[WebUI] Fix potential flag endpoint path traversal

Fixes an issue that allows reading arbitrary OS files, though it is limited to PNG files only.

Ref: GHSL-2024-191
Issue: https://github.com/deluge-torrent/deluge/security/advisories/GHSA-4w2r-55hx-ppgc
Calum Lind 2024-08-24 14:14:30 +01:00 committed by Calum Lind
commit a49b436ff2
GPG key ID: 90597A687B836BA3

@ -227,7 +227,9 @@ class Flag(resource.Resource):
return self
def render(self, request):
flag = request.country.decode().lower() + '.png'
country = request.country.decode().lower()
# Ensure filename only, to prevent path traversal.
flag = os.path.basename(f'{country}.png')
path = ('ui', 'data', 'pixmaps', 'flags', flag)
filename = common.resource_filename('deluge', os.path.join(*path))
if os.path.exists(filename):
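Review bot: relying on `os.path.basename` alone leaves the accepted input set implicit; an explicit allowlist on `country` before the path is built (for example rejecting anything that is not a short run of lowercase ASCII letters, matching whatever the pixmap names in `ui/data/pixmaps/flags` actually are) would state the intent and make the `.png` suffix and `basename` call belt-and-braces rather than the only guard. As defence in depth, checking that `os.path.realpath(filename)` still lies under the flags directory would also catch a future refactor that drops the `basename` call. Separately, `request.country.decode()` still raises `UnicodeDecodeError` on non-UTF-8 bytes, which surfaces as a server error rather than the 404 path the `os.path.exists` branch presumably returns; decoding with `errors='replace'` or catching the exception would keep the failure mode consistent.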