
deluge-1.3.11-1.3.mga5.src.rpm

From 41acade01ae88f7b7bbdba308a0886771aa582fd Mon Sep 17 00:00:00 2001
From: Kyle Neideck <kyle@bearisdriving.com>
Date: Sat, 11 Mar 2017 13:58:28 +1100
Subject: [WebUI] Check render template files exist and raise 404 if not

 - Check render/* requests match to .html files in the 'render' dir
 - Protects against directory (path) traversal
---
 deluge/ui/web/server.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index f092fc0..4f1f1ba 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -174,6 +174,10 @@ class Upload(resource.Resource):
         }), request)
 
 class Render(resource.Resource):
+    def __init__(self):
+        resource.Resource.__init__(self)
+        # Make a list of all the template files to check requests against.
+        self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html')
 
     def getChild(self, path, request):
         request.render_file = path
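Review bot: The list built in `Render.__init__` is the allowlist that the later 404 check relies on, but the comment does not say so, and it is a one-time snapshot of the `render` directory taken at construction. I would make it immutable and document its role: `self.template_files = frozenset(fnmatch.filter(os.listdir(rpath('render')), '*.html'))` with the comment `# Allowlist of servable template names; requests must match an entry exactly, so it may only hold bare file names.` The diffstat shows all 8 insertions are in these two hunks, so `fnmatch` must already be imported at the top of `server.py`; that is worth confirming, as is what should happen if `os.listdir` raises because the directory is missing. `getChild` continues below the end of this hunk.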
@@ -184,6 +188,10 @@ class Render(resource.Resource):
             request.setResponseCode(http.INTERNAL_SERVER_ERROR)
             return ""
 
+        if request.render_file not in self.template_files:
+            request.setResponseCode(http.NOT_FOUND)
+            return "<h1>404 - Not Found</h1>"
+
         filename = os.path.join("render", request.render_file)
         template = Template(filename=rpath(filename))
         request.setHeader("content-type", "text/html")
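Review bot: The new 404 branch rejects the request silently, so repeated requests under `render/` for names outside the allowlist leave no trace on the server side. If a module-level logger is in scope (not visible in this hunk), a line such as `log.warning("Rejected render request for %r", request.render_file)` before `request.setResponseCode(http.NOT_FOUND)` would give operators something to alert on, and `%r` keeps control characters in the requested name out of the log. The exact-membership test runs before `os.path.join`, which is the right order and should be preserved if this method is refactored. The enclosing method starts above the hunk and continues past its last line.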
-- 
cgit v1.1