[WebUI] Check render template files exist and raise 404 if not

- Check render/* requests match to .html files in the 'render' dir
 - Protects against directory (path) traversal

deluge/ui/web/server.py

@@ -174,6 +174,10 @@ class Upload(resource.Resource):
         }), request)
 
 class Render(resource.Resource):
+    def __init__(self):
+        resource.Resource.__init__(self)
+        # Make a list of all the template files to check requests against.
+        self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html')
 
     def getChild(self, path, request):
         request.render_file = path
@@ -184,6 +188,10 @@ class Render(resource.Resource):
             request.setResponseCode(http.INTERNAL_SERVER_ERROR)
             return ""
 
+        if request.render_file not in self.template_files:
+            request.setResponseCode(http.NOT_FOUND)
+            return "<h1>404 - Not Found</h1>"
+
         filename = os.path.join("render", request.render_file)
         template = Template(filename=rpath(filename))
         request.setHeader("content-type", "text/html")