mirrors/deluge
1
0
Fork 0
mirror of https://git.deluge-torrent.org/deluge synced 2025-04-20 03:24:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

[WebUI] Check render template files exist and raise 404 if not

Browse source 
- Check render/* requests match to .html files in the 'render' dir
 - Protects against directory (path) traversal
This commit is contained in:
Kyle Neideck 2017-03-11 13:58:28 +11:00 committed by Calum Lind
parent 9bec5142c7
commit 41acade01a
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
deluge/ui/web/server.py
View file

@ -174,6 +174,10 @@ class Upload(resource.Resource):
}), request)
class Render(resource.Resource):
def __init__(self):
resource.Resource.__init__(self)
# Make a list of all the template files to check requests against.
self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html')
def getChild(self, path, request):
request.render_file = path
@ -184,6 +188,10 @@ class Render(resource.Resource):
request.setResponseCode(http.INTERNAL_SERVER_ERROR)
return ""
if request.render_file not in self.template_files:
request.setResponseCode(http.NOT_FOUND)
return "<h1>404 - Not Found</h1>"
filename = os.path.join("render", request.render_file)
template = Template(filename=rpath(filename))
request.setHeader("content-type", "text/html")