Deluge
diff options
| author | Kyle Neideck <kyle@bearisdriving.com> | 2017-03-11 13:58:28 +1100 |
|---|---|---|
| committer | Calum Lind <calumlind+deluge@gmail.com> | 2017-03-15 23:12:36 +0000 |
| commit | 960f3a6552a47549ef46dee5f9579ccf317d7bbf (patch) | |
| tree | 9d8d9ba1844af411c4fe5bec4631708171a4a2e8 /deluge/ui/web/server.py | |
| parent | 35c78eee41426bd21a0b689fda75b48fda593a57 (diff) | |
| download | deluge-960f3a6552a47549ef46dee5f9579ccf317d7bbf.tar.gz deluge-960f3a6552a47549ef46dee5f9579ccf317d7bbf.tar.bz2 deluge-960f3a6552a47549ef46dee5f9579ccf317d7bbf.zip | |
[WebUI] Check render template files exist and raise 404 if not
- Check render/* requests match to .html files in the 'render' dir
- Protects against directory (path) traversal
Diffstat (limited to 'deluge/ui/web/server.py')
| -rw-r--r-- | deluge/ui/web/server.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py index e14c89a6d..a02609f53 100644 --- a/deluge/ui/web/server.py +++ b/deluge/ui/web/server.py @@ -126,6 +126,10 @@ class Upload(resource.Resource): class Render(resource.Resource): + def __init__(self): + resource.Resource.__init__(self) + # Make a list of all the template files to check requests against. + self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html') def getChild(self, path, request): # NOQA: N802 request.render_file = path @@ -136,6 +140,10 @@ class Render(resource.Resource): request.setResponseCode(http.INTERNAL_SERVER_ERROR) return '' + if request.render_file not in self.template_files: + request.setResponseCode(http.NOT_FOUND) + return '<h1>404 - Not Found</h1>' + filename = os.path.join('render', request.render_file) template = Template(filename=rpath(filename)) request.setHeader(b'content-type', b'text/html') |