From f39bedadaf617ad36486372bd123697761b8a2fd Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Mon, 3 Feb 2020 21:43:29 +0500
Subject: [PATCH] bug fix: security improvements to fm

---
 filemanager/filemanager.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/filemanager/filemanager.py b/filemanager/filemanager.py
index 4ded5fb57..6f28710ea 100755
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -46,7 +46,7 @@ class FileManager:
 pathCheck = '/home/%s' % (domainName)
- if self.data['completeStartingPath'].find(pathCheck) == -1:
+ if self.data['completeStartingPath'].find(pathCheck) == -1 or self.data['completeStartingPath'].find('..') > -1:
 return self.ajaxPre(0, 'Not allowed to browse this path, going back home!')
 command = "ls -la --group-directories-first " + self.returnPathEnclosed(
@@ -276,7 +276,7 @@ class FileManager:
 pathCheck = '/home/%s' % (domainName)
- if self.data['fileName'].find(pathCheck) == -1:
+ if self.data['fileName'].find(pathCheck) == -1 or self.data['fileName'].find('..') > -1:
 return self.ajaxPre(0, 'Not allowed.')
 command = 'cat ' + self.returnPathEnclosed(self.data['fileName'])
@@ -336,7 +336,7 @@ class FileManager:
 finalData['fileName'] = fs.url(filename)
 pathCheck = '/home/%s' % (self.data['domainName'])
- if self.data['completePath'].find(pathCheck) == -1:
+ if self.data['completePath'].find(pathCheck) == -1 or self.data['completePath'].find('..') > -1:
 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
 command = 'mv ' + self.returnPathEnclosed('/home/cyberpanel/media/' + myfile.name) + ' ' + self.returnPathEnclosed(self.data['completePath'] + '/' + myfile.name)
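Review bot: The new guard on the `if` line of the first hunk still tests `find(pathCheck) == -1`, a substring match, so a path such as `/home/other.tld/home/<domain>` or a sibling account `/home/<domain>.old/...` passes it, and the added `'..'` check rejects legitimate names that contain `..` while doing nothing about symlinks. A normalized prefix comparison covers both cases: resolve the home directory and the requested path with `os.path.realpath` and require the result to equal home or start with home plus `os.sep` (this assumes `os` is imported at module level, which is outside the hunk). The resolved path still ends up in a string-built `ls` command on the last hunk line; whether `returnPathEnclosed` quotes it safely is not visible here. The enclosing method starts and ends outside the hunk.
```python
        home = os.path.realpath('/home/%s' % (domainName))
        requested = os.path.realpath(self.data['completeStartingPath'])
        # realpath collapses '..' and symlinks; accept only home itself or a path strictly below it
        if requested != home and not requested.startswith(home + os.sep):
            return self.ajaxPre(0, 'Not allowed to browse this path, going back home!')
        # … unchanged: ls command …
```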
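Review bot: The changed `if` line in the second hunk still lets `cat` read files outside the account's home, because `self.data['fileName'].find(pathCheck)` matches the substring anywhere in the path, including a sibling directory such as `/home/<domain>2/...` or any deeper path that merely embeds `/home/<domain>`. Replace the substring test with a resolved-prefix check: `home = os.path.realpath(pathCheck)`, `target = os.path.realpath(self.data['fileName'])`, `if target != home and not target.startswith(home + os.sep):` (assumes `os` is imported at module level, outside the hunk). `realpath` also makes the separate `'..'` substring check unnecessary and additionally rejects symlinks that point out of the home directory. The enclosing method starts and ends outside the hunk.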
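Review bot: The changed `if` line in the third hunk guards a write (the `mv` on the last hunk line), and `find(pathCheck) == -1` only proves that `/home/<domain>` occurs somewhere in `completePath`, so an upload can be moved into another account's tree such as `/home/<domain>-backup/` or into any directory whose path contains that substring. Use a resolved-prefix check instead: `home = os.path.realpath(pathCheck)`, `dest = os.path.realpath(self.data['completePath'])`, `if dest != home and not dest.startswith(home + os.sep):` (assumes `os` is imported at module level, outside the hunk). Because `realpath` follows symlinks, a link planted inside home that points elsewhere is also rejected, which the `'..'` substring check cannot achieve. The enclosing method starts and ends outside the hunk.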