From a49b436ff2fdbc3ff3a1cfbdd5be4786e62c9589 Mon Sep 17 00:00:00 2001
From: Calum Lind
Date: Sat, 24 Aug 2024 14:14:30 +0100
Subject: [PATCH] [WebUI] Fix potential flag endpoint path traversal

Fixes issue that allows for reading arbitrary OS files but is limited to PNG files only.

Ref: GHSL-2024-191
Issue: https://github.com/deluge-torrent/deluge/security/advisories/GHSA-4w2r-55hx-ppgc
---
 deluge/ui/web/server.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index e88c96969..e93d4f6f3 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -227,7 +227,9 @@ class Flag(resource.Resource):
         return self
 
     def render(self, request):
-        flag = request.country.decode().lower() + '.png'
+        country = request.country.decode().lower()
+        # Ensure filename only, to prevent path traversal.
+        flag = os.path.basename(f'{country}.png')
         path = ('ui', 'data', 'pixmaps', 'flags', flag)
         filename = common.resource_filename('deluge', os.path.join(*path))
         if os.path.exists(filename):
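Review bot: The `os.path.basename` call on the added `flag = ...` line normalizes a hostile value into some other filename instead of rejecting it, so a value like `../x` quietly becomes a lookup for `x.png` and the request is served as if it were valid; an allowlist on `country` is the stricter guard and does not depend on the platform's separator rules. The flag files appear to be short alphabetic codes (inferred from the `flags` directory name, not shown in the hunk), so a check such as `if not (country.isascii() and country.isalpha()): return b''` right after the `country = ...` line would refuse anything else before the path is built, with the early return adjusted to whatever not-found response the rest of `render` uses. `request.country.decode()` also still runs on unvalidated bytes, where it is set is outside the hunk, and a malformed value would raise `UnicodeDecodeError` out of `render`; `decode(errors='replace')` or catching that error keeps it from surfacing as a server error. The body of `render` continues past the end of the hunk.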