fix for Uncontrolled data used in path expression

2022-09-25 13:48:23 +02:00 · 2022-09-25 13:48:23 +02:00 · 869ed25764
parent ceabd1b969
commit 869ed25764
1 changed files with 5 additions and 2 deletions
--- a/api/api_core.py
+++ b/api/api_core.py
@ -136,10 +136,13 @@ def get_file(filename):
    Returns:
        content of the file or abort(404)
    """
+    if not os.path.normpath(filename).startswith(nettacker_paths()["web_static_files_path"]):
+        abort(404)
    try:
-        return open(filename, 'rb').read()
+        return open(filename, "rb").read()
+    except ValueError:
+        abort(404)
    except IOError:
-        print(filename)
        abort(404)