From 41acade01ae88f7b7bbdba308a0886771aa582fd Mon Sep 17 00:00:00 2001
From: Kyle Neideck <kyle@bearisdriving.com>
Date: Sat, 11 Mar 2017 13:58:28 +1100
Subject: [WebUI] Check render template files exist and raise 404 if not

- Check render/* requests match to .html files in the 'render' dir
- Protects against directory (path) traversal
---
 deluge/ui/web/server.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index f092fc0..4f1f1ba 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -174,6 +174,10 @@ class Upload(resource.Resource):
 }), request)
 
 class Render(resource.Resource):
+ def __init__(self):
+ resource.Resource.__init__(self)
+ # Make a list of all the template files to check requests against.
+ self.template_files = fnmatch.filter(os.listdir(rpath('render')), '*.html')
 
 def getChild(self, path, request):
 request.render_file = path
@@ -184,6 +188,10 @@ class Render(resource.Resource):
 request.setResponseCode(http.INTERNAL_SERVER_ERROR)
 return ""
 
+ if request.render_file not in self.template_files:
+ request.setResponseCode(http.NOT_FOUND)
+ return "<h1>404 - Not Found</h1>"
+
 filename = os.path.join("render", request.render_file)
 template = Template(filename=rpath(filename))
 request.setHeader("content-type", "text/html")
-- 
cgit v1.1
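Review bot: The comment on `self.template_files` in `Render.__init__` does not say that the allowlist is a one-time snapshot of the 'render' directory taken when the resource is constructed, so a template added later will be answered with 404 until the resource is recreated; that is a reasonable trade-off for an allowlist, but it should be stated. I would replace the comment with `# Snapshot of the .html files in the 'render' dir, taken once at construction; requests are matched against these names exactly, so new templates need a restart to become servable.` If `rpath('render')` is missing, `os.listdir` presumably raises out of the constructor rather than producing an empty allowlist, which is the safer failure mode and worth a word in the same comment. The membership check itself is in the second hunk and is commented on there.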
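Review bot: The new `if request.render_file not in self.template_files:` check is what actually defeats traversal, because it is an exact-equality test of the single path segment from `getChild` against names returned by `os.listdir`, so no string containing a separator or `..` can ever match; that invariant is not written down, and a later change to a prefix, suffix or `fnmatch` test would silently reintroduce the problem. I would add above the check `# Exact match against the startup allowlist: anything that is not literally one of the listed template names (including any path with separators or '..') is rejected here.` Separately, the 404 branch returns an HTML body before the `request.setHeader("content-type", "text/html")` line at the end of the hunk runs, so that response goes out without an explicit content type; moving the `setHeader` call above the check, or adding it inside the branch, fixes that. The enclosing render method starts before this hunk, so I cannot see whether the earlier `INTERNAL_SERVER_ERROR` branch should also come after this check.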