fix traversal vulnerability GHSA-pxfv-7rr3-2qjg:

the /.cpr endpoint allowed read access to the entire server filesystem via path traversal,
unless mitigated by prisonparty
This commit is contained in:
ed 2023-07-14 15:55:49 +00:00
parent 8f59afb159
commit 043e3c7dd6


@ -42,6 +42,7 @@ from .util import (
Pebkac, Pebkac,
UnrecvEOF, UnrecvEOF,
alltrace, alltrace,
absreal,
atomic_move, atomic_move,
exclude_dotfiles, exclude_dotfiles,
fsenc, fsenc,
@ -779,7 +780,14 @@ class HttpCli(object):
self.reply(b"", 301, headers=h) self.reply(b"", 301, headers=h)
return True return True
static_path = os.path.join(self.E.mod, "web/", self.vpath[5:]) path_base = os.path.join(self.E.mod, "web")
static_path = absreal(os.path.join(path_base, self.vpath[5:]))
if not static_path.startswith(path_base):
t = "attempted path traversal [{}] => [{}]"
self.log(t.format(self.vpath, static_path), 1)
self.tx_404()
return False
return self.tx_file(static_path) return self.tx_file(static_path)
if "cf_challenge" in self.uparam: if "cf_challenge" in self.uparam:
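Review bot: The containment test on `if not static_path.startswith(path_base):` is a bare string-prefix check, so a resolved path such as `<mod>/webfoo` or `<mod>/web-extra` would pass even though it lies outside `web/`; whether such a sibling exists under `self.E.mod` cannot be told from this hunk, but the boundary should be explicit: `if not (static_path == path_base or static_path.startswith(path_base + os.sep)):`. The two sides are also normalized differently — `static_path` goes through `absreal` while `path_base` is the raw `os.path.join` result — so if `self.E.mod` is relative or reached through a symlink (and `absreal` resolves symlinks as its name suggests), the comparison fails for every request and all of `/.cpr/` turns into 404s. Normalizing the base the same way, `path_base = absreal(os.path.join(self.E.mod, "web"))`, keeps both sides in the same form and makes the prefix check meaningful on every platform. The enclosing method begins before this hunk.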