Path traversal check
This commit is contained in:
parent
d12c81b773
commit
a1244b9e3e
3 changed files with 24 additions and 5 deletions
13
app/app.py
13
app/app.py
|
@ -12,7 +12,7 @@ from flask_swagger_ui import get_swaggerui_blueprint
|
|||
from translatehtml import translate_html
|
||||
from werkzeug.utils import secure_filename
|
||||
|
||||
from app import flood, remove_translated_files
|
||||
from app import flood, remove_translated_files, security
|
||||
from app.language import detect_languages, transliterate
|
||||
from .api_keys import Database
|
||||
from .suggestions import Database as SuggestionsDatabase
|
||||
|
@ -621,10 +621,15 @@ def create_app(args):
|
|||
Download a translated file
|
||||
"""
|
||||
if args.disable_files_translation:
|
||||
abort(403, description="Files translation are disabled on this server.")
|
||||
|
||||
|
||||
abort(400, description="Files translation are disabled on this server.")
|
||||
|
||||
filepath = os.path.join(get_upload_dir(), filename)
|
||||
try:
|
||||
checked_filepath = security.path_traversal_check(filepath, get_upload_dir())
|
||||
if os.path.isfile(checked_filepath):
|
||||
filepath = checked_filepath
|
||||
except security.SuspiciousFileOperation:
|
||||
abort(400, description="Invalid filename")
|
||||
|
||||
return_data = io.BytesIO()
|
||||
with open(filepath, 'rb') as fo:
|
||||
|
|
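Review bot: In the second hunk of app/app.py the `if os.path.isfile(checked_filepath):` guard only assigns `filepath = checked_filepath` when the file exists, so for a missing file `filepath` keeps the unchecked `os.path.join(...)` result and the later `open(filepath, 'rb')` raises FileNotFoundError (a 500) instead of a clean client error. The checked, absolute path should be used unconditionally and the missing-file case handled explicitly: `if not os.path.isfile(checked_filepath):` / `    abort(404, description="File not found")` / `filepath = checked_filepath`. The hunk also shows `secure_filename` already imported from werkzeug, so applying it to `filename` before the join would presumably be a cheap second layer, though I cannot tell from here whether legitimate upload names would survive it. The enclosing route function starts before and continues after this hunk.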
14
app/security.py
Normal file
14
app/security.py
Normal file
|
@ -0,0 +1,14 @@
|
|||
import os
|
||||
|
||||
class SuspiciousFileOperation(Exception):
|
||||
pass
|
||||
|
||||
def path_traversal_check(unsafe_path, known_safe_path):
|
||||
known_safe_path = os.path.abspath(known_safe_path)
|
||||
unsafe_path = os.path.abspath(unsafe_path)
|
||||
|
||||
if (os.path.commonprefix([known_safe_path, unsafe_path]) != known_safe_path):
|
||||
raise SuspiciousFileOperation("{} is not safe".format(unsafe_path))
|
||||
|
||||
# Passes the check
|
||||
return unsafe_path
|
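Review bot: `os.path.commonprefix` in path_traversal_check compares strings character by character, not path components, so a sibling directory whose name merely starts with the upload directory's name (for example `<upload_dir>_other/x`) shares the full prefix and passes the check; `os.path.commonpath` does a component-wise comparison and is the right primitive here. `os.path.abspath` also leaves symlinks unresolved, so a link inside the upload directory pointing elsewhere would pass; `os.path.realpath` on both sides closes that. `commonpath` raises ValueError for paths on different drives or a mix of absolute and relative paths, which should be treated as "not inside" rather than propagate. A rewrite of the function body with these three changes is below; the docstring-level intent ("returns the resolved path if it lies within known_safe_path, raises SuspiciousFileOperation otherwise") is worth stating in a docstring as well.
```python
def path_traversal_check(unsafe_path, known_safe_path):
    """Return the resolved *unsafe_path* if it lies inside *known_safe_path*.

    Raises SuspiciousFileOperation when the resolved path escapes the
    safe directory (including via a sibling with a common name prefix
    or a symlink pointing outside it).
    """
    known_safe_path = os.path.realpath(known_safe_path)
    unsafe_path = os.path.realpath(unsafe_path)

    try:
        # component-wise containment, unlike commonprefix's string compare
        inside = os.path.commonpath([known_safe_path, unsafe_path]) == known_safe_path
    except ValueError:
        # different drives or mixed absolute/relative paths can never be inside
        inside = False

    if not inside:
        raise SuspiciousFileOperation("{} is not safe".format(unsafe_path))

    # Passes the check
    return unsafe_path
```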
|
@ -175,7 +175,7 @@
|
|||
<div class="row" v-if="translationType === 'files'">
|
||||
<div class="file-dropzone">
|
||||
<div v-if="inputFile === false" class="dropzone-content">
|
||||
<span>Supported file format: [[ supportedFilesFormatFormatted ]]</span>
|
||||
<span>Supported file formats: [[ supportedFilesFormatFormatted ]]</span>
|
||||
<form action="#">
|
||||
<div class="file-field input-field">
|
||||
<div class="btn">
|
||||
|
|