Commit 9353852c authored by Jérome Perrin's avatar Jérome Perrin

simplehttpserver: prevent overwriting files outside of document path

parent bbae9095
Pipeline #15823 passed with stage
in 0 seconds
......@@ -57,6 +57,9 @@ class ServerHandler(SimpleHTTPRequestHandler):
def writeFile(self, filename, content, method='ab'):
file_path = os.path.abspath(os.path.join(self.document_path, filename))
if not file_path.startswith(self.document_path):
self.respond(403, 'text/plain')
self.wfile.write(b"Forbidden")
try:
os.makedirs(os.path.dirname(file_path))
......
......@@ -87,3 +87,14 @@ class SimpleHTTPServerTest(unittest.TestCase):
self.assertIn('hello.txt', requests.get(server_base_url).text)
self.assertEqual(
requests.get(server_base_url + '/hello.txt').text, 'hello')
# incorrect paths are refused
for path in '/hello.txt', '../hello.txt':
resp = requests.post(
server_base_url,
files={
'path': path,
'content': b'hello',
},
)
self.assertEqual(resp.status_code, requests.codes.forbidden)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment