From 3bc45b5672f332e7cdbe314c756fcf4aac74e11f Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Wed, 7 Oct 2020 00:31:20 +0200 Subject: [PATCH] [enh] Replace os.path.join to improve security --- src/yunohost/app.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/yunohost/app.py b/src/yunohost/app.py index ae6accab0..f017521d2 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -1889,10 +1889,14 @@ def app_config_apply(operation_logger, app, args): filename = args[generated_name + '[name]'] content = args[generated_name] logger.debug("Save uploaded file %s from API into %s", filename, upload_dir) - file_path = os.path.join(upload_dir, filename) + + # Filename is given by user of the API. For security reason, we have replaced + # os.path.join to avoid the user to be able to rewrite a file in filesystem + # i.e. os.path.join("/foo", "/etc/passwd") == "/etc/passwd" + file_path = os.path.normpath(upload_dir + "/" + filename) i = 2 while os.path.exists(file_path): - file_path = os.path.join(upload_dir, filename + (".%d" % i)) + file_path = os.path.normpath(upload_dir + "/" + filename + (".%d" % i)) i += 1 try: with open(file_path, 'wb') as f: