bug fix: security improvements to fm

2026-01-30 19:29:03 +01:00 · 2020-02-03 21:43:29 +05:00
parent 1dad06da46
commit f39bedadaf
1 changed files with 3 additions and 3 deletions
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -46,7 +46,7 @@ class FileManager:

            pathCheck = '/home/%s' % (domainName)

-            if self.data['completeStartingPath'].find(pathCheck) == -1:
+            if self.data['completeStartingPath'].find(pathCheck) == -1 or self.data['completeStartingPath'].find('..') > -1:
                return self.ajaxPre(0, 'Not allowed to browse this path, going back home!')

            command = "ls -la --group-directories-first " + self.returnPathEnclosed(
@@ -276,7 +276,7 @@ class FileManager:

            pathCheck = '/home/%s' % (domainName)

-            if self.data['fileName'].find(pathCheck) == -1:
+            if self.data['fileName'].find(pathCheck) == -1 or self.data['fileName'].find('..') > -1:
                return self.ajaxPre(0, 'Not allowed.')

            command = 'cat ' + self.returnPathEnclosed(self.data['fileName'])
@@ -336,7 +336,7 @@ class FileManager:
            finalData['fileName'] = fs.url(filename)
            pathCheck = '/home/%s' % (self.data['domainName'])

-            if self.data['completePath'].find(pathCheck) == -1:
+            if self.data['completePath'].find(pathCheck) == -1 or self.data['completePath'].find('..') > -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

            command = 'mv ' + self.returnPathEnclosed('/home/cyberpanel/media/' + myfile.name) + ' ' + self.returnPathEnclosed(self.data['completePath'] + '/' + myfile.name)