Improve URI sanitation
The old implementation failed to sanitize URIs like ".", "..", "../.." or "//"
This commit is contained in:
parent
c217e5d2ff
commit
ee095a463d
@ -177,12 +177,17 @@ class Application(object):
|
||||
|
||||
@staticmethod
|
||||
def sanitize_uri(uri):
|
||||
"""Unquote and remove /../ to prevent access to other data."""
|
||||
"""Unquote and make absolute to prevent access to other data."""
|
||||
uri = unquote(uri)
|
||||
trailing_slash = "/" if uri.endswith("/") else ""
|
||||
uri = posixpath.normpath(uri)
|
||||
trailing_slash = "" if uri == "/" else trailing_slash
|
||||
return uri + trailing_slash
|
||||
new_uri = "/"
|
||||
for part in uri.split("/"):
|
||||
if not part or part in (".", ".."):
|
||||
continue
|
||||
new_uri = posixpath.join(new_uri, part)
|
||||
trailing_slash = "" if new_uri.endswith("/") else trailing_slash
|
||||
return new_uri + trailing_slash
|
||||
|
||||
def collect_allowed_items(self, items, user):
|
||||
"""Get items from request that user is allowed to access."""
|
||||
|
Loading…
Reference in New Issue
Block a user