TIL that browsers resolve '..' before requesting from the server. Seems like it was secure after all. But I still fixed problems with special characters in the file location passed in the request.
10
frontend.py
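--- a/frontend.py
+++ b/frontend.py
@@ -53,13 +53,17 @@ def downloader():
 
 # downloads a single file
 @frontend.route('/download/<path:file_path>', methods=['GET'])
-def download(file_path: str):
+def download(file_path):
 # if the path does not end with a slash, a single file is requested
 if '.' in file_path:
-file_folder = ''.join([x if x not in file_path.split('/')[-1] else '' for x in file_path.split('/')])
+split_path = file_path.split('/')
+file_folder = ''.join([x if x not in split_path[-1] else '' for x in split_path])
 
 video = query_db('SELECT path, name, ext FROM video WHERE name = :name AND path = :path',
-{'name': file_path.split('/')[-1].split('.')[0], 'path': file_folder + '\\' if file_folder else ''},
+{
+'name': split_path[-1].split('.')[0],
+'path': file_folder + '\\' if file_folder else ''
+},
 True)
 
 return send_from_directory(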
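Review bot: The folder reconstruction on the new `file_folder = ''.join([...])` line drops every segment that is a substring of the file name, not just the last segment itself, because `x not in split_path[-1]` is a string-containment test; a request for `a/bar.mp4` therefore yields an empty `file_folder` and the lookup misses. Now that `split_path` is a local, the intent is expressed directly and without that edge case by `file_folder = ''.join(split_path[:-1])`. The commit message relies on browsers normalising `..`, but any non-browser client can send the raw path, so server-side the traversal guard is `send_from_directory`'s own safe-join check, whose arguments lie outside this hunk — that call, not the client, is what the route should rely on. The enclosing `download` function continues past the end of the hunk; its signature also lost the `file_path: str` annotation, which could be kept.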