Fixed file traversal via path filename vulnerability in swaggerui static route. #2559

5 months ago · 7b7e984bff
parent ad88ec3767
commit 7b7e984bff
1 changed files with 2 additions and 2 deletions
--- a/bazarr/app/ui.py
+++ b/bazarr/app/ui.py
@ -153,8 +153,8 @@ def backup_download(filename):
 def swaggerui_static(filename):
    basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
                            'static')
-    fullpath = os.path.join(basepath, filename)
-    if not fullpath.startswith(basepath):
+    fullpath = os.path.realpath(os.path.join(basepath, filename))
+    if not basepath == os.path.commonpath((basepath, fullpath)):
        return '', 404
    else:
        return send_file(fullpath)