From b88922ee7cccce611eb7571c59db86b1118b5778 Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Fri, 17 Jan 2020 19:43:32 +0500
Subject: [PATCH] path check
---
 filemanager/filemanager.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/filemanager/filemanager.py b/filemanager/filemanager.py
index cde03f4dc..643dbead5 100755
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -272,6 +272,11 @@ class FileManager:
 domainName = self.data['domainName']
 website = Websites.objects.get(domain=domainName)
+ pathCheck = '/home/%s' % (domainName)
+
+ if self.data['fileName'].find(pathCheck) == -1:
+ return self.ajaxPre(0, 'Not allowed.')
+
 command = 'cat ' + self.returnPathEnclosed(self.data['fileName'])
 finalData['fileContents'] = ProcessUtilities.outputExecutioner(command, website.externalApp)
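Review bot: The added guard `self.data['fileName'].find(pathCheck) == -1` is a substring test on the raw request value, so it accepts any path that merely contains `/home/<domain>`: one with `..` segments after the prefix, one where the string appears mid-path, or a sibling directory whose name begins with the same domain. Normalise first and anchor the comparison with a trailing separator, e.g. `fileName = os.path.normpath(self.data['fileName'])` followed by `if not fileName.startswith(pathCheck + '/'):`, and build the `cat` command from the normalised `fileName` (this assumes `os` is imported in the file, which the hunk does not show). `normpath` does not resolve symlinks, so a link inside the home directory is still followed by `cat`; the read runs as `website.externalApp`, which presumably limits it to what the site user can read. The path is then concatenated into a command string, so the check also depends on `returnPathEnclosed` quoting it safely; that helper and the rest of the method are outside the hunk.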