Simon/metube
1
0
Fork 0
mirror of https://github.com/alexta69/metube.git synced 2026-03-03 02:57:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

disallow upward directory traversal in request-generated templates

Browse Source
This commit is contained in:
Alex Shnitman
2026-02-19 09:32:23 +02:00
parent 3bf7fb51f4
commit 56258a4f1b
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/main.py
View File

@@ -250,6 +250,8 @@ async def add(request):
if custom_name_prefix is None: if custom_name_prefix is None:
custom_name_prefix = '' custom_name_prefix = ''
if custom_name_prefix and ('..' in custom_name_prefix or custom_name_prefix.startswith('/') or custom_name_prefix.startswith('\\')):
raise web.HTTPBadRequest(reason='custom_name_prefix must not contain ".." or start with a path separator')
if auto_start is None: if auto_start is None:
auto_start = True auto_start = True
if playlist_item_limit is None: if playlist_item_limit is None:
@@ -258,6 +260,8 @@ async def add(request):
split_by_chapters = False split_by_chapters = False
if chapter_template is None: if chapter_template is None:
chapter_template = config.OUTPUT_TEMPLATE_CHAPTER chapter_template = config.OUTPUT_TEMPLATE_CHAPTER
if chapter_template and ('..' in chapter_template or chapter_template.startswith('/') or chapter_template.startswith('\\')):
raise web.HTTPBadRequest(reason='chapter_template must not contain ".." or start with a path separator')
playlist_item_limit = int(playlist_item_limit) playlist_item_limit = int(playlist_item_limit)