fix path traversal for /view

b1294fa4 · m957ymj75urz · 5b425aaa · b1294fa4
Commit b1294fa4 authored Mar 14, 2023 by m957ymj75urz
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

server.py server.py +5 -1

No files found.
--- a/server.py
+++ b/server.py
@@ -118,11 +118,15 @@ class PromptServer():

                output_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), type)
                if "subfolder" in request.rel_url.query:
-                    output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
+                    full_output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
+                    if os.path.commonpath((os.path.realpath(full_output_dir), output_dir)) != output_dir:
+                        return web.Response(status=403)
+                    output_dir = full_output_dir

                file = request.rel_url.query["file"]
                file = os.path.basename(file)
                file = os.path.join(output_dir, file)
+
                if os.path.isfile(file):
                    return web.FileResponse(file)