[WebUI] Fix js script dir traversal vulnerability

Normalise the path to find scripts and skip any scripts located outside of the deluge scripts directory. Ref: GHSL-2024-188 Issue: https://github.com/deluge-torrent/deluge/security/advisories/GHSA-3mmw-mvr2-44rw
2025-09-02 16:15:32 +00:00 · 2024-08-24 20:22:11 +01:00 · 2024-08-24 20:22:11 +01:00 · a83f56a8a5
commit a83f56a8a5
parent 757a782351
1 changed files with 10 additions and 0 deletions
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@ -449,8 +449,18 @@ class ScriptResource(resource.Resource, component.Component):
                    filepath = filepath[0]

                path = filepath + lookup_path[len(pattern) :]
+                path = os.path.abspath(path)
+
+                if not os.path.commonpath([path, filepath]) == filepath:
+                    log.warning(
+                        'Script path %s traverses out of common dir %s',
+                        path,
+                        filepath,
+                    )
+                    continue

                if not os.path.isfile(path):
+                    log.warning('Unable to serve script which does not exist: %s', path)
                    continue

                log.debug('Serving path: %s', path)