Skip to content

GitLab

"signatures/git@developer.sourcefind.cn:wangsen/mineru.git" did not exist on "c2c34c39a81c194660ee56c5aa942ee9e72e3c54"
Commit b1294fa4 authored by m957ymj75urz's avatar m957ymj75urz
Browse files

fix path traversal for /view

parent 5b425aaa
Show whitespace changes
Inline Side-by-side
Showing with 5 additions and 1 deletion
server.py
View file @ b1294fa4
...@@ -118,11 +118,15 @@ class PromptServer(): ...@@ -118,11 +118,15 @@ class PromptServer():
output_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), type) output_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), type)
if "subfolder" in request.rel_url.query: if "subfolder" in request.rel_url.query:
output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"]) full_output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
if os.path.commonpath((os.path.realpath(full_output_dir), output_dir)) != output_dir:
return web.Response(status=403)
output_dir = full_output_dir
file = request.rel_url.query["file"] file = request.rel_url.query["file"]
file = os.path.basename(file) file = os.path.basename(file)
file = os.path.join(output_dir, file) file = os.path.join(output_dir, file)
if os.path.isfile(file): if os.path.isfile(file):
return web.FileResponse(file) return web.FileResponse(file)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment