From 0ba88223f8b53e272909027fdd0e24490f362c80 Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Mon, 3 Feb 2020 23:11:41 +0500
Subject: [PATCH] bug fix: security improvements to fm
---
 filemanager/filemanager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/filemanager/filemanager.py b/filemanager/filemanager.py
index 6f28710ea..2325862ee 100755
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -306,7 +306,7 @@ class FileManager:
 if os.path.islink(self.data['fileName']):
 return self.ajaxPre(0, 'File exists and is symlink.')
- if not self.data['fileName'].find(self.data['home']) > -1:
+ if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1:
 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
 command = 'mv ' + tempPath + ' ' + self.returnPathEnclosed(self.data['fileName'])
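Review bot: The added condition still decides containment with `find(self.data['home']) == -1`, which is a substring match rather than a leading-directory match, so a path that only contains the home string somewhere in the middle is accepted. The `'..'` substring test also rejects legitimate names such as `a..b`, and it does not cover symlinked parent directories, since the `islink` check above looks only at the final path component. Comparing canonical paths would handle all three cases: `home = os.path.realpath(self.data['home'])`, `target = os.path.realpath(self.data['fileName'])`, `if target != home and not target.startswith(home + os.sep):`. Separately, `tempPath` is concatenated into the `mv` string without the enclosing that `fileName` gets; how `command` is executed is outside the hunk, so confirm it never reaches a shell or pass it as an argument list. The enclosing method starts and ends outside this hunk.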