Your ROOT_URL in app.ini is https://git.cloudchain.link/ but you are visiting https://dash.bss.nz/open-source-mirrors/bazarr/commit/7b7e984bff26f4d91bfec3dfdacedcd94c35d0cf You should set ROOT_URL correctly, otherwise the web may not work correctly.
open-source-mirrors
/
bazarr
mirror of https://github.com/morpheus65535/bazarr
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed file traversal via path filename vulnerability in swaggerui static route.

Browse Source
pull/2561/head
morpheus65535 9 months ago
parent ad88ec3767
commit 7b7e984bff
1 changed files with 2 additions and 2 deletions

4
bazarr/app/ui.py
Unescape View File

@ -153,8 +153,8 @@ def backup_download(filename):
def swaggerui_static(filename):
basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
'static')
fullpath = os.path.join(basepath, filename)
if not fullpath.startswith(basepath):
fullpath = os.path.realpath(os.path.join(basepath, filename))
if not basepath == os.path.commonpath((basepath, fullpath)):
return '', 404
else:
return send_file(fullpath)

Write Preview
Loading…
Cancel
Save