YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

[enh] Replace os.path.join to improve security

Browse source
This commit is contained in:
ljf (zamentur) 2020-10-07 00:31:20 +02:00 committed by ljf
parent fb0d23533e
commit 975bf4edcb
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/yunohost/app.py
View file

@ -1896,10 +1896,14 @@ def app_config_apply(operation_logger, app, args):
filename = args[generated_name + '[name]'] filename = args[generated_name + '[name]']
content = args[generated_name] content = args[generated_name]
logger.debug("Save uploaded file %s from API into %s", filename, upload_dir) logger.debug("Save uploaded file %s from API into %s", filename, upload_dir)
file_path = os.path.join(upload_dir, filename)
# Filename is given by user of the API. For security reason, we have replaced
# os.path.join to avoid the user to be able to rewrite a file in filesystem
# i.e. os.path.join("/foo", "/etc/passwd") == "/etc/passwd"
file_path = os.path.normpath(upload_dir + "/" + filename)
i = 2 i = 2
while os.path.exists(file_path): while os.path.exists(file_path):
file_path = os.path.join(upload_dir, filename + (".%d" % i)) file_path = os.path.normpath(upload_dir + "/" + filename + (".%d" % i))
i += 1 i += 1
try: try:
with open(file_path, 'wb') as f: with open(file_path, 'wb') as f: