Add function is_valid_upload_path to fix crafted filepaths to escape …

…the base directory. Close #2.
sc0tfree · Feb 19, 2020 · 1fe14fb · 1fe14fb
1 parent ed0f911
commit 1fe14fb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/updog/__main__.py b/updog/__main__.py
@@ -8,7 +8,7 @@
 from werkzeug.security import generate_password_hash, check_password_hash
 from werkzeug.serving import run_simple
 
-from updog.utils.path import is_valid_subpath, get_parent_directory, process_files
+from updog.utils.path import is_valid_subpath, is_valid_upload_path, get_parent_directory, process_files
 from updog.utils.output import error, info, warn, success
 from updog import version as VERSION
 
@@ -129,7 +129,7 @@ def upload():
 
             path = request.form['path']
             # Prevent file upload to paths outside of base directory
-            if not is_valid_subpath(path, base_directory) or path == '':
+            if not is_valid_upload_path(path, base_directory):
                 return redirect(request.referrer)
 
             for file in request.files.getlist('file'):

diff --git a/updog/utils/path.py b/updog/utils/path.py
@@ -9,6 +9,13 @@ def is_valid_subpath(relative_directory, base_directory):
     return os.path.commonprefix([base_directory, in_question]) == base_directory
 
 
+def is_valid_upload_path(path, base_directory):
+    if path == '':
+        return False
+    in_question = os.path.abspath(path)
+    return os.path.commonprefix([base_directory, in_question]) == base_directory
+
+
 def get_relative_path(file_path, base_directory):
     return file_path.split(os.path.commonprefix([base_directory, file_path]))[1][1:]