monorail
/
Archipelago
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

<filename> route needs sanitazition, as it can escalate to parent folders and grab any file from the server.

This commit is contained in:
Fabian Dill 2020-08-01 02:32:48 +02:00
parent 2f2cfc6a09
commit e4e57432e3
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
WebHostLib/__init__.py
View File

@ -6,7 +6,7 @@ import uuid
import base64 import base64
from pony.flask import Pony from pony.flask import Pony
from flask import Flask, request, redirect, url_for, render_template, Response, session, abort from flask import Flask, request, redirect, url_for, render_template, Response, session, abort, send_from_directory
from flask_caching import Cache from flask_caching import Cache
from flaskext.autoversion import Autoversion from flaskext.autoversion import Autoversion
from flask_compress import Compress from flask_compress import Compress
@ -128,10 +128,10 @@ def host_room(room: UUID):
return render_template("host_room.html", room=room) return render_template("host_room.html", room=room)
@app.route('/<filename>', methods=['GET']) @app.route('/favicon.ico')
def static_file(filename: str): def favicon():
return app.send_static_file(filename) return send_from_directory(os.path.join(app.root_path, 'static'),
'favicon.ico', mimetype='image/vnd.microsoft.icon')
from WebHostLib.customserver import run_server_process from WebHostLib.customserver import run_server_process
from . import tracker, upload, landing, check # to trigger app routing picking up on it from . import tracker, upload, landing, check # to trigger app routing picking up on it