voussoir/voussoirkit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add a little obvious defense against filepaths in theme request.

Browse source
This commit is contained in:
voussoir 2022-11-11 15:54:32 -08:00
parent c6873fdcab
commit 5695450289
No known key found for this signature in database
GPG key ID: 5F7554F8C26DACCB
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
voussoirkit/flasktools.py
View file

@ -239,6 +239,8 @@ def give_theme_cookie(function, *, cookie_name, default_theme):
def wrapped(*args, **kwargs): def wrapped(*args, **kwargs):
old_theme = request.cookies.get(cookie_name, None) old_theme = request.cookies.get(cookie_name, None)
new_theme = request.args.get('theme', None) new_theme = request.args.get('theme', None)
if new_theme is not None and any(badchar in new_theme for badchar in {'..', '/', '\\'}):
new_theme = None
theme = new_theme or old_theme or default_theme theme = new_theme or old_theme or default_theme
# The original data structure for request.cookies is immutable and we # The original data structure for request.cookies is immutable and we