From 5695450289f24c4522b8cb479e3a717a4f88a07c Mon Sep 17 00:00:00 2001 From: Ethan Dalool Date: Fri, 11 Nov 2022 15:54:32 -0800 Subject: [PATCH] Add a little obvious defense against filepaths in theme request. --- voussoirkit/flasktools.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/voussoirkit/flasktools.py b/voussoirkit/flasktools.py index c674466..e17d619 100644 --- a/voussoirkit/flasktools.py +++ b/voussoirkit/flasktools.py @@ -239,6 +239,8 @@ def give_theme_cookie(function, *, cookie_name, default_theme): def wrapped(*args, **kwargs): old_theme = request.cookies.get(cookie_name, None) new_theme = request.args.get('theme', None) + if new_theme is not None and any(badchar in new_theme for badchar in {'..', '/', '\\'}): + new_theme = None theme = new_theme or old_theme or default_theme # The original data structure for request.cookies is immutable and we