpath(path)
+
+ # make sure the path doesn't point outside of our root
+ if path.startswith(b'..'):
+ raise PermissionError('Invalid path')
+
+ return path
 def _serve_local(self, path):
 with open(path, 'rb') as infile:
@@ -207,7 +217,7 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
 def do_GET(self):
 self._log_request()
- local_path = self._decode_path(self.path)
+ local_path = self._process_path(self.path)
 outpath = b'/'.join((self.server.serve_dir, local_path))
 try:
 ds = self.server._streams[local_path]
@@ -241,7 +251,7 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
 self._log_request()
 with contextlib.ExitStack() as stack:
- local_path = self._decode_path(self.path)
+ local_path = self._process_path(self.path)
 ds = stack.enter_context(contextlib.closing(DataStream()))
 stack.enter_context(self.server._streams.add_entry(local_path, ds)) |
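Review bot: The `startswith(b'..')` test in `_process_path` only rejects relative targets; for the usual request target that begins with `/`, `os.path.normpath` returns an absolute path with the `..` components folded at the root, so staying under `serve_dir` then depends on do_GET building `outpath` with `b'/'.join(...)` rather than `os.path.join`, which would discard `serve_dir` for an absolute component. A comment would protect that invariant, e.g. `# NOTE: path may still be absolute here; callers must prepend serve_dir by plain concatenation, never os.path.join`. The prefix test also rejects legitimate names such as `..foo`; `if path == b'..' or path.startswith(b'../'):` is component-aware. normpath is purely lexical, so a symlink inside the served directory that points elsewhere is not covered by this check.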
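Review bot: In do_GET the call to `_process_path` sits before the `try:`, so the new `PermissionError` is not visibly turned into an HTTP error response; unless it is caught outside this hunk, the client presumably gets a dropped connection rather than a 403 status. Wrapping the call in its own `try` with `except PermissionError: return self.send_error(403)` would give a clean, loggable rejection. The third hunk has the same shape: there the call is inside the `ExitStack` block with no handler in view. Both methods continue outside their hunks, so this should be checked against the full file.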